BeyondTrust SaaS instances breached in cyberattack
BeyondTrust, a privileged access management vendor, patched two vulnerabilities this week after attackers compromised SaaS instances for a 'limited number' of customers.
BeyondTrust disclosed that attackers breached instances of its Remote Support and Privileged Remote Access SaaS products earlier this month.
On Dec. 8, the privileged access management vendor published a security bulletin warning that it had detected suspicious activity tied to "a limited number of Remote Support SaaS customers." During a root cause analysis on Dec. 5, BeyondTrust found that an API key for its Remote Support SaaS tools had been compromised. Subsequently, BeyondTrust revoked the key, notified affected customers and suspended the compromised instances.
"A compromised Remote Support SaaS API key was identified, which allowed for password resets of local application accounts, and was promptly revoked," the security bulletin said.
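The bulletin's description of the key abuse suggests a concrete detection pattern: password resets of local application accounts that were authorized by an API key rather than by an interactive administrator session, arriving in bursts and followed by a login as the reset account. The script below is an added example, not code from the article or from BeyondTrust; its JSON-lines records and field names (`event`, `auth`, `target_type` and so on) are a constructed, hypothetical audit schema, so a practitioner would map them to their own product's audit export.

```python
"""Surface password resets of local application accounts performed via an API key.

Added example with a constructed audit-log format; the field names are a
hypothetical schema for illustration, not BeyondTrust's real audit export.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one reset by an interactive admin (benign), two rapid
# resets of local accounts by one API key, a login as one of the reset
# accounts shortly afterwards, and a directory-account reset (out of scope).
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-12-02T09:14:03Z", "event": "user.password_reset", "actor": "admin.jdoe", "auth": "session", "target": "svc_backup", "target_type": "local"}
{"ts": "2024-12-04T22:41:17Z", "event": "user.password_reset", "actor": "integration-key-7", "auth": "api_key", "target": "svc_helpdesk", "target_type": "local"}
{"ts": "2024-12-04T22:41:19Z", "event": "user.password_reset", "actor": "integration-key-7", "auth": "api_key", "target": "svc_admin", "target_type": "local"}
{"ts": "2024-12-04T22:45:02Z", "event": "session.start", "actor": "svc_admin", "auth": "password", "target": null, "target_type": null}
{"ts": "2024-12-05T08:00:00Z", "event": "user.password_reset", "actor": "integration-key-7", "auth": "api_key", "target": "jsmith", "target_type": "directory"}
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: str
    target: str
    reason: str


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines audit records and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_resets(
    text: str, window: timedelta = timedelta(minutes=10), burst: int = 2
) -> list[Finding]:
    """Return findings for API-key-driven resets of local accounts.

    Three signals are emitted: each individual reset, a burst of `burst` or
    more resets by the same key inside `window`, and an interactive login as
    a reset account within `window` of its reset.
    """
    events = parse_events(text)
    findings: list[Finding] = []

    resets = [
        e for e in events
        if e["event"] == "user.password_reset"
        and e["auth"] == "api_key"
        and e["target_type"] == "local"
    ]
    for r in resets:
        findings.append(Finding(r["ts"].isoformat(), r["actor"], r["target"],
                                "local account password reset via API key"))

    # Burst: several local resets by one key in a short window.
    by_actor: dict[str, list[dict]] = {}
    for r in resets:
        by_actor.setdefault(r["actor"], []).append(r)
    for actor, rs in by_actor.items():
        for i, r in enumerate(rs):
            n = sum(1 for s in rs[i:] if s["ts"] - r["ts"] <= window)
            if n >= burst:
                findings.append(Finding(r["ts"].isoformat(), actor, ",".join(s["target"] for s in rs[i:i + n]),
                                        f"{n} local account resets by one API key within {window}"))
                break

    # Follow-on: the reset account logs in interactively soon after the reset.
    for r in resets:
        for e in events:
            if (e["event"] == "session.start" and e["actor"] == r["target"]
                    and r["ts"] <= e["ts"] <= r["ts"] + window):
                findings.append(Finding(e["ts"].isoformat(), e["actor"], r["target"],
                                        "interactive login shortly after API-key password reset"))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resets(SAMPLE_AUDIT_LOG):
        print(f"{f.ts}  actor={f.actor}  target={f.target}  {f.reason}")
```

On the constructed sample the interactive admin reset is left alone, the two API-key resets of local accounts are each reported, the pair is reported again as a burst, and the later login as `svc_admin` is flagged as a likely takeover of a reset account. The thresholds are deliberately simple; in practice a defender would tune `window` and `burst` against the normal volume of their integration keys and pair the output with an inventory of which keys are expected to reset passwords at all.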
In updates published earlier this week, BeyondTrust disclosed two vulnerabilities in its Privileged Remote Access and Remote Support tools. The first is a medium-severity vulnerability tracked as CVE-2024-12686. The second is a high-severity flaw tracked as CVE-2024-12356, which received a CVSS score of 9.8 out of 10.
It's unclear if the two vulnerabilities were zero-day flaws used in attacks on Remote Support SaaS instances. BeyondTrust published separate security advisories for the two vulnerabilities, but neither mentioned exploitation activity.
However, CISA on Thursday added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog. BeyondTrust's advisory warned that exploitation of CVE-2024-12356 could "allow an unauthenticated attacker to inject commands that are run as a site user."
Both flaws were classified as command injection vulnerabilities. It's unclear how many customers were affected by the compromised instances and vulnerability exploitation.
On Dec. 16, BeyondTrust patched all cloud instances and released a patch for self-hosted versions. BeyondTrust added that no downtime is required to update the self-hosted versions. The updated security bulletin also said only Remote Support SaaS products were affected, according to an initial investigation.
BeyondTrust said it is continuing to work with affected customers and that an investigation remains ongoing. A spokesperson for BeyondTrust sent the following statement to Informa TechTarget Editorial:
Our investigation is ongoing, and we are continuing to work with independent third-party cybersecurity firms to conduct a thorough investigation. At this time, BeyondTrust is focused on ensuring that all customer instances -- both cloud and self-hosted -- are fully updated and secure. Our priority remains supporting the limited number of customers impacted and safeguarding their environments. We will continue to provide regular updates via our website as our investigation progresses.
BeyondTrust is the latest identity and access management vendor to suffer a high-profile breach. In October, Okta confirmed that attackers used stolen credentials to breach its support case management system. While the vendor initially said the attack only affected 1% of customers, it later revealed that it affected all customers. BeyondTrust, which was also affected by the Okta breach along with 1Password, said it was the first customer to initially detect and report the activity to Okta on Oct. 2.
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.