US Treasury Department Outs The Blast Radius Of BeyondTrust's Key Leak

The US Department of the Treasury has admitted that miscreants were in its systems, accessing documents in what has been called a "major incident."

A letter to the Chairman of the Committee on Banking, Housing, and Urban Affairs, shared by Reuters, described the sequence of events. On December 8, the Treasury was notified by BeyondTrust that a key used for remote technical support had been pilfered, meaning that a threat actor could access some Departmental Office workstations and unclassified files.

Agencies including the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have been working with the Treasury to understand the incident. Third-party forensic investigators have also been called in.

According to the Treasury, "Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor."

The Register contacted China's Ministry of Foreign Affairs to get its take, but we have not received a response.

The BeyondTrust incident was reported by The Register earlier this month and involved the compromise of an API key for its Remote Support SaaS product. The key was swiftly revoked, but there were at least a few days in which attackers could have roamed around affected systems.

According to the Treasury Department, "The compromised BeyondTrust service has been taken offline and at this time there is no evidence indicating the threat actor has continued access to Treasury information." The Register asked the Department of the Treasury for more information on what had been accessed, but we have yet to receive a response.

In its letter, the Department said a more detailed report would be forthcoming in 30 days, and that "In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident."

The US Department of the Treasury's admission gives an insight into what a vendor's SaaS incident can mean for customers. During its investigation, BeyondTrust has identified vulnerabilities and pushed out patches for self-hosted versions of its software. For its cloud customers, it performed an update "fortifying the security of their solution overall."

Writing on Mastodon, cyber security researcher Kevin Beaumont had a warning for Software-as-a-Service users: "One thing every org needs to start to plan for: SaaS provider breaches. What's your playbook for when your SaaS provider gets breached?

"In the case of BeyondTrust, they released some CVEs and patches for the on prem software – but didn't say much of anything about their SaaS platform.

"The US govt just outed them for the customer impact side."

Notably, BeyondTrust has confirmed in its advisory that "all cloud instances have been patched for this vulnerability" by mid-December.

The outfit added, "We continue to communicate, and work closely with, all known affected customers." ®
