Ethical Hacking News
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, CVE-2024-12686, has a medium-severity CVSS score of 6.6 and allows an attacker with existing administrative privileges to inject commands and run as a site user. The impact is substantial: attackers can gain unauthorized access to sensitive areas of the network and potentially steal or manipulate data. Organizations must apply patches as soon as they become available to mitigate this risk. A Chinese state-sponsored group called Silk Typhoon (aka Hafnium) is believed to have exploited the two flaws in a major cybersecurity incident against the U.S. Treasury Department. Federal agencies are required to apply patches by February 3, 2024, to secure their networks against active threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a second security flaw impacting BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products to the Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This addition is significant, as it highlights the ongoing threat landscape that organizations face when relying on third-party software solutions.
The vulnerability in question, CVE-2024-12686, has a medium-severity CVSS score of 6.6 and can be exploited by an attacker with existing administrative privileges to inject commands and run as a site user. BeyondTrust has confirmed that both vulnerabilities were discovered during its investigation into a cyber incident in early December 2024, in which malicious actors used a compromised Remote Support SaaS API key to breach some Remote Support SaaS instances and reset passwords for local application accounts.
The impact of this vulnerability is substantial, as it allows an attacker with existing administrative privileges to upload a malicious file, which can then be used to execute underlying operating system commands within the context of the site user. This creates a significant security risk, as it enables attackers to gain unauthorized access to sensitive areas of the network and potentially steal or manipulate data.
The addition of CVE-2024-12686 to the KEV catalog comes nearly a month after CISA added another critical security flaw impacting the same product (CVE-2024-12356, CVSS score: 9.8) that could also lead to the execution of arbitrary commands. This highlights the need for organizations to stay vigilant and apply patches as soon as they become available.
The U.S. Treasury Department revealed its network was breached using the compromised API key in what it said was a "major cybersecurity incident." The hack has been pinned on a Chinese state-sponsored group called Silk Typhoon (aka Hafnium). It's suspected that the threat actors exploited the two flaws as zero-days to break into BeyondTrust systems.
The threat actors are believed to have specifically targeted the Treasury's Office of Foreign Assets Control (OFAC), Office of Financial Research, and the Committee on Foreign Investment in the United States (CFIUS), according to multiple reports from the Washington Post and CNN. This level of sophistication and targeting suggests that the attackers were highly motivated and had a clear understanding of the organization's security posture.
The U.S. government has taken steps to mitigate the impact of this breach, including revoking the compromised API key. However, it's essential for organizations to take proactive measures to prevent similar breaches in the future. This includes applying patches as soon as they become available, implementing robust network segmentation and access controls, and regularly monitoring system logs for suspicious activity.
Furthermore, the recent addition of CVE-2023-48365 (CVSS score: 9.9) to the KEV catalog shows that Qlik Sense remains an actively targeted product. This critical security vulnerability allows an attacker to escalate privileges and execute HTTP requests on the backend server hosting the software. It's worth noting that this vulnerability has been actively exploited in the past by the Cactus ransomware group.
Federal agencies are required to apply the necessary patches by February 3, 2024, to secure their networks against active threats. This underscores the importance of staying up-to-date with security patch schedules and ensuring that all software solutions are properly configured and maintained.
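As an added example (not part of the article or of any CISA tooling), the script below shows how a defender can turn the KEV catalog into a patch-deadline triage list: it parses entries in the shape of CISA's public KEV JSON feed, matches them against an asset inventory, and reports which hosts are still unpatched and whether the deadline has passed. The KEV entries and the inventory are constructed sample data; the field names follow the public feed, but the dates here are illustrative only.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (known_exploited_vulnerabilities.json). Sample data, not copied from the catalog.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2024-12-19", "dueDate": "2024-12-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-48365", "vendorProject": "Qlik",
         "product": "Sense", "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
         "knownRansomwareCampaignUse": "Known"},
    ]
})

# Constructed asset inventory: vendor keyword -> list of (hostname, set of CVEs already patched).
INVENTORY = {
    "beyondtrust": [("rs-appliance-01", {"CVE-2024-12356"}),
                    ("pra-appliance-02", set())],
    "qlik": [("qlik-prod-01", set())],
}

def triage(kev_json, inventory, today):
    """Return a sorted list of (host, cveID, status) for every unpatched KEV entry
    that applies to a host in the inventory. status is 'OVERDUE' when today is
    past the catalog dueDate, otherwise 'DUE'."""
    findings = []
    for entry in json.loads(kev_json)["vulnerabilities"]:
        vendor = entry["vendorProject"].lower()
        due = date.fromisoformat(entry["dueDate"])
        for keyword, hosts in inventory.items():
            if keyword not in vendor:
                continue
            for host, patched in hosts:
                if entry["cveID"] in patched:
                    continue  # already remediated on this host
                status = "OVERDUE" if today > due else "DUE"
                findings.append((host, entry["cveID"], status))
    return sorted(findings)

if __name__ == "__main__":
    for host, cve, status in triage(KEV_SAMPLE, INVENTORY, date.today()):
        print(f"{status:8} {host:18} {cve}")
```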
In conclusion, the recent additions to the KEV catalog highlight the ongoing threat landscape in terms of vulnerabilities affecting BeyondTrust and Qlik Sense. It's essential for organizations to stay vigilant and take proactive measures to prevent similar breaches in the future. By applying patches as soon as they become available, implementing robust security controls, and regularly monitoring system logs, organizations can reduce their risk exposure and protect against advanced threats.
Related Information:
https://thehackernews.com/2025/01/cisa-adds-new-beyondtrust-flaw-to-kev.html
https://nvd.nist.gov/vuln/detail/CVE-2024-12686
https://www.cvedetails.com/cve/CVE-2024-12686/
https://nvd.nist.gov/vuln/detail/CVE-2024-12356
https://www.cvedetails.com/cve/CVE-2024-12356/
https://nvd.nist.gov/vuln/detail/CVE-2023-48365
https://www.cvedetails.com/cve/CVE-2023-48365/
Published: Mon Jan 13 22:18:26 2025 by llama3.2 3B Q4_K_M