Zero-Day Breach: BeyondTrust Reveals Investigation into API Key Compromise

February 1, 2025

By Ravie Lakshmanan

BeyondTrust has completed an investigation into a recent cybersecurity incident that targeted some of the company’s Remote Support SaaS instances by exploiting a compromised API key.

The Breach

The company said the breach involved 17 Remote Support SaaS customers and that the API key was used to enable unauthorized access by resetting local application passwords. The breach was first flagged on December 5, 2024.

The Investigation

The investigation determined that a zero-day vulnerability of a third-party application was used to gain access to an online asset in a BeyondTrust AWS account. Access to that asset then allowed the threat actor to obtain an infrastructure API key that could then be leveraged against a separate AWS account which operated Remote Support infrastructure.

Affected Customers

BeyondTrust has since revoked the compromised API key and suspended all known affected customer instances, while also providing them with alternative Remote Support SaaS instances.

CISA Adds Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added both CVE-2024-12356 and CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The exact details of the malicious activity are presently not known.

Federal Impact

The development comes as the U.S. Treasury Department said it was one of the affected parties. No other federal agencies are assessed to have been impacted.

Attribution

The attacks have been attributed to a China-linked hacking group dubbed Silk Typhoon (formerly Hafnium), with the agency imposing sanctions against a Shanghai-based cyber actor named Yin Kecheng for his alleged involvement in the breach of the Treasury’s Departmental Offices network.

Stay Informed

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.