Despite warnings of active exploitation by Chinese state-sponsored attackers, many BeyondTrust instances are still connected to the internet. The threat actors abused the critical vulnerability, CVE-2024-12356, in unpatched systems.
The BeyondTrust bug (CVE-2024-12356) was assigned a CVSS score of 9.8 and impacts the Privileged Remote Access (PRA) and Remote Support (RS) components. The flaw was initially reported by BeyondTrust on Dec 16, 2024, and added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities list three days later. However, by the end of the month, the flaw was used by a Chinese state-sponsored threat group to breach and steal data from the US Department of the Treasury.
A new report published by Censys said that exploiting the vulnerability would allow an unauthorised attacker to run “underlying operating system commands within the context of the site user.” In spite of publicised evidence of the advanced persistent threat (APT) campaign, 8,602 BeyondTrust PRA and RS systems remain exposed to the internet, 72% of them in the US.
How many of these exposed instances are unpatched remains unknown. BeyondTrust had said that self-hosted instances were forcefully updated; however, it is unclear whether the exposed instances have received the patch. A significant number of the systems are self-hosted BeyondTrust deployments that are open to the internet and at risk of exploitation.
Cloud customers were patched on Dec 16, 2024, the day the flaw was reported. “Customers own patching, hardening, and building monitoring capabilities — you’re effectively operating on an island by yourself,” Bugcrowd CISO Trey Ford said. “Service providers charge a slight premium to provide the patching, hardening, and monitoring — at scale — where the rising tide of operational efficiency protects all customers.”
He further explained that hosted services have economies of scale supporting detection, response and centralised patching and hardening. According to cybersecurity expert and president of Bambenek Consulting, John Bambenek, organisations running self-hosted deployments that cannot be patched can still protect the vulnerable remote tools.
Where patching is not possible, as in cases such as this, organisations can limit inbound connectivity to these instances to trusted IP addresses only. A company can lock down the allowed IP addresses because it knows who is remotely supporting it.