BeyondTrust Suffers Cyberattack: Remote Support SaaS Instances Breached

December 19, 2024

BeyondTrust, a cybersecurity firm specializing in Privileged Access Management (PAM) and secure remote access solutions, was the target of a cyberattack in early December 2024. The company's services, which are used across a wide range of sectors including government agencies and healthcare organizations, were compromised when attackers breached some of its Remote Support SaaS instances. The intrusion was first detected on December 2, 2024, when 'anomalous behavior' was noticed in the company's environment.

An initial investigation confirmed the breach of some Remote Support SaaS instances. Further exploration revealed that the threat actors had gained access to a Remote Support SaaS API key, which they used to reset passwords for local application accounts. 'BeyondTrust identified a security incident that involved a limited number of Remote Support SaaS customers,' the company stated in an announcement. 'On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised.'

The company promptly revoked the compromised API key, notified the impacted customers, and suspended the affected instances. It also provided alternative Remote Support SaaS instances for those customers. It remains uncertain whether the threat actors managed to use the compromised instances to reach downstream customers.

During the investigation into the attack, BeyondTrust discovered two vulnerabilities. The first, identified as CVE-2024-12356, is a critical command injection flaw affecting the Remote Support (RS) and Privileged Remote Access (PRA) products. The second, CVE-2024-12686, is a medium-severity vulnerability that allows an attacker who already holds administrative privileges to inject commands and upload malicious files. BeyondTrust has not said whether either vulnerability was exploited in the intrusion, whether to compromise its own SaaS instances or to reach customers.

BeyondTrust applied patches for the two vulnerabilities to all cloud instances automatically. Customers running self-hosted instances, however, must apply the security update themselves. The company stated that its investigation into the incident is ongoing and that updates will be provided as more information becomes available.
