US Treasury Department outs the blast radius of BeyondTrust's key leak

Data pilfered as miscreants roamed affected workstations


The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident."

A letter to the Chairman of the Senate Committee on Banking, Housing, and Urban Affairs, obtained and shared by Reuters, described the sequence of events. On December 8, the Treasury was notified by BeyondTrust that a key used for remote technical support had been pilfered, meaning that a threat actor could access some Departmental Office workstations and unclassified files held on them.

Agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have been working with the Treasury to understand the incident. Third-party forensic investigators have also been called in.

According to the Treasury, "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor."

The Register contacted China's Ministry of Foreign Affairs to get its take, but we have not received a response.

The BeyondTrust incident was reported by The Register earlier this month and involved the compromise of an API key for its Remote Support SaaS product. The key was swiftly revoked, but there were at least a few days in which attackers could have roamed around affected systems.

According to the Treasury Department, "The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information." The Register asked the Department of the Treasury for more information on what had been accessed, but we have yet to receive a response.
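The two questions a customer has to answer after a vendor incident like this are the ones the Treasury letter addresses: which sessions and hosts were reached with the leaked key during the window between compromise and revocation, and whether anything from the same sources continued after revocation. The following is an added illustration of that scoping, not code from the article, BeyondTrust or the Treasury; the log format, key identifiers, hosts, IP addresses and dates are all constructed for the example and do not describe BeyondTrust's actual logging.

```python
"""Scope a leaked remote-support credential against session logs.

Hypothetical log format and data, constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime
    session: str
    key_id: str
    src: str
    host: str
    action: str
    status: str


def parse_ts(text):
    """Parse a UTC ISO-8601 timestamp ending in 'Z' (assumed log convention)."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Parse '<ts> k=v k=v ...' lines into Event records (hypothetical format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_text, *pairs = line.split()
        f = dict(p.split("=", 1) for p in pairs)
        events.append(Event(parse_ts(ts_text), f["session"], f["key_id"], f["src"],
                            f["host"], f["action"], f.get("status", "ok")))
    return events


def sessions_for_key(events, key_id, window_start, revoked_at):
    """Successful sessions opened with the leaked key inside the exposure window.

    Returns {session_id: (host, src)}; these are the sessions to triage.
    """
    found = {}
    for e in events:
        if (e.key_id == key_id and e.status == "ok"
                and window_start <= e.ts < revoked_at):
            found.setdefault(e.session, (e.host, e.src))
    return found


def affected_hosts(sessions):
    """Workstations reached through the leaked key."""
    return sorted({host for host, _ in sessions.values()})


def post_revocation_activity(events, revoked_at, suspect_sources):
    """Events at or after revocation from sources seen in the leaked-key sessions.

    Denied attempts show the actor retrying the dead key; successful events
    with a different key are the 'continued access' signal to chase.
    """
    return [e for e in events if e.ts >= revoked_at and e.src in suspect_sources]


# Constructed sample log; addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2024-12-02T09:14:03Z session=rs-1001 key_id=apik-42 src=203.0.113.7 host=DO-WS-17 action=session_start
2024-12-02T09:40:11Z session=rs-1001 key_id=apik-42 src=203.0.113.7 host=DO-WS-17 action=file_download
2024-12-03T22:05:40Z session=rs-1002 key_id=apik-42 src=198.51.100.9 host=DO-WS-21 action=session_start
2024-12-05T10:00:00Z session=rs-1003 key_id=apik-17 src=192.0.2.5 host=DO-WS-17 action=session_start
2024-12-09T01:12:00Z session=rs-1004 key_id=apik-42 src=198.51.100.9 host=DO-WS-21 action=session_start status=denied
2024-12-12T03:30:00Z session=rs-1005 key_id=apik-99 src=198.51.100.9 host=DO-WS-21 action=session_start
"""

LEAKED_KEY = "apik-42"                             # assumed identifier of the leaked key
WINDOW_START = parse_ts("2024-12-01T00:00:00Z")   # earliest plausible misuse (assumed)
REVOKED_AT = parse_ts("2024-12-08T00:00:00Z")     # when the key was revoked (assumed)


def scope_incident(log_text=SAMPLE_LOG, key_id=LEAKED_KEY,
                   window_start=WINDOW_START, revoked_at=REVOKED_AT):
    """Run the checks and return a summary dict."""
    events = parse_log(log_text)
    sessions = sessions_for_key(events, key_id, window_start, revoked_at)
    suspects = {src for _, src in sessions.values()}
    later = post_revocation_activity(events, revoked_at, suspects)
    return {
        "sessions": sessions,
        "hosts": affected_hosts(sessions),
        "suspect_sources": sorted(suspects),
        "retries_denied": [e.session for e in later if e.status == "denied"],
        "continued_access": [e.session for e in later if e.status == "ok"],
    }


if __name__ == "__main__":
    for name, value in scope_incident().items():
        print(f"{name}: {value}")
```

On the constructed data, the leaked key accounts for two sessions across two workstations; the session with the legitimate key apik-17 is left alone. After revocation the same source address first retries the dead key (denied) and then opens a session with a different key, which is exactly the "continued access" case a customer has to rule out before making the statement the Treasury made.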

In its letter, the Department said a more detailed report would be forthcoming in 30 days, and "In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident."

The US Department of the Treasury's admission gives an insight into what a vendor's SaaS incident can mean for customers. During its investigation, BeyondTrust has identified vulnerabilities and pushed out patches for self-hosted versions of its software. For its cloud customers, it performed an update "fortifying the security of their solution overall."

Writing on Mastodon, cyber security researcher Kevin Beaumont had a warning for Software-as-a-Service users: "One thing every org needs to start to plan for: SaaS provider breaches. What's your playbook for when your SaaS provider gets breached?

"In the case of BeyondTrust, they released some CVEs and patches for the on prem software – but didn't say much of anything about their SaaS platform.

"The US govt just outed them for the customer impact side."

Notably, BeyondTrust has confirmed in its advisory that "all cloud instances have been patched for this vulnerability" by mid-December.

The outfit added, "We continue to communicate, and work closely with, all known affected customers." ®
