It didn’t take very long for 2025 to serve up a reminder of the importance of identity security, with the US Treasury Department notifying Congress that a “China-state sponsored” threat actor had gained access to its systems by exploiting vulnerabilities (CVE-2024-12356 and CVE-2024-12686) in BeyondTrust’s systems.
And while CISA reports that the Treasury Department was the only federal agency to be affected by this breach, the story is still unfolding. More than 13,000 instances of the affected services are still connected to the internet and may be vulnerable, reports Censys. Since the initial Treasury Department disclosure, CISA has added CVE-2024-12686 to its Known Exploited Vulnerabilities catalog, which requires federal agencies to “secure their networks against ongoing attacks targeting the flaw.”
It’s never helpful to play Monday-morning quarterback, and that’s particularly the case in situations like this when details about the breach are still coming out. Instead, we think it’s valuable to look at the facts about the Treasury Department breach and explain what we think those facts mean for organizations’ cybersecurity programs going forward.
In its report on the breach, BeyondTrust notes that “a root cause analysis into a Remote Support SaaS issue identified an API key for Remote Support SaaS had been compromised.” The report notes that the compromised Remote Support SaaS API key “allowed for password resets of local application accounts.”
BeyondTrust took the appropriate action to immediately revoke the API key, likely to initiate password resets. But securing APIs must be part of a much broader approach: organizations must secure the entire credential lifecycle. That’s a bigger issue than just authentication. Organizations need to account for provisioning, enrollment, and resets of human and machine accounts.
They also need to ensure that what users are authenticating into is still relevant. I should only be able to access the resources that I need for a stated purpose. Any additional access—any access that I have but don’t need—only perpetuates risk.
Organizations must extend that to APIs as well. Human users and devices have tended to get all the security focus, while service accounts and APIs are overlooked. Organizations need to know what those services can access and what they can do with that access. They also need to generate and manage API keys independently for each tenant: having duplicate API keys is just as risky and just as bad as sharing passwords.
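To make the credential-lifecycle point concrete, here is an added example (not BeyondTrust’s code or API design) of a per-tenant, scoped API key registry: each key is bound to one tenant, stored only as a keyed hash, expires, carries explicit scopes, and is revoked per tenant. The tenant names, scope strings and the `account.password_reset` action are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed illustration of per-tenant, least-privilege API keys.
# Tenant names, scope names and the pepper value are assumptions.

class ApiKeyRegistry:
    def __init__(self, pepper: bytes):
        self._pepper = pepper   # server-side secret, kept out of the key table
        self._keys = {}         # key_id -> record (hash, tenant, scopes, expiry, revoked)

    def _digest(self, secret: str) -> str:
        # Store only an HMAC of the secret so a leaked table yields no usable keys
        return hmac.new(self._pepper, secret.encode(), hashlib.sha256).hexdigest()

    def issue(self, tenant: str, scopes: set, ttl_seconds: int) -> tuple:
        # One key per tenant and purpose; plaintext is returned once and never stored
        key_id = f"{tenant}-{secrets.token_hex(4)}"
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = {
            "hash": self._digest(secret), "tenant": tenant, "scopes": set(scopes),
            "expires": time.time() + ttl_seconds, "revoked": False,
        }
        return key_id, secret

    def authorize(self, key_id: str, secret: str, tenant: str, action: str) -> bool:
        rec = self._keys.get(key_id)
        if rec is None or rec["revoked"] or time.time() > rec["expires"]:
            return False
        if not hmac.compare_digest(rec["hash"], self._digest(secret)):
            return False
        # Tenant binding plus explicit scope: a support key cannot reset
        # passwords unless that scope was deliberately granted at issue time
        return rec["tenant"] == tenant and action in rec["scopes"]

    def revoke_tenant(self, tenant: str) -> int:
        # Revocation is per tenant; other tenants' keys keep working
        hit = [k for k, r in self._keys.items() if r["tenant"] == tenant]
        for k in hit:
            self._keys[k]["revoked"] = True
        return len(hit)
```

With a single key shared across tenants, the `revoke_tenant` step would instead force a reset for every customer at once, which is the operational cost the shared-key pattern hides.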
In its letter to Congress, the Treasury Department noted that the “threat actor had gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users.”
It’s hard to parse precisely what that means in this case, but there are elements of it that remind me of the 2023 attacks that cost MGM Resorts and Caesars Entertainment Group hundreds of millions of dollars.
In both the Las Vegas ransomware attacks and the more recent Treasury Department breach, attackers used some combination of the organizations’ support desks and APIs. The main difference is that in the case of the Las Vegas attacks, attackers used social engineering to trick the IT Help Desk into resetting a password.
Organizations need to understand the risks their own Help Desks can pose. Historically, threat actors have posed as IT Help Desks to socially engineer their targets, and that tactic seems to be at play in the Treasury Department attack.
These offices are under a great deal of pressure, have a large amount of latitude, and may not have their processes or actions fully documented.
Help Desk personnel may be able to reset passwords, remove MFA, or create new accounts altogether. Moreover, Help Desks can be pressured into acting before giving a case due consideration or documenting their actions.
To combat this, leadership needs to express that security is paramount, organizations have to document and use change management processes, and high-risk cases should require out-of-band communications to verify that someone requesting help is who they claim to be. Watch our on-demand webinar to see how organizations can help protect their help desks from phishing attacks.
It’s still too early to know all the factors involved in the BeyondTrust data breach. All researchers know so far is the two vulnerabilities that the firm has disclosed. Everything else—including whether the vulnerabilities were leveraged “as zero days to gain access to BeyondTrust systems or as part of [the] attack chain to reach customers,” per Bleeping Computer, whether its support desk was spoofed, and how it secures its APIs—is still speculation. There might be other factors that researchers will disclose in time.
And that’s the point. There are so many stages and components in any organization’s tech stack that can break, be overlooked, be insecure, or be misused. While organizations should strive to secure them all individually, they should also implement a broader Zero Trust framework.
Don’t overprovision access, prioritize Secure by Default and Secure by Design, train your users, and remove any implicit trust in users, systems and data. Look at your overall business processes and tech stacks together for weaknesses and don’t let perfect be the enemy of the good: any improvements you can make in your security posture—or any implicit trust you can remove from your environment—will go a long way in preventing or minimizing a breach.