BeyondTrust says hackers breached Remote Support SaaS instances


Privileged access management company BeyondTrust suffered a cyberattack in early December after threat actors breached some of its Remote Support SaaS instances.

BeyondTrust is a cybersecurity company specializing in Privileged Access Management (PAM) and secure remote access solutions. Their products are used by government agencies, tech firms, retail and e-commerce entities, healthcare organizations, energy and utility service providers, and the banking sector.

The company says that on December 2nd, 2024, it detected “anomalous behavior” on its network. An initial investigation confirmed that threat actors compromised some of its Remote Support SaaS instances.

After further investigation, it was discovered that hackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts.

“BeyondTrust identified a security incident that involved a limited number of Remote Support SaaS customers,” reads the announcement.

“On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised.”

“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers.”

It is unclear if the threat actors were able to use the compromised Remote Support SaaS instances to breach downstream customers.

Critical vulnerability discovered

As part of the company’s investigation into the attack, it discovered two vulnerabilities, one on December 16th and the other on the 18th.

The first one, tracked as CVE-2024-12356, is a critical command injection flaw impacting the Remote Support (RS) and Privileged Remote Access (PRA) products.

“Successful exploitation of this vulnerability can allow an unauthenticated, remote attacker to execute underlying operating system commands within the context of the site user,” reads the description of the flaw.

The second issue, tracked as CVE-2024-12686, is a medium-severity vulnerability in the same products that allows attackers who already hold administrative privileges to inject commands and upload malicious files to the target.

Although not explicitly stated, it is possible that the hackers leveraged the two flaws as zero-days to gain access to BeyondTrust systems, or as part of their attack chain to reach customers.

However, BeyondTrust has not marked the flaws as actively exploited in either advisory.

BeyondTrust says it automatically applied patches for the two flaws to all cloud instances, but customers who run self-hosted instances need to apply the security update manually.

Finally, the company noted that investigations into the security incident are ongoing, and updates will be provided on its page when more information becomes available.

BeyondTrust told BleepingComputer that the vulnerabilities have not been used to deploy ransomware and that their investigation is still ongoing.

“As of this time, we have not encountered any instances of ransomware. Our investigation is ongoing, and we are continuing to work with independent third-party cybersecurity firms to conduct a thorough investigation,” BeyondTrust told BleepingComputer.

“At this time, BeyondTrust is focused on ensuring that all customer instances—both cloud and self-hosted—are fully updated and secure. Our priority remains supporting the limited number of customers impacted and safeguarding their environments. We will continue to provide regular updates via our website as our investigation progresses.”

BeyondTrust has not answered our question as to whether the flaws were exploited to breach its Remote Support SaaS instances, and BleepingComputer has sent additional follow-up questions.

However, CISA now says that CVE-2024-12356 has been exploited in attacks, but did not share any further details.
