BeyondTrust - Secure Remote Access and Privileged Access Management

Summary

In December 2024, BeyondTrust identified a security incident that involved 17 Remote Support SaaS customers. On December 5th, 2024, a root cause analysis into a Remote Support SaaS issue identified that a BeyondTrust infrastructure API key for Remote Support SaaS had been compromised and used to enable access to certain Remote Support SaaS instances by resetting local application passwords. No BeyondTrust products outside of Remote Support SaaS were affected. BeyondTrust’s forensics investigation, conducted in coordination with a leading third-party forensics firm, was completed on January 17, 2025.

Timeline Overview

  • December 5, 2024 – Anomalous behavior was confirmed and a limited number of affected instances of Remote Support SaaS were identified.

  • December 5, 2024 – Initiated incident response protocols, engaged third-party forensics firm on retainer, revoked affected API key, and quarantined infrastructure for analysis.

  • December 8, 2024 – Published initial public security advisory.

  • December 10, 2024 – Notification to Federal law enforcement partners.

  • December 13, 2024 – CVE-2024-12356 and CVE-2024-12686 zero-day vulnerabilities discovered.

  • December 14-15, 2024 – Remote Support SaaS environments patched.

  • December 16, 2024 – Critical zero-day vulnerability (CVE-2024-12356) and patches announced.

  • December 19, 2024 – Medium-severity vulnerability (CVE-2024-12686) and patches announced.

  • December 19, 2024 – Law enforcement assigns attribution to China-nexus threat actors.

  • December 20, 2024 - Present – Continue to support affected customers and law enforcement in their respective investigations.

  • January 17, 2025 – BeyondTrust Investigation completed.

Security Incident Details

On December 5, 2024, BeyondTrust confirmed and began taking measures to address a security incident that involved our Remote Support SaaS product. No BeyondTrust products outside of Remote Support SaaS were affected. No FedRAMP instances were affected. No other BeyondTrust systems were compromised, and ransomware was not involved.

Our investigation into the cause and impact of the compromise was conducted with a recognized third-party cybersecurity and forensics firm. The investigation determined that a zero-day vulnerability in a third-party application was used to gain access to an online asset in a BeyondTrust AWS account. Access to that asset then allowed the threat actor to obtain an infrastructure API key that could be leveraged against a separate AWS account which operated Remote Support infrastructure. This vulnerability, as well as the two vulnerabilities discovered and disclosed as noted in the timeline above, have been patched.

In response to the initial incident, BeyondTrust initiated our security incident response process and took actions including:

  • Immediately revoked the compromised API key.

  • Suspended and quarantined all known affected customer instances.

  • Notified affected customers and worked with them to provide alternative Remote Support SaaS instances.

  • Engaged a recognized third-party cybersecurity and forensics firm to assist in the investigation.

  • Communicated with federal law enforcement, with whom we continue to coordinate and share information.

Our forensics investigation is now complete and has identified no unauthorized access to these Remote Support SaaS instances since early December 2024. This has been confirmed by the leading third-party forensics provider who continues to scan our environment for any indicators of compromise or other signs of threat actor activity. All customers affected have been informed and continue to be actively engaged with our security teams. Additionally, our teams continue to support the ongoing law enforcement investigation.

BeyondTrust patched all SaaS instances of Remote Support and has worked to raise awareness with customers who need to do their own patching for self-hosted Remote Support instances. In addition to the Remote Support configuration guidance on our website, the following are good practices to consider when using Remote Support:

  • If self-hosted, stay up to date with current releases, and activate the "Apply Critical Updates Automatically" option found in the /appliance interface.

  • Consider using an external authentication provider (e.g. SAML) rather than local accounts, and be sure to delete accounts not in use.

  • Consider using outbound events to trigger notifications for session events.

  • Integrate with a SIEM using one of our middleware integrations for session data, and periodically review for suspicious activity.

  • Configure syslog to send all configuration changes and authentication events to your SIEM.

  • Practice least privilege when setting up user roles and capabilities, and for endpoint access.

  • Periodically review all Security Settings and use the Session Policy simulator to validate that policies are being applied as intended.

  • Periodically review all active accounts on your appliance(s), especially those with admin privileges. Deactivate those not in use, and rotate passwords at recurring intervals where possible.

  • Enable network restrictions where possible.
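The two guidance items on syslog export and SIEM review can be turned into a concrete detection for the pattern this incident describes: a local application password being reset and then used to sign in, or one actor resetting many local passwords in a short window. The example below is added here and is not BeyondTrust code; the key=value log line format and the actor and account names are constructed stand-ins, not Remote Support's actual syslog schema.

```python
"""Flag local-account password resets followed by logins, and bulk resets by one
actor, over constructed syslog-style lines (added example; format is a stand-in)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a generic key=value style; NOT the real appliance format.
SAMPLE_LOGS = """\
2024-12-04T21:10:02Z appliance event=config_change actor=api-infra-key target=helpdesk1 action=password_reset auth=local
2024-12-04T21:10:05Z appliance event=config_change actor=api-infra-key target=helpdesk2 action=password_reset auth=local
2024-12-04T21:11:40Z appliance event=login user=helpdesk1 auth=local result=success src=203.0.113.7
2024-12-04T22:00:00Z appliance event=login user=alice auth=saml result=success src=198.51.100.4
2024-12-05T09:00:00Z appliance event=config_change actor=admin target=bob action=password_reset auth=local
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ event=(?P<event>\S+)(?P<rest>.*)$")

def parse(line):
    """Return (timestamp, event, fields) for one constructed line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("event"), fields

def find_reset_then_login(log_text, window=timedelta(hours=1)):
    """Alert on a local login within `window` after that account's password was
    reset, and on any actor resetting two or more local passwords inside `window`."""
    resets = defaultdict(list)    # target account -> reset timestamps
    by_actor = defaultdict(list)  # actor -> reset timestamps
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, event, f = rec
        if event == "config_change" and f.get("action") == "password_reset" and f.get("auth") == "local":
            resets[f["target"]].append(ts)
            by_actor[f["actor"]].append(ts)
        elif event == "login" and f.get("auth") == "local" and f.get("result") == "success":
            # Only resets that happened before this login count.
            if any(ts - r <= window for r in resets.get(f["user"], []) if r <= ts):
                alerts.append(("reset_then_login", f["user"], f.get("src")))
    for actor, times in by_actor.items():
        times.sort()
        if any(b - a <= window for a, b in zip(times, times[1:])):
            alerts.append(("bulk_reset", actor, len(times)))
    return alerts
```

A SAML-authenticated login never matches the first rule, which is one reason the guidance above prefers external authentication over local accounts.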

Indicators of Compromise (IoC)

The following Indicators of Compromise (IoCs) were identified during our investigation.

Attribution

Federal law enforcement determined that the unauthorized activity was attributable to a group of individuals associated with China.

Closing Thoughts

Our forensics investigation is complete. We will now look to implement any necessary changes as part of our ongoing efforts to continuously strengthen our security posture. Our primary focus remains working with our affected customers’ security teams to ensure their own investigations are properly supported and concluded.

Organizations across every major industry are vulnerable to cyber threats, many of which, like these zero-day vulnerabilities, remain unknown. While our forensics investigation is complete, we know that controls and defenses should not remain static, and findings from our investigation will serve only to strengthen our security posture as we continue to implement measures to further enhance our security practices.

Further Resources

As always, if you have a technical issue, please open a ticket via our secure customer portal link: https://beyondtrust.com/myportal

You can also access the latest customer news and updates via our BeeKeepers community: https://beekeepers.beyondtrust.com/
