BeyondTrust has revealed that it completed an investigation into a recent cybersecurity incident in which some of its Remote Support SaaS instances were breached using a compromised API key.
The company said the breach affected 17 Remote Support SaaS customers, and that the API key was used to enable unauthorized access by resetting passwords of local application accounts. The breach was first flagged on December 5, 2024.
“The investigation has determined that a zero-day vulnerability of a third-party application was used to gain access to an online asset in a BeyondTrust AWS account,” the company noted this week.
“Access to that asset then allowed the threat actor to obtain an infrastructure API key that could then be leveraged against a separate AWS account which operated Remote Support infrastructure.”
The U.S. access management company did not name the application that was exploited to obtain the API key, but said the probe uncovered two separate vulnerabilities in its products (CVE-2024-12356 and CVE-2024-12686).
Since then, BeyondTrust has revoked the compromised API key and suspended all known affected customer instances, while providing those customers with alternative Remote Support SaaS instances.
It is worth noting that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVE-2024-12356 and CVE-2024-12686 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The exact details of the malicious activity are currently unknown.
The development comes as the U.S. Treasury Department noted that it was one of the affected parties. No other federal agencies are known to be affected.
The attacks have been attributed to a Chinese hacking group called Silk Typhoon (formerly Hafnium), with the agency imposing sanctions against a Shanghai-based cyber actor named Yin Kechen for his alleged involvement in the Treasury breach.