A significant cyber incident hit the United States Department of the Treasury just before Christmas 2024. It looks like the breach started with a third-party tech support supplier, which raises serious concerns about the security of technology supply chains for IT firms and their clients.
This attack appears to be linked to a state-sponsored group from China. According to The Washington Post, the breach targeted the Office of Foreign Assets Control (OFAC), which manages and enforces sanctions against individuals and countries. Given OFAC’s role in tackling malicious cyber actors and ransomware gangs, it’s no wonder they’re a prime target for hackers.
On December 8, 2024, Treasury assistant secretary for management, Aditi Hardikar, informed Senators Sherrod Brown and Tim Scott that a third-party provider had reported a breach. The provider, BeyondTrust, revealed that the threat actor gained access to a key associated with their cloud-based remote tech support service.
With this key, the attacker bypassed security measures, remotely accessed certain Treasury user workstations, and viewed unclassified documents. Hardikar noted that the Treasury is working with several federal agencies, including CISA and the FBI, to understand the breach’s scope. The incident has been linked to a Chinese state-sponsored group; BeyondTrust has since taken the compromised service offline and reports no ongoing access to Treasury data.
Chinese officials sharply rejected these claims, calling them unfounded and part of a smear campaign against them.
BeyondTrust, a US-based company founded in the mid-1980s, specializes in services like privileged identity management and remote access. They claim to have over 20,000 customers worldwide, including several in the public sector, such as local governments and healthcare providers in the UK’s NHS.
BeyondTrust issued a statement saying it had identified a limited impact on its Remote Support customers because of a compromised application programming interface (API) key. After identifying the issue, the company revoked the key and reached out to affected users, including the Treasury.
The company discovered two vulnerabilities in their Remote Support and Privileged Remote Access products, labeled CVE-2024-12356 and CVE-2024-12686. These vulnerabilities, both command injection issues, let an attacker execute commands remotely as if they were the site user. BeyondTrust patched these vulnerabilities in both its cloud-hosted and on-premises versions by December 18, 2024.
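As an added, generic illustration of the vulnerability class named above, the following is constructed example code, not BeyondTrust's code and not the actual mechanism behind CVE-2024-12356 or CVE-2024-12686 (which the article does not describe). It shows the textbook pattern behind "command injection": untrusted input concatenated into a shell command string, beside the hardened form that validates the input against a strict grammar and passes it as an argument vector so no shell ever parses it. The hostname grammar, the `ping` command and the sample inputs are assumptions chosen for the demonstration.

```python
"""Command injection, vulnerable pattern beside hardened pattern.

Constructed example for illustration only; it is not BeyondTrust's code and
does not reflect the internals of CVE-2024-12356 / CVE-2024-12686.
"""
from __future__ import annotations

import re
import shlex
import subprocess

# RFC 1123 style hostname: labels of letters, digits and hyphens, separated by dots.
# Shell metacharacters (; & | $ ` space ...) cannot match, so they are rejected.
_HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def is_valid_hostname(host: str) -> bool:
    """Strict allow-grammar check; anything that is not a plain hostname fails."""
    return len(host) <= 253 and _HOSTNAME_RE.match(host) is not None


def build_ping_command_unsafe(host: str) -> str:
    """VULNERABLE: untrusted input is concatenated into a shell string.

    If this string is handed to a shell (e.g. subprocess.run(cmd, shell=True)),
    anything after a ';' or '&&' inside `host` runs as a second command with
    the privileges of whatever account the service runs as.
    """
    return "ping -c 1 " + host


def build_ping_command_safe(host: str) -> list[str]:
    """HARDENED: validate first, then return an argv list.

    The list form never goes through a shell, so metacharacters have no
    meaning; the validation step rejects them anyway (defense in depth).
    """
    if not is_valid_hostname(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def shell_command_count(cmd: str) -> int:
    """Number of separate commands a POSIX shell would see in `cmd`.

    shlex in punctuation mode emits ';', '&&', '||', '|' and '&' as their own
    tokens, so counting them shows how the unsafe string is split.
    """
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=";&|")
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def run_safe(host: str) -> subprocess.CompletedProcess:
    """Execute the hardened form: argv list, shell=False (the default)."""
    return subprocess.run(
        build_ping_command_safe(host), capture_output=True, text=True, check=False
    )


if __name__ == "__main__":
    # Constructed inputs: one legitimate hostname, one carrying a second command.
    for candidate in ("example.com", "example.com; id"):
        unsafe = build_ping_command_unsafe(candidate)
        print(f"{candidate!r}: shell would run {shell_command_count(unsafe)} command(s)")
        try:
            print("  safe argv:", build_ping_command_safe(candidate))
        except ValueError as exc:
            print("  safe path:", exc)
```

Note that the hardened version does two independent things: it refuses input that does not look like a hostname, and it never lets a shell interpret the argument. Either alone closes the textbook hole; together they also cover the case where a later refactor reintroduces `shell=True`.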
A spokesperson from BeyondTrust clarified that they took quick action regarding the December incident, notifying the affected customers and collaborating with law enforcement on the investigation.
This event highlights ongoing vulnerabilities in security supply chains. Avishai Avivi, CISO at SafeBreach, explained how the breach might have occurred. BeyondTrust provides secure methods for IT support teams to assist users remotely, establishing trusted connections that bypass traditional security protocols. Unfortunately, once inside, these support personnel can act as if they are the end-users, making it hard for security systems to detect any malicious activities.
When asked if the US Treasury could have mitigated the breach, Avivi stated they could have. He pointed out that the Treasury or the vendor failed to set up trusted connection locations properly, a practice known as IP whitelisting. This oversight isn’t just a problem for the Treasury; similar issues have resulted in breaches over the past couple of years. Avivi stressed the need for all service vendors to adhere to CISA’s Secure-by-Default guidance to avoid such risks in the future.
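The control Avivi describes, restricting a remote-support or API connection to known source networks so that a stolen key is useless from anywhere else, is illustrated below in added example code. It is not BeyondTrust's or the Treasury's configuration; the trusted ranges are documentation-only networks (RFC 5737 and RFC 3849), the connection attempts are constructed sample data, and the API-key check is a stand-in boolean. The example denies by default, treats unparseable input and an empty list as deny, and normalizes IPv4-mapped IPv6 addresses so a dual-stack front end does not silently bypass an IPv4 allowlist.

```python
"""Source-IP allowlisting for a remote-support / API endpoint.

Constructed example of the control described in the article (trusted
connection locations); not BeyondTrust's or the Treasury's configuration.
Network ranges are RFC 5737 / RFC 3849 documentation ranges.
"""
from __future__ import annotations

import ipaddress
from typing import Iterable


class Allowlist:
    """Deny-by-default set of trusted source networks."""

    def __init__(self, cidrs: Iterable[str]):
        # strict=False lets an operator write 192.0.2.10/24 and get 192.0.2.0/24.
        self.networks = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def permits(self, source_ip: str) -> bool:
        """True only if source_ip parses and lies inside a trusted network.

        Unparseable input denies; an empty allowlist denies everything.
        IPv4-mapped IPv6 (::ffff:a.b.c.d) is folded back to IPv4 so an
        IPv4 allowlist still applies when the listener is dual-stack.
        """
        try:
            addr = ipaddress.ip_address(source_ip.strip())
        except ValueError:
            return False
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        return any(addr in net for net in self.networks)


def authorize_session(allowlist: Allowlist, api_key_valid: bool, source_ip: str) -> tuple[bool, str]:
    """Decide on a remote-support session request.

    A valid API key alone is not sufficient: a valid key presented from an
    untrusted network is rejected and flagged, which is exactly the pattern a
    stolen key produces and the event a SOC would want to alert on.
    """
    if not api_key_valid:
        return False, "deny: invalid api key"
    if not allowlist.permits(source_ip):
        return False, f"deny: valid key used from untrusted source {source_ip} (possible key compromise)"
    return True, "allow"


# Constructed trusted ranges: a vendor's support egress block and an IPv6 range.
TRUSTED = Allowlist(["192.0.2.0/24", "2001:db8:1::/48"])

# Constructed connection attempts (sample data, not from the incident).
SAMPLE_ATTEMPTS = [
    (True, "192.0.2.44"),         # valid key, trusted vendor egress      -> allow
    (True, "198.51.100.7"),       # valid key, unexpected network         -> deny + flag
    (True, "2001:db8:1::beef"),   # valid key, trusted IPv6 range         -> allow
    (True, "::ffff:192.0.2.44"),  # same trusted IPv4 host via mapped v6  -> allow
    (False, "192.0.2.44"),        # trusted network but bad key           -> deny
    (True, "not-an-ip"),          # garbage in the source field           -> deny
]


def evaluate_all(attempts=SAMPLE_ATTEMPTS, allowlist=TRUSTED) -> list[str]:
    """Run every attempt through the policy and return the verdict strings."""
    return [authorize_session(allowlist, ok, ip)[1] for ok, ip in attempts]


if __name__ == "__main__":
    for (ok, ip), verdict in zip(SAMPLE_ATTEMPTS, evaluate_all()):
        print(f"key_valid={ok!s:5} src={ip:20} -> {verdict}")
```

The second attempt is the interesting one for detection: the key is genuine, so an authentication log alone shows a normal success, and only the source check turns it into a denial worth alerting on.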