BeyondTrust reports breach of their Remote Support SaaS service
BeyondTrust, a privileged access management company, is reporting a security breach affecting their Remote Support SaaS service.
The incident began on December 2nd, 2024, when the company detected suspicious network activity. The investigation discovered that attackers had compromised an API key for their Remote Support SaaS service, which gave the threat actors the ability to reset passwords for local application accounts. BeyondTrust immediately revoked the compromised API key, suspended affected instances, and provided alternative Remote Support SaaS instances to impacted customers.
The full scope of the breach has not been disclosed, and no information has been provided on whether the attackers were able to leverage the compromised instances to breach downstream customers.
During their investigation, BeyondTrust uncovered two significant vulnerabilities in their Remote Support (RS) and Privileged Remote Access (PRA) products. The first, CVE-2024-12356, is a critical command injection vulnerability that allows unauthenticated remote attackers to execute system commands. The second vulnerability, CVE-2024-12686, enables authenticated administrators to inject commands and upload malicious files.
While BeyondTrust has automatically patched these vulnerabilities for cloud instances, customers running self-hosted instances must manually apply the security updates.
Update - as of 24th of January 2025, BeyondTrust reports that the incident affected 17 customer organizations. Apart from the public report of the U.S. Treasury Department being impacted, the rest have not been disclosed.
The timing and discovery of the vulnerabilities raise questions about whether they might have been exploited as zero-days in the initial breach, though BeyondTrust hasn't explicitly confirmed this connection.