BeyondTrust Zero-Day Breach – 17 SaaS Customers API Key Compromised

BeyondTrust, a leading provider of identity and access management solutions, disclosed a zero-day breach impacting 17 Remote Support SaaS customers.

The incident, detected on December 5, 2024, has been linked to the compromise of an infrastructure API key used to access specific Remote Support SaaS instances.

The breach allowed attackers to reset local application passwords in affected environments. Importantly, no BeyondTrust products outside of Remote Support SaaS were compromised, nor were its FedRAMP instances affected.

Details of the Breach

The breach originated from a zero-day vulnerability in a third-party application, which allowed attackers to access an online asset in BeyondTrust’s AWS account.

This asset contained an infrastructure API key, which was then used to access and exploit Remote Support SaaS environments.

BeyondTrust reported that no ransomware or unauthorized access has been detected since early December 2024, and no additional systems were compromised. To mitigate the impact, BeyondTrust swiftly:

1. Revoked the compromised API key.
2. Quarantined affected customer instances and offered replacement instances.
3. Notified all affected customers.
4. Partnered with federal law enforcement and a third-party forensic team for detailed investigations.

Timeline of the Incident

BeyondTrust’s swift response began immediately after detecting anomalous behavior on December 5, 2024.

The company initiated its incident response protocols, engaged a third-party forensic firm, and quarantined affected infrastructure. Key milestones include:

• December 8, 2024: Initial security advisory published.
• December 13, 2024: Discovery of two zero-day vulnerabilities, CVE-2024-12356 (critical) and CVE-2024-12686 (medium).
• December 14-19, 2024: Vulnerabilities patched, with public disclosure and customer notifications following shortly after.
• December 19, 2024: Law enforcement attributed the attack to China-linked threat actors.
• January 17, 2025: BeyondTrust completed its forensics investigation.

To prevent future incidents, BeyondTrust recommends:

• Staying up-to-date with patches and enabling auto-update features.
• Using external authentication providers (e.g., SAML) over local accounts.
• Employing outbound event notifications and SIEM integrations for monitoring suspicious activity.
• Enforcing least-privilege access and rotating passwords regularly.

While BeyondTrust has taken exhaustive measures to secure its systems and assist affected customers, the company continues to work with law enforcement to track the threat actors responsible.

In a statement, BeyondTrust reaffirmed its commitment to transparency and enhanced cybersecurity, aiming to rebuild customer trust and strengthen its defenses.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Start Now for Free.