December 31, 2024
Severity
High
Analysis Summary
The US Treasury Department reported a significant cybersecurity breach that gave suspected Chinese threat actors remote access to several systems and unclassified data.
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” said the department in a letter.
The threat actor was able to remotely access some Treasury DO user workstations, circumvent the security of the service, and access some of the users' unclassified documents by using the stolen key. According to the federal agency, which has been collaborating with the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), the data suggests that it was carried out by an unidentified Chinese state-sponsored Advanced Persistent Threat (APT) actor.
The Treasury Department added that there is no evidence the threat actor still has access to the environment, and that the BeyondTrust service has been taken offline. Earlier this month, BeyondTrust disclosed an intrusion in which attackers gained access to some of its Remote Support SaaS instances. According to the company's analysis, the attackers obtained a Remote Support SaaS API key and used it to reset the passwords of local application accounts. BeyondTrust has not yet disclosed how the key was acquired. The company promptly suspended the affected instances, revoked the API key, notified the known impacted customers, and provided them with alternate Remote Support SaaS instances.
The investigation also uncovered two security flaws in the Privileged Remote Access (PRA) and Remote Support (RS) products: CVE-2024-12356 (CVSS score: 9.8) and CVE-2024-12686 (CVSS score: 6.6). The former has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence of active exploitation in the wild. The disclosure comes as Salt Typhoon, another Chinese state-sponsored threat actor, has been targeting several American telecom companies.
Impact
- Unauthorized Access
- Sensitive Data Theft
- Security Bypass
Remediation
- Conduct regular, comprehensive cybersecurity training programs for employees, focusing on spear-phishing recognition and avoidance. Simulate phishing attacks to test awareness and response.
- Enforce multi-factor authentication (MFA) for all critical systems, including email, source code repositories, and proprietary software, to reduce the risk of unauthorized access.
- Apply the principle of least privilege, ensuring that only authorized personnel have access to sensitive software and source code. Regularly review and audit access control policies.
- Use advanced email filtering systems that detect and block phishing attempts, especially those involving domain spoofing and impersonation tactics.
- Employ continuous network monitoring tools to detect unauthorized access or unusual activity. Regularly audit system logs for any indicators of compromise (IOCs) or anomalous behavior.
- Deploy EDR solutions to detect and respond to malicious activity on endpoints, particularly those involving attempts to exfiltrate sensitive data.
- Ensure timely patching of software vulnerabilities in operating systems, email servers, and security tools to reduce the risk of exploitation by cybercriminals.
- Establish protocols for quickly reporting cyber incidents to relevant authorities, like the FBI or other national agencies, to assist with tracking and mitigating cybercriminal activities.
- Perform periodic penetration testing and vulnerability assessments to identify and address weaknesses in the security infrastructure.
- Leverage real-time threat intelligence feeds to stay informed about new phishing campaigns and tactics targeting industries like aerospace and defense.
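The analysis above describes a stolen vendor API key being used to reset local application account passwords and then reach end-user workstations, and the monitoring item in the remediation list calls for auditing logs for exactly this kind of anomaly. The following script is an added example, not code from the advisory or from BeyondTrust: the JSON-lines audit format, the field names, the vendor IP allow-list and the sample events are all constructed for illustration, and the three rules it applies (API key used from an IP outside the vendor's known egress set, API key performing a password reset, and an interactive login by an account shortly after such a reset) are a defender's first-pass detection over a remote-support service's audit trail.

```python
"""Flag suspicious use of a vendor support API key in audit logs.

Added example: the log format, field names, IP allow-list and sample
events below are hypothetical and constructed for this illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed JSON-lines audit log. Field names are hypothetical.
SAMPLE_LOG = """
{"ts":"2024-12-02T09:15:00Z","actor":"api_key:SUPPORT-KEY-01","src_ip":"203.0.113.10","action":"session.start","target":"WS-0412"}
{"ts":"2024-12-02T09:20:00Z","actor":"api_key:SUPPORT-KEY-01","src_ip":"203.0.113.10","action":"session.start","target":"WS-0413"}
{"ts":"2024-12-05T23:41:00Z","actor":"api_key:SUPPORT-KEY-01","src_ip":"198.51.100.77","action":"account.password_reset","target":"local_admin"}
{"ts":"2024-12-05T23:42:00Z","actor":"api_key:SUPPORT-KEY-01","src_ip":"198.51.100.77","action":"account.password_reset","target":"svc_support"}
{"ts":"2024-12-05T23:50:00Z","actor":"user:local_admin","src_ip":"198.51.100.77","action":"session.start","target":"WS-0501"}
{"ts":"2024-12-05T23:55:00Z","actor":"user:local_admin","src_ip":"198.51.100.77","action":"file.download","target":"WS-0501"}
{"ts":"2024-12-06T10:02:00Z","actor":"user:jdoe","src_ip":"203.0.113.10","action":"session.start","target":"WS-0412"}
"""

# Constructed allow-list: source IPs the vendor is expected to use.
KNOWN_VENDOR_IPS = {"203.0.113.10"}


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_suspicious(events, known_ips=KNOWN_VENDOR_IPS, window=timedelta(hours=1)):
    """Return {rule_name: [event indices]} for events matching a rule.

    Rules:
      api_key_unknown_ip     - API key used from an IP outside the allow-list
      api_key_password_reset - API key used to reset an account password
      login_after_api_reset  - an account is used interactively within
                               `window` of an API-key-initiated reset
    """
    findings = defaultdict(list)
    reset_times = {}  # account name -> time of last API-key password reset
    for i, event in enumerate(events):
        actor = event["actor"]
        if actor.startswith("api_key:"):
            if event["src_ip"] not in known_ips:
                findings["api_key_unknown_ip"].append(i)
            if event["action"] == "account.password_reset":
                findings["api_key_password_reset"].append(i)
                reset_times[event["target"]] = event["ts"]
        elif actor.startswith("user:"):
            account = actor.split(":", 1)[1]
            reset_at = reset_times.get(account)
            if reset_at is not None and event["ts"] - reset_at <= window:
                findings["login_after_api_reset"].append(i)
    return dict(findings)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for rule, idxs in find_suspicious(parsed).items():
        for i in idxs:
            e = parsed[i]
            print(f"{rule:24} {e['ts'].isoformat()} {e['actor']} {e['src_ip']} {e['action']} -> {e['target']}")
```

On the constructed sample, the two password resets from an unfamiliar IP and the interactive sessions that follow them are flagged, while the vendor's routine daytime sessions from its known address are not. In a real deployment the allow-list would come from the vendor's published egress ranges and the window from observed support workflows; the point of the third rule is that a reset followed promptly by a login from the same unfamiliar source is a stronger signal than either event alone.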