The United States Treasury Department said it suffered a “major cybersecurity incident” that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
“On December 8, 2024, Treasury was notified by a third-party software service provider, BeyondTrust, that a threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users,” the department said in a letter informing the Senate Committee on Banking, Housing, and Urban Affairs.
“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.
Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).
➤ Activate Your Coupon Code
The federal agency said it has been working with the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), and that available evidence points to it being the work of an unnamed state-sponsored Advanced Persistent Threat (APT) actor from China.
The Treasury Department further said that it has taken the BeyondTrust service offline, adding there is no evidence that the threat actors have access to the environment.
Earlier this month, BeyondTrust revealed that it was the victim of a digital intrusion that allowed bad actors to breach some of its Remote Support SaaS instances.
The company said its investigation into the incident found that the attackers gained access to a Remote Support SaaS API key that allowed them to reset passwords for local application accounts. BeyondTrust has yet to reveal how the key was obtained.
“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers,” it said.
The probe has also uncovered two security flaws in Privileged Remote Access (PRA) and Remote Support (RS) products (CVE-2024-12356, CVSS score: 9.8 and CVE-2024-12686, CVSS score: 6.6), the former of which has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild.
The disclosure comes as several U.S. telecommunication providers have found themselves in the crosshairs of another Chinese state-sponsored threat actor named Salt Typhoon.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Some parts of this article are sourced from:
thehackernews.com
Misconfigured Kubernetes RBAC in Azure Airflow Could Expose Entire Cluster to Exploitation