In short:
Key Point | Details |
---|---|
Company Affected | BeyondTrust |
Type of Attack | Break-in into customers’ Remote Support SaaS instances |
Discovery Date | Potentially suspicious behavior noted on December 2, confirmed on December 5 |
Vulnerabilities Identified | Two vulnerabilities found, including CVE-2024-12356 with a severity rating of 9.8/10 |
Government Warning | CISA warns of exploitation of CVE-2024-12356; no confirmation that vulnerabilities were exploited in the attacks |
Security company BeyondTrust has been hit by an attack in which attackers broke into customers’ Remote Support SaaS instances, the company announced. The US government warns of an actively exploited vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS). BeyondTrust offers Privileged Access Management (PAM) solutions and remote-support software used by, for example, helpdesks.
BeyondTrust reports that it discovered “potentially suspicious behavior” in a customer’s Remote Support SaaS instance on December 2. On December 5, the suspicious behavior was confirmed and more customer instances were found to have been compromised. According to the security company, an API key for Remote Support SaaS was compromised. The key was subsequently revoked and affected customers were warned.
While investigating the attack, BeyondTrust said it discovered two vulnerabilities affecting both the self-hosted and cloud versions of Remote Support and Privileged Remote Access. The company then released updates; customers with a self-hosted installation must install the updates themselves. One of the two is a critical command-injection vulnerability, tracked as CVE-2024-12356, that allows an unauthenticated attacker to execute commands on the system. Its impact is rated 9.8 on a scale of 1 to 10.
BeyondTrust does not say whether the two discovered vulnerabilities were exploited in the attacks. However, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warns that exploitation of CVE-2024-12356 has been observed. The agency provided no further details about these attacks.