by huewire
January 4, 2025
in TECHNOLOGY

A cyber incident at the US Department of the Treasury – blamed on a Chinese state actor – raises fresh warnings about supply chain risk after it was found to have originated via vulnerabilities in a remote tech support product

By Alex Scroxton, Security Editor

Published: 03 Jan 2025 16:27

A major state-sponsored cyber incident that targeted the United States Department of the Treasury in the weeks prior to Christmas 2024 appears to have begun with a compromise at a third-party tech support supplier, serving as a warning about the fragile and vulnerable nature of technology supply chains for IT firms and their customers alike.

The cyber attack was allegedly the work of an undisclosed China-backed advanced persistent threat (APT) actor and, according to The Washington Post, it targeted among other things the Office of Foreign Assets Control (OFAC), a department of the Treasury that administers and enforces foreign sanctions against individuals, organisations and countries.

Due to its involvement in sanctions and enforcement actions against malicious cyber actors – it has played a key role in multinational operations against financially motivated ransomware gangs – OFAC presents a very obvious target for threat actors.

In a letter to senators Sherrod Brown and Tim Scott, who sit on the Committee on Banking, Housing and Urban Affairs – a copy of which has been reviewed by Computer Weekly – Treasury assistant secretary for management, Aditi Hardikar, confirmed the department was notified by a third-party software services provider that it had been compromised on 8 December 2024.

The organisation in question, BeyondTrust, said the APT gained access to a key that it was using to secure a cloud-based remote tech support service.

“With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users,” wrote Hardikar.

“Treasury has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Intelligence Community, and third-party forensic investigators to fully characterise the incident and determine its overall impact.

“Based on available indicators, the incident has been attributed to a China state-sponsored APT actor. The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information,” wrote Hardikar.

The Chinese authorities have denied the Americans’ allegations, with a spokesperson for Beijing’s embassy in Washington DC describing them as “irrational” and part of a “smear campaign”.

BeyondTrust vulnerabilities

The tech firm at the centre of the incident, BeyondTrust, is a US-based supplier with roots dating back to the mid-1980s. It specialises in privileged identity management and privileged access management (PIM/PAM), privileged remote access and vulnerability management services. It claims more than 20,000 customers in 100 countries, including tech firms such as Axians and ServiceNow.

It is also particularly well-used in the public sector, with multiple customers in local government, healthcare and utilities, including a number of NHS bodies in the UK.

In a statement posted to its website, BeyondTrust said it identified an incident impacting a “limited number” of Remote Support SaaS customers that arose through the compromise of an application programming interface (API) key. It revoked the key immediately on concluding a root cause analysis into a remote support SaaS technical issue on 5 December 2024, and began notifying affected users, including the Treasury.

It has since identified two specific vulnerabilities within the Remote Support and Privileged Remote Access product lines – one of critical severity and one of medium severity. These have been assigned designations CVE-2024-12356 and CVE-2024-12686 respectively. Both have been patched for both cloud-hosted and on-prem versions as of 18 December 2024.

According to BeyondTrust, the issues are both command injection vulnerabilities that, if successfully exploited, enable an unauthenticated remote attacker to execute operating system commands in the context of the site user.

A BeyondTrust spokesperson told Computer Weekly: “BeyondTrust previously identified and took measures to address a security incident in early December 2024 that involved the Remote Support product. BeyondTrust notified the limited number of customers who were involved, and it has been working to support those customers since then. No other BeyondTrust products were involved. Law enforcement was notified and BeyondTrust has been supporting the investigative efforts.”

Security supply chain still a big issue in 2025

With this incident, BeyondTrust unfortunately becomes the latest in a long line of cyber security specialists to find themselves making headlines after the compromise of products and solutions designed to keep end users safe.

Avishai Avivi, CISO at SafeBreach, a supplier of breach and attack simulation tools, explained how the breach likely unfolded. “BeyondTrust, unironically, provides a secure method for IT support personnel to provide remote support to end users,” he said. “This method involves establishing a trusted connection between the support person and the end-user.

“This trusted connection punches through traditional perimeter security controls and gives the support person full access and control over the end-user workstation. Once inside, the support person can send documents back over that secure channel or masquerade as the end-user and send the same documents directly.

“The security controls protecting the US Treasury network have no way of knowing something nefarious is happening, as the trusted connection is, well, trusted.

“Was there something that the US Treasury could have done to prevent this? The sad answer appears to be yes. Again, referring to the technical information BeyondTrust provided, the system administrators at the US Treasury, or the vendor likely to provide support services, failed to configure trusted locations from which the support agents could connect. We refer to this as IP whitelisting [allowlisting].

“This failure is a critical risk with any such service [and] the same issue led to notable breaches in 2023 and 2024. This oversight is why we urge all service vendors, especially trusted ICT vendors, to follow the CISA Secure-by-Default guidance.”
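One defensive check for the allowlisting gap Avivi describes, added here as an illustration and not code from BeyondTrust, the Treasury or Computer Weekly: it audits constructed remote-support session records (a hypothetical log format using RFC 5737 documentation addresses) against a list of trusted agent networks, and fails closed when no trusted network is configured at all.

```python
"""Audit remote-support session records against an allowlist of trusted
support locations. The log format, agent names and addresses below are
constructed for this example; they are not BeyondTrust's own schema."""
import ipaddress
from dataclasses import dataclass

# Networks from which support agents are allowed to connect
# (constructed example ranges, RFC 5737 documentation space).
TRUSTED_AGENT_NETWORKS = ["198.51.100.0/24", "203.0.113.10/32"]

# Constructed session records: timestamp, agent id, agent source IP, endpoint.
SAMPLE_SESSIONS = """\
2024-12-02T09:14:03Z agent=helpdesk-07 src=198.51.100.23 endpoint=ws-finance-114
2024-12-02T21:47:51Z agent=helpdesk-07 src=192.0.2.77 endpoint=ws-ofac-031
2024-12-03T10:02:12Z agent=vendor-svc src=203.0.113.10 endpoint=ws-finance-120
2024-12-03T23:58:40Z agent=vendor-svc src=192.0.2.78 endpoint=ws-ofac-019
"""


@dataclass(frozen=True)
class Session:
    when: str
    agent: str
    src: "ipaddress.IPv4Address | ipaddress.IPv6Address"
    endpoint: str


def parse_sessions(text: str) -> list[Session]:
    """Parse the constructed 'key=value' session lines into Session records."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        sessions.append(Session(when, kv["agent"], ipaddress.ip_address(kv["src"]), kv["endpoint"]))
    return sessions


def untrusted_sessions(text: str, networks=TRUSTED_AGENT_NETWORKS) -> list[Session]:
    """Return sessions whose agent connected from outside every trusted network."""
    # Fail closed: an empty allowlist is exactly the misconfiguration described
    # above, so refuse to audit rather than silently accepting every source.
    if not networks:
        raise ValueError("no trusted support networks configured")
    nets = [ipaddress.ip_network(n) for n in networks]
    return [s for s in parse_sessions(text) if not any(s.src in n for n in nets)]


if __name__ == "__main__":
    for s in untrusted_sessions(SAMPLE_SESSIONS):
        print(f"ALERT {s.when} agent={s.agent} from untrusted {s.src} to {s.endpoint}")
```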
