CISA Adds Another BeyondTrust Flaw to KEV Catalog Amid Ongoing Attacks

Get Started Quickly!

An additional security flaw has been added to the list of exploited vulnerabilities of BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS), a disclosure in this regard by the American Cybersecurity and Infrastructure Security Agency (CISA). The wild exploitations had been confirmed.

Details of the Newly Added Vulnerability

The current vulnerability is CVE-2024-12686, an average vulnerability (CVSS score: 6.6) that has a high severity. Under the influence of this vulnerability, the attack is to net underground system administrator privileges to achieve the execution of OS commands as a site user.

CISA elaborated on the issue, stating:

“BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) contain an OS command injection vulnerability that can be exploited by an attacker with existing administrative privileges to upload a malicious file. Successful exploitation of this vulnerability can allow a remote attacker to execute underlying operating system commands within the context of the site user.”

A Growing Concern

This addition is following the addition of a great defect within the said items in the KEV-catalog, particularly CVE-2024-12356 codename of the project. KEV-catalog added some weaknesses to the system, especially as it applied to e-mails.

BeyondTrust’s Response

Meanwhile, it has acknowledged the vulnerabilities used for its recent investigation within the immediate incident scenario of December 2024. Finally, there were reported occurrences of threat actors being able to break into many instances and change the passwords on local application accounts, via a hacked Remote Support SaaS API key. It is not known how the API key was compromised insofar as it got removed. There is speculation regarding the utilisation of the zero-day vulnerabilities in breaking into the BeyondTrust systems since the added information includes the fact that these vulnerabilities originally probably were not operational.

Broader Implication of the Breach

The BeyondTrust impact is far-reaching for this hack. The leaked API principal could gather remote access to the U.S. Treasury Department network that now labels it as “a significant cyber incident.” Investigation up to now says that the attack used to be executed by Chinese state-sponsored hacker collective Silk Typhoon, also called Hafnium.

Reports indicate that Silk Typhoon specifically targeted:

  • The Treasury’s Office of Foreign Assets Control (OFAC).
  • The Office of Financial Research.
  • The Committee on Foreign Investment in the United States (CFIUS).

Other Additions to the KEV Catalog

CISA has traced a critical Qlik Sense lacking in fully exploiting and entirely demonstrating (CVE-2023-48365, CVSS score: 9.9), aside from the bypass issue altogether. This vulnerability allows threat actors to make HTTP requests to escalate their access to backend systems, adding privileges to the vulnerability, and eventually leads to the infringement of BeyondTrust. Cactus is an unknown ransomware party in terms of the risks associated with going after user exposure of the fact rather than actually creating ransomware. By February 3, 2024, federal agencies need to fix everything that has been identified as a weakness until then and install necessary updates in order to lower the risks and provide security to their networks.

Takeaways for Cyber Security Professionals

  1. Prioritise Patching: Organisations using BeyondTrust PRA or RS products should immediately apply the latest patches.
  2. Monitor for Indicators of Compromise (IoC): Stay vigilant for signs of unauthorised access or activity linked to these vulnerabilities.
  3. Implement Robust Security Practices: Employ network segmentation, limit administrative privileges, and enable multi-factor authentication to minimise potential attack surfaces.

Reach out to ARANKISH to ensure your cyber security posture meets current industry requirement.

Quick Links

Partner with the Expert Team Your Business Deserves.

Our dedicated professionals deliver tailored solutions to help your business thrive, ensuring you get the expertise and support you deserve every step of the way.

Talk To The ARANKISH Team

Feel free to reach out to us with your cyber security requirements or for a quotation. Our team will respond to you promptly.

What are you looking for?