Hackers infiltrated the Remote Support SaaS of BeyondTrust

December 27, 2024

The privileged access management provider BeyondTrust was hacked earlier this month. Reports revealed that the threat actors infiltrated several of its Remote Support SaaS instances.

The affected entity is a cybersecurity startup focusing on Privileged Access Management (PAM) and secure remote access solutions. The compromise could inflict significant damage, as the organisations using its services include government agencies, technology companies, energy, retail and e-commerce businesses, healthcare, utility service providers, and banks.


BeyondTrust suffered the breach on December 2.


BeyondTrust claimed it discovered the unauthorised activity on its network earlier this month. Moreover, its initial assessment determined that the attackers had infiltrated some of its Remote Support SaaS systems.

The infiltration allowed the threat actors to access a Remote Support SaaS API key, enabling them to reset passwords for local application accounts.

A root-cause analysis of the Remote Support SaaS incident on December 5 confirmed that the attackers had compromised an API key for the service. The company said it immediately revoked the key, notified the customers it had identified as affected, and suspended those instances.

It is currently unknown whether the threat actors could exploit the impacted Remote Support SaaS instances to penetrate downstream clients.

The company discovered two security vulnerabilities during its investigation into the breach. The first is a significant command injection bug affecting the Remote Support (RS) and Privileged Remote Access (PRA) products.

According to the full description, an attacker who successfully exploits this vulnerability could execute underlying operating system commands in the context of the site user. The second flaw allows attackers to acquire administrative privileges, inject commands, and upload malicious files to the target.

Other researchers consider it probable that the threat actors used these flaws as zero-day exploits to gain access to BeyondTrust systems, or as part of their attack chain against customers.

However, neither advisory states that the issues were actively exploited. BeyondTrust says it has already developed patches for both vulnerabilities, but customers running self-hosted instances must install the security update manually.
