On December 8, 2024, the Department of the Treasury (USDT) detected a cybersecurity breach involving BeyondTrust, a third-party remote support platform. Chinese state-sponsored threat actors exploited this platform to access several Treasury employee workstations and unclassified documents.
BeyondTrust, a privileged access management company, offers Remote Support, a SaaS platform for remote access to computers. The attackers used a stolen Remote Support SaaS API key to reset passwords for local application accounts, gaining further privileged access to the affected systems. BeyondTrust’s investigation revealed two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, which facilitated the breach.
Upon discovering the intrusion, the Treasury Department collaborated with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and third-party investigators to assess and mitigate the breach. The compromised BeyondTrust service was promptly taken offline, and officials have stated there is no evidence of continued unauthorized access to Treasury systems.
This incident has been classified as a “major cybersecurity incident”, necessitating a supplemental report within 30 days. The breach underscores ongoing concerns about cybersecurity vulnerabilities and the persistent threat posed by state-sponsored cyber actors.