
U.S. Treasury Department disclosed a cybersecurity breach attributed to Chinese state-sponsored hackers.

On December 30, 2024, the U.S. Treasury Department disclosed a cybersecurity breach attributed to Chinese state-sponsored hackers. The attackers exploited vulnerabilities in BeyondTrust's remote support platform, a tool used by the department for technical support.

Key Points:

  • Discovery and Notification: BeyondTrust detected suspicious activity on December 2, 2024, and confirmed the breach by December 5. The company informed the Treasury Department on December 8 about the unauthorized access.
  • Method of Attack: The hackers obtained an API key for BeyondTrust's Remote Support SaaS platform, enabling them to reset passwords for local application accounts and gain elevated access to the system. BeyondTrust identified two zero-day vulnerabilities, CVE-2024-12356 and CVE-2024-12686, which facilitated the breach.
  • Extent of the Breach: The attackers accessed unclassified documents and several workstations within the Treasury Department. The full scope of the data compromised is still under investigation.
  • Response Measures: Upon learning of the breach, the Treasury Department collaborated with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and other intelligence agencies to assess and mitigate the impact. The compromised remote support service was taken offline, and efforts are ongoing to enhance security protocols.
  • Official Classification: The Treasury Department has labeled this incident a "major cybersecurity incident" due to its attribution to an advanced persistent threat (APT) actor. A detailed report is expected to be submitted to lawmakers within 30 days.

References:

https://www.bleepingcomputer.com/news/security/us-treasury-department-breached-through-remote-support-platform/

https://en.wikipedia.org/wiki/2024_United_States_Department_of_the_Treasury_hack

USOC Inc., USOC Security, December 31, 2024