
The Cybersecurity and Infrastructure Security Agency (CISA) has identified an actively exploited command injection vulnerability (CVE-2024-12686) affecting BeyondTrust’s Privileged Remote Access and Remote Support solutions. U.S. federal agencies must patch this vulnerability by February 3, in accordance with Binding Operational Directive 22-01.
A second critical vulnerability (CVE-2024-12356) was discovered in December 2023 during BeyondTrust’s investigation of a breach affecting its Remote Support SaaS instances. In that breach, threat actors stole an API key and used it to reset local account passwords.
The U.S. Treasury Department fell victim to an attack linked to the Chinese state-sponsored group Silk Typhoon, which exploited these vulnerabilities. The attackers specifically targeted sensitive departments including:
– Office of Foreign Assets Control (OFAC)
– Committee on Foreign Investment (CFIUS)
– Office of Financial Research
Silk Typhoon, known for their previous attack on 68,500 servers using Microsoft Exchange vulnerabilities, accessed unclassified information related to potential sanctions and other sensitive documents.
BeyondTrust has patched both vulnerabilities on cloud instances, but self-hosted installations require manual updates. Organizations using BeyondTrust products are urged to implement security patches immediately to prevent potential exploitation.