- BeyondTrust says it spotted an attack in early December 2024
- It found some of its Remote Support SaaS instances were compromised
- It also found and patched two zero-day flaws
BeyondTrust has confirmed it recently suffered a cyberattack after spotting “anomalous behavior” on its network and uncovering some of its Remote Support SaaS instances were compromised.
In an announcement published on its website, the company, which provides Privileged Access Management (PAM) and secure remote access solutions, said a subsequent investigation uncovered that the threat actors accessed a Remote Support SaaS API key, which they used to reset local app account passwords.
“BeyondTrust immediately revoked the API key, notified known impacted customers, and suspended those instances the same day while providing alternative Remote Support SaaS instances for those customers,” the company said in its announcement.
It wasn’t ransomware
The company said it found two vulnerabilities, which it patched. It doesn’t seem as if these vulnerabilities were used in the attacks, though.
In any case, BeyondTrust’s research uncovered a critical command injection flaw impacting the Remote Support (RS) and Privileged Remote Access (PRA) products. This flaw is tracked as CVE-2024-12356 and has a severity score of 9.8/10 (critical).
The second flaw is a medium-severity one, with a 6.6 score, and tracked as CVE-2024-12686. It allows attackers with existing admin privileges to inject commands and run as a site user on Privileged Remote Access (PRA) and Remote Support (RS).
The instances provide cloud-hosted solutions for secure, scalable remote support, allowing IT and service desk professionals to remotely access and troubleshoot devices or systems while maintaining strict security and compliance standards. BeyondTrust’s usual clients are large enterprises, government agencies, financial institutions, tech giants, and similar.
The company did not state if the attack trickled down to any of BeyondTrust’s customers, but it did stress that it “proactively completed” an update for its Secure Remote Access Cloud customers, tightening up on their defenses.
The nature of the attack is not known at this time, but the company did confirm to BleepingComputer that it was not ransomware.
Via BleepingComputer
