US officials have announced that threat actors linked to China have leveraged vulnerabilities in BeyondTrust’s remote support software to steal documents in what Treasury Department officials called a “major incident” in a letter to lawmakers. The investigation is still ongoing, but we can outline several key details, insights, and remediation pathways based on available facts. This breach highlights the increasing frequency of cyber attacks, as Check Point Research (CPR) found that in November, organizations in the U.S. faced an average of 1,345 cyber-attacks per week. Government entities were among the top three most targeted industries for ransomware.
According to reports, the attack leveraged two specific vulnerabilities in BeyondTrust’s remote support software:
- CVE-2024-12356 (CVSS 9.8): A critical vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) software that allowed unauthorized attackers to gain access through improperly validated API endpoints.
- CVE-2024-12686 (CVSS 6.6): An additional flaw related to token management, which attackers used to maintain persistence.
It’s reported that attackers acquired a digital signing key for the software, which enabled them to masquerade as legitimate users with privileged access. This allowed them to access unclassified workstations and documents in Treasury’s systems, compromising sensitive, but not classified, data. Organizations everywhere that deploy the same software are at risk for similar or more serious breaches. Check Point recommends immediate action to patch the relevant intrusion points and ensure a resilient cyber security posture to deal with further attacks, with an emphasis on prevention.
Security teams can reference the following “defense-in-depth” framework to structure a response plan for the BeyondTrust vulnerabilities in the short term while building a prevention-focused, comprehensive, and effective cyber posture for the long term.
- Patch management and vulnerability remediation:
- Immediate Action: Ensure all third-party software and tools are patched regularly. Monitor for updates and advisories from vendors.
- Use a vulnerability management system to identify and prioritize critical CVEs.
- Implement External Attack System Management program (EASM) to prioritize relevant vulnerabilities and address them before they are identified by adversaries
- Zero trust architecture:
- Limit trust levels for software integrations.
- Continuously verify users and devices, restricting access even after initial authentication.
- Implement multi-factor authentication (MFA), even from known devices to internal and external applications and portals.
- Privileged Access Management (PAM):
- Use robust PAM solutions to enforce strict controls on who can access critical systems.
- Rotate, monitor, and audit the use of privileged credentials frequently.
- Data security:
- Encrypt corporate documents, so if they are compromised or leaked, then data inside is not accessible.
- Digital certificate security:
- Protect signing keys and other sensitive cryptographic material.
- Implement hardware security modules (HSMs) for key storage to prevent theft or misuse.
- Endpoint Detection and Response (EDR):
- Deploy EDR tools to monitor unusual activity on endpoints.
- Investigate and respond to anomalies, especially on systems with privileged software.
- Behavioral analysis and threat intelligence:
- Conduct a security information and events management-security operations center (SIEM-SOC) assessment to detect and address cyber risk.
- Implement behavioral monitoring to detect unusual API calls or unexpected user behavior.
- Use threat intelligence feeds to stay informed about active exploits targeting similar software.
- Supply chain security:
- Choose a security vendor that demonstrates digital trust and immediate reaction to high severity vulnerabilities (score beyond 8.5).
- Conduct regular security assessments of third-party vendors.
- Include clauses in vendor contracts mandating timely disclosure of vulnerabilities.
- Incident Response Plans:
- Maintain a comprehensive incident response playbook tailored for third-party compromises and organizational needs.
- Conduct tabletop exercises simulating attacks on third-party tools.
The first step in the wake of these attacks on the Treasury must be to remediate the specific vulnerabilities that permitted unauthorized access to their systems. Typically, however, it’s not the weaknesses you see that lead to trouble – it’s the ones you don’t see. By combining proactive vulnerability management, real-time monitoring, and a defense-in-depth strategy, organizations can mitigate risks posed by similar attacks on a continuous basis into the future.