China-linked actors hacked US Treasury Department

China-linked threat actors breached the U.S. Treasury Department by compromising a remote support platform used by the agency.

The Treasury Department learned of the breach on December 8 from its vendor [BeyondTrust](https://securityaffairs.com/172170/security/us-cisa-beyondtrust-known-exploited-vulnerabilities-catalog.html), according to a letter sent to lawmakers. BeyondTrust provides Privileged Access Management (PAM) and secure remote access products to sectors such as government, healthcare, banking, and energy.

Earlier this month, BeyondTrust [suffered](https://www.beyondtrust.com/remote-support-saas-service-security-investigation) a cyberattack in which threat actors compromised some of its Remote Support SaaS instances.

The Treasury Department is investigating the incident with the help of the FBI and the intelligence community. The threat actors gained access to the workstations of government employees and to unclassified documents stored on them.

*"In a letter informing lawmakers of the episode, the Treasury Department said that it had been notified on Dec. 8 by a third-party software service company, BeyondTrust, that the hacker had obtained a security key that allowed it to remotely gain access to certain Treasury workstations and documents on them,"* [reported](https://www.nytimes.com/2024/12/30/us/politics/china-hack-treasury.html) the New York Times.

*"Based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor," the letter said. "In accordance with Treasury policy, intrusions attributable to an APT are considered a major cybersecurity incident."*

The agency has taken the breached BeyondTrust service offline, and the intruders no longer have access to it. The Treasury Department plans to report further details of the breach to Congress. The Chinese government has denied any involvement and says it supports cybersecurity cooperation.

The investigation into the attack on BeyondTrust led to the discovery of two zero-day vulnerabilities, [CVE-2024-12356 and CVE-2024-12686](https://securityaffairs.com/172170/security/us-cisa-beyondtrust-known-exploited-vulnerabilities-catalog.html). The threat actors exploited the flaws to take over Remote Support SaaS instances, including the one used by the Treasury Department.

On December 19, 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [added](https://www.cisa.gov/news-events/alerts/2024/12/19/cisa-adds-one-known-exploited-vulnerability-catalog) the BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) command injection flaw, tracked as [CVE-2024-12356](https://www.cve.org/CVERecord?id=CVE-2024-12356) (CVSS score of 9.8), to its [Known Exploited Vulnerabilities (KEV) catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog). Inclusion in the KEV catalog obliges U.S. federal civilian agencies to remediate the flaw by the catalog's due date under Binding Operational Directive 22-01.

[**Pierluigi Paganini**](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559) ([**SecurityAffairs**](http://securityaffairs.co/wordpress/) – hacking, Treasury Department)
