- CISA added two bugs found in BeyondTrust products
- Both were seen in the wild in December 2024
- Federal agencies have until February 3, 2025 to patch up
The US Cybersecurity and Infrastructure Security Agency (CISA) has added two recently-discovered BeyondTrust bugs to its Known Exploited Vulnerabilities (KEV) catalog.
The move means CISA has seen evidence of the bugs being exploited in the wild, and has thus given federal agencies a deadline to patch the software or stop using it entirely.
In late December 2024, BeyondTrust confirmed suffering a cyberattack after spotting and uncovering some of its Remote Support SaaS instances were compromised. Subsequent investigation uncovered these two flaws, which the company later patched.
Attacks on the Treasury Department
The bugs are tracked as CVE-2024-12686, and CVE-2024-12356. The former is a medium-severity vulnerability (6.6 score), described as a flaw in Privileged Remote Access (PRA) and Remote Support (RS) that allows malicious actors with existing admin privileges to inject commands and run as a site user. The latter is a critical vulnerability which can allow an unauthenticated attacker to inject commands that are run as a site user. It was given a 9.8 severity score (critical).
CVE-2024-12356 was added to KEV on December 19, while CVE-2024-12686 on January 13. That means that users had until January 9 to address the first, and have until February 3, 2025, to address the second flaw.
The news comes after the US Treasury Department was hit by a cyberattack in early January 2025 where the attackers, thought to be Silk Typhoon, a notorious cyber-espionage group allegedly on the payroll of the Chinese government, used a stolen Remote Support SaaS API key to compromise a BeyondTrust instance.
Silk Typhoon is perhaps best known for targeting some 68,500 servers in early 2021 using Microsoft Exchange Server ProxyLogon zero-days.
Silk Typhoon is a part of a wider network of “Typhoon” groups – Volt Typhoon, Salt Typhoon, Flax Typhoon, and Brass Typhoon. Salt Typhoon was recently linked to a number of high-profile breaches, including at least four major US telecom operators.
Via BleepingComputer
Leave a comment