CISA Confirms Treasury as Only Federal Victim in BeyondTrust Attack

CISA has confirmed that the U.S. Treasury Department was the sole federal agency affected by the recent BeyondTrust Remote Support compromise. The incident, which occurred in early December 2024, involved the exploitation of compromised API keys that allowed password resets of local application accounts.

According to the Treasury Department, the breach impacted workstations in both the Office of Financial Research and the Office of Foreign Assets Control, resulting in the compromise of several government employees’ systems and some unclassified documents. The Treasury has attributed the attack to a Chinese state-sponsored APT group, though China denies involvement.

BeyondTrust’s investigation revealed two vulnerabilities in their Privileged Remote Access and Remote Support products, one of which was exploited in this attack. While the company has patched all SaaS instances and pushed updates for self-hosted installations, organizations must manually apply the patch if they don’t have automatic updates enabled.

Currently, over 13,500 BeyondTrust Remote Support and Privileged Remote Access instances remain exposed online, though their vulnerability status is unclear. CISA continues to monitor the situation and coordinate with federal authorities to prevent further impacts.

This incident coincides with the Treasury Department’s recent sanctions against Beijing-based Integrity Technology Group for its alleged involvement in U.S.-targeted cyber operations by the Flax Typhoon APT group.
