CISA: BeyondTrust breach affected Treasury Department only
The government cybersecurity agency says fallout from a breach against BeyondTrust last month has not affected other federal agencies, although the investigation is ongoing.
The U.S. Treasury Department was the only federal agency affected by the BeyondTrust breach last month, according to an update from CISA.
On Dec. 30, the Treasury Department revealed that Chinese nation-state threat actors breached the department by leveraging a compromised cloud service at BeyondTrust. The department disclosed the incident in a letter to members of the U.S. Senate Committee on Banking, Housing and Urban Affairs. The letter stated that the department was working closely with CISA and the FBI after attackers remotely accessed user workstations and unclassified documents.
CISA issued an update on Monday confirming that the agency is working with both the Treasury Department and BeyondTrust on mitigation efforts. While an investigation remains ongoing, CISA said the attack did not extend beyond the Treasury Department.
"At this time, there is no indication that any other federal agencies have been impacted by this incident. CISA continues to monitor the situation and coordinate with relevant federal authorities to ensure a comprehensive response," CISA wrote in the update.
BeyondTrust also provided an update on Monday regarding last month's breach, in which attackers compromised the privileged access management vendor's remote support tools. In an advisory on Dec. 8, BeyondTrust disclosed that it had identified suspicious activity on Dec. 2 and later discovered that an API key had been compromised by attackers, giving them access to the instances of a "limited number" of customers.
The Treasury Department said BeyondTrust notified the agency on Dec. 8 that a threat actor had compromised the API key and used it to remotely access the agency's workstations.
It remains unclear how attackers compromised the key, but BeyondTrust also disclosed two vulnerabilities, tracked as CVE-2024-12686 and CVE-2024-12356, in its Remote Support and Privileged Remote Access SaaS products.
On Monday, BeyondTrust said the two CVEs have been mitigated and that no additional victims have been discovered.
"The forensic investigation into the Remote Support SaaS incident is approaching completion. All SaaS instances of BeyondTrust Remote Support have been fully patched against the vulnerabilities mentioned in our previous security advisories. A patch has also been pushed for self-hosted instances," BeyondTrust wrote in the security bulletin. "No new customers have been identified beyond those we have communicated with previously."
It's unclear if the Treasury Department was the only customer affected by the breach.
BeyondTrust provided the following statement to Informa TechTarget:
All customers known to have been affected by the security incident involving BeyondTrust's Remote Support SaaS product were contacted in early December, and BeyondTrust has been communicating and working with them since. As the forensic investigation is ongoing, BeyondTrust is unable to confirm the other customers who may or may not have been impacted.
Arielle Waldman is a news writer for Informa TechTarget covering enterprise security.