BeyondTrust Zero-Day Breach \u2013 17 SaaS Customers API Key Compromised
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
BeyondTrust, a leading identity and access management firm, disclosed a critical security breach impacting 17 customers of its Remote Support SaaS platform<\/a>.<\/p>\n The breach was attributed to the exploitation of zero-day vulnerabilities and has since been linked to the China-based hacking group Silk Typhoon.\u00a0<\/p>\n While U.S. federal agencies and law enforcement continue their investigations, BeyondTrust has taken measures to fix the issue.<\/p>\n The breach was discovered after BeyondTrust saw unusual activity in their Remote Support SaaS system. A root cause analysis revealed that an infrastructure API key had been compromised by a zero-day vulnerability<\/a> in a third-party application.<\/p>\n This allowed attackers to reset local application passwords and gain unauthorized access to certain Remote Support SaaS instances.<\/p>\n The attackers exploited a critical zero-day vulnerability in a third-party application to access an online asset in BeyondTrust\u2019s AWS account<\/a>.\u00a0<\/p>\n This access enabled them to obtain an infrastructure API key, which was then used against another AWS account operating the Remote Support infrastructure.\u00a0<\/p>\n The two vulnerabilities identified during the investigation are:<\/p>\n Both vulnerabilities were actively exploited in the wild, prompting BeyondTrust to issue patches for all cloud-based instances while urging self-hosted customers to apply updates manually.<\/p>\n The attack has been attributed to Silk Typhoon (formerly Hafnium), a China-linked cyber-espionage group known for targeting government entities and critical infrastructure.\u00a0<\/p>\n The group reportedly accessed unclassified data from the U.S. Treasury Department using the stolen API key.<\/p>\n \u201cNo BeyondTrust products outside of Remote Support<\/a> SaaS were affected. No FedRAMP instances were affected. No other BeyondTrust systems were compromised, and ransomware was not involved\u201d, the company said.<\/p>\n BeyondTrust implemented several immediate actions following the breach:<\/p>\n Additionally, BeyondTrust applied patches for discovered<\/a> vulnerabilities across all SaaS instances and continues to support affected customers by providing logs, indicators of compromise (IOCs), and other forensic<\/a> artifacts.<\/p>\n This breach underscores the growing risks associated with non-human identities, such as API keys, when combined with software vulnerabilities. Organizations are urged to adopt robust security practices to safeguard against similar exploits.<\/p>\n The post BeyondTrust Zero-Day Breach \u2013 17 SaaS Customers API Key Compromised<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nExploiting Critical Zero-day Vulnerabilities<\/strong><\/h2>\n
\n
\n
Recommendations<\/strong><\/h2>\n
\n
Are you from SOC\/DFIR Teams? \u2013\u00a0Analyse Malware Files & Links with ANY.RUN Sandox\u00a0->\u00a0Start Now for Free<\/a>.<\/strong><\/code><\/strong><\/code><\/strong><\/p>\n