CyberSecurity news

FlagThis - #beyondtrust

djohnson@CyberScoop - 60d
The US Treasury Department has confirmed a major cyber incident involving Chinese state-sponsored hackers who gained unauthorized access to employee workstations and unclassified documents. The breach occurred after a third-party software provider, BeyondTrust, was compromised, allowing the attackers to obtain a security key used for remote technical support. This key enabled the hackers to bypass security measures and remotely access Treasury systems and exfiltrate sensitive information. The Treasury was notified of the breach on December 8th and has been working with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other agencies to investigate the full impact of the incident.

The compromised BeyondTrust service has since been taken offline, and there is currently no evidence to suggest the threat actors still have access to Treasury systems. The Treasury Department has classified the incident as a “major incident” and has reaffirmed its commitment to bolstering cybersecurity defenses, highlighting the importance of addressing third-party vulnerabilities. The breach follows a series of other recent cyberattacks linked to China, further raising concerns about the security posture of the US government.

References:
  • CyberScoop: Treasury workstations hacked by China-linked threat actors
  • Federal News Network: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • siliconangle.com: Third-party provider hack exposes US Treasury Department unclassified documents
  • Techmeme: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • bsky.app: Chinese state-sponsored hackers broke into the U.S. Treasury Department this month and stole documents from its workstations, according to a letter to lawmakers
  • Chuck Darwin: US treasury’s workstations breached in cyber-attack by China – report A Chinese state-sponsored actor broke into the US treasury department earlier this month and stole documents from its workstations, according to a letter to lawmakers that was provided to Reuters on Monday.
  • www.theguardian.com: US treasury’s workstations breached in cyber-attack by China – report
  • techcrunch.com: US Treasury says China accessed government documents in ‘major’ cyberattack
  • cyberscoop.com: Treasury workstations hacked by China-linked threat actors
  • techcrunch.com: Letter: the US Treasury says China-backed hackers gained access to some Treasury workstations and unclassified docs; a vendor notified it of the hack on Dec. 8 (Zack Whittaker/TechCrunch)
  • International homepage: ‘In a letter to 🇺🇸 Senate banking committee seen by the Financial Times, the department said it had been informed on December 8 by software company BeyondTrust that a hacker had breached several remote government workstations by obtaining a security key and had in turn gained access to unclassified documents on them.’
  • www.benzinga.com: China-Linked Hackers Breach US Department Of Treasury
  • malware.news: Chinese-sponsored hackers accessed Treasury documents in ‘major incident’
  • www.cnn.com: CNN: China-backed hackers breached US Treasury workstations.
  • Michael West: Treasury says Chinese hackers accessed workstations
  • SiliconANGLE: Third-party provider hack exposes US Treasury Department unclassified documents
  • www.pymnts.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • www.engadget.com: The US Treasury Department says it was hacked in a China-linked cyberattack
  • federalnewsnetwork.com: Treasury says Chinese hackers remotely accessed workstations, documents in ‘major’ cyber incident
  • WIRED: US Treasury Department confirms hack by China-backed group.
  • bsky.app: The U.S. Treasury announced a major cyberattack linked to a compromised API key from its contractor, BeyondTrust.
  • securityonline.info: Treasury Department Hit by Major Cybersecurity Incident, China Suspected
  • PYMNTS.com: Treasury Department Workstations Breached by Hackers via Third-Party Vendor
  • san.com: Chinese-sponsored hackers behind ‘major’ breach: Treasury Department
  • securityaffairs.com: China-linked threat actors breached the U.S. Treasury Department by hacking a remote support platform used by the agency.
  • Hong Kong Free Press HKFP: US Treasury says was targeted by China state-sponsored cyberattack.
  • The Hacker News: The United States Treasury Department said it suffered a 'major cybersecurity incident' that allowed suspected Chinese threat actors to remotely access some computers and unclassified documents.
  • Fortune | FORTUNE: Treasury Department says a China state-sponsored cyberattack gained access to workstations and documents
  • gbhackers.com: US Treasury Department Breach, Hackers Accessed Workstations.
  • SAN: Investigators accuse China of hacking U.S. Treasury Department computers.
  • blog.gitguardian.com: What Happened in the U.S. Department of the Treasury Breach? A Detailed Summary.
  • DataBreaches.Net: Chinese hackers breached Treasury Department workstations, documents in ‘major cybersecurity incident’.
  • go.theregister.com: US Treasury Department outs the blast radius of BeyondTrust's key leak
  • www.wired.com: US Treasury Department Admits It Got Hacked by China. Treasury says hackers accessed “certain documents” in a “major” breach, but experts believe the attack’s impacts could prove to be more significant as new details emerge.
  • www.bleepingcomputer.com: US Treasury Department breached through remote support platform
  • Hacker News: US Treasury Department breached through remote support platform
  • OODAloop: What to know about string of US hacks blamed on China
  • Techmeme: Sources: Chinese government hackers breached the US Treasury Department's OFAC, which administers economic sanctions, and two other Treasury offices (Washington Post)
  • Dataconomy: According to the Washington Post Chinese government hackers compromised the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) in December, targeting intelligence related to economic sanctions, officials reported.
  • Carly Page: China-backed hackers reportedly compromised the US Treasury’s highly sensitive sanctions office during December cyberattack
  • techcrunch.com: Chinese government hackers targeted the U.S. Treasury’s highly sensitive sanctions office during a December cyberattack, according to reports.
  • techcrunch.com: Chinese government hackers targeted US Treasury’s sanctions office during December cyberattack
  • Cybernews: On Thursday, it was revealed that PRC-backed hackers behind last month’s US Treasury hack accessed some senior officials' laptops.
  • Bloomberg Technology: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • www.techmeme.com: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • Techmeme: Sources: China-backed hackers accessed the computers of senior US Treasury officials; the department's email system and classified data were not breached (Bloomberg)
  • The Hacker News: CISA: No Wider Federal Impact from Treasury Cyber Attack, Investigation Ongoing
  • www.helpnetsecurity.com: CISA says Treasury was the only US agency breached via BeyondTrust
  • www.the420.in: Chinese APT Exploits BeyondTrust Vulnerability to Breach U.S. Treasury Systems
  • Pyrzout :vm:: CISA says Treasury was the only US agency breached via BeyondTrust
  • Help Net Security: CISA says Treasury was the only US agency breached via BeyondTrust
  • industrialcyber.co: US Treasury sanctions Beijing’s Integrity Tech for Flax Typhoon cyber intrusions on critical infrastructure
  • ciso2ciso.com: CISA: Third-Party Data Breach Limited to Treasury Dept. – Source: www.darkreading.com
  • Latest from TechRadar: Chinese cybersecurity firm hit by US sanctions over ties to Flax Typhoon hacking group

@csoonline.com - 14d
A high-severity SQL injection vulnerability, identified as CVE-2025-1094, has been discovered in PostgreSQL's psql interactive tool. Rapid7 researchers found that threat actors exploited this zero-day flaw in conjunction with a BeyondTrust vulnerability (CVE-2024-12356) during targeted attacks in December 2024: the attackers who exploited the zero-day in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products likely also exploited this previously unknown SQL injection flaw in PostgreSQL.

This vulnerability enables attackers to execute arbitrary SQL commands, potentially leading to OS command execution. The flaw stems from how PostgreSQL handles invalid UTF-8 characters, which allows attackers to inject malicious input that reaches psql's "\!" meta-command, a shortcut that runs a shell command. Rapid7 found that successful exploitation of the BeyondTrust vulnerability required exploiting CVE-2025-1094 to achieve remote code execution. Patches have been released for PostgreSQL versions 13 through 17 to address this issue, and users are advised to upgrade their database servers immediately.

References:
  • The Register - Security: High-complexity bug unearthed by infoseccers, as Rapid7 probes exploit further A high-severity SQL injection bug in the PostgreSQL interactive tool was exploited alongside the zero-day used to break into the US Treasury in December, researchers say.…
  • Caitlin Condon: CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting — 🧵on its relation to BeyondTrust exploitation
  • securityaffairs.com: Threat actors are exploiting a zero-day SQL injection vulnerability in PostgreSQL, according to researchers from cybersecurity firm Rapid7.
  • The Hacker News: Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7.
  • www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
  • infosec.exchange: New vuln disclosure c/o : CVE-2025-1094 is a SQL injection flaw in PostgreSQL's psql interactive tool that was discovered while analyzing BeyondTrust RS CVE-2024-12356. The bug is interesting on its relation to BeyondTrust exploitation
  • MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
  • www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
  • Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.
  • Caitlin Condon: CVE-2025-1094 affects all supported versions of PostgreSQL
  • Open Source Security: Hi, As announced on February 13 in: This vulnerability is related to BeyondTrust CVE-2024-12356: In Caitlin Condon's words in the thread above: The referenced Rapid7 blog post:
  • www.postgresql.org: PostgreSQL security announcement about CVE-2025-1094.
  • Open Source Security: Re: CVE-2025-1094: PostgreSQL: Quoting APIs miss neutralizing quoting syntax in text that fails encoding validation, enabling psql SQL injection
  • securityonline.info: Metasploit-Ready: CVE-2025-1094 SQLi in PostgreSQL Exposes Systems to Remote Attacks
  • Caitlin Condon: Infosec.exchange post linking to various resources related to CVE-2025-1094 in PostgreSQL.
  • www.postgresql.org: PostgreSQL announcement about PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 releases fixing CVE-2025-1094

Bill Toulas@BleepingComputer - 71d
BeyondTrust has confirmed a security breach affecting its Remote Support SaaS instances. Hackers exploited a compromised API key to reset account passwords, gaining unauthorized access. The company detected anomalous activity in early December, which led to the discovery of the compromised API key and subsequent quarantine of affected SaaS instances. BeyondTrust immediately revoked the API key and provided alternative instances for impacted customers.

The investigation revealed two vulnerabilities: CVE-2024-12356, a command injection flaw with a critical CVSS score of 9.8, and CVE-2024-12686, a privilege escalation vulnerability with a medium CVSS score of 6.6. The command injection vulnerability allows unauthenticated attackers to execute arbitrary commands, while the privilege escalation flaw enables attackers who already hold administrative privileges to upload malicious files and run commands. BeyondTrust has released patches to address these vulnerabilities for both cloud and on-premise customers. The U.S. CISA has added the command injection flaw to its Known Exploited Vulnerabilities catalog, highlighting the severity and the need for immediate patching.

References:
  • Cyber Security News: Cyberpress article on BeyondTrust patching PRA and RS flaws.
  • securityonline.info: CVE-2024-12356 (CVSS 9.8): Critical Vulnerability in BeyondTrust PRA and RS Enables Remote Code Execution
  • The Hacker News: BeyondTrust Issues Urgent Patch for Critical Vulnerability in PRA and RS Products
  • Security Risk Advisors: Critical Command Injection Vulnerability in BeyondTrust Remote Access Products Enables Unauthenticated RCE
  • www.beyondtrust.com: Critical command injection #vulnerability in #BeyondTrust Remote Support/PRA allows unauthenticated system access
  • BeyondTrust: Apparently BeyondTrust discovered the vulnerabilities CVE-2024-12356 (see parent toot above) as well as (6.6 medium, disclosed ) Command Injection vulnerability in Remote Support (RS) & Privileged Remote Access (PRA) while investigating a security breach that occurred in Remote Support SaaS instances on or about 05 December 2024.
  • www.bleepingcomputer.com: BeyondTrust says hackers breached remote support SaaS instances
  • www.heise.de: Critical security gap in BeyondTrust Privileged Remote Access and Remote Support
  • heise online English: Critical security gap in BeyondTrust Privileged Remote Access and Remote Support The developers have closed a dangerous vulnerability in current versions of BeyondTrust Privileged Remote Access and Remote Support.
  • CISA: Very hot! 🥵 Page isn't live yet (access denied), but it's BeyondTrust CVE-2024-12356 (see parent toots above). NOTE THE DUE DATE!! This is a very important vulnerability to CISA!
  • www.beyondtrust.com: Security Advisory: Command Injection vulnerability in Remote Support
  • socradar.io: Socradar article about BeyondTrust security incident - command injection.
  • securityaffairs.com: U.S. CISA adds BeyondTrust software flaw to its Known Exploited Vulnerabilities catalog
  • bsky.app: Bsky post about hackers breaching BeyondTrust’s Remote Support SaaS instances.
  • Latest from TechRadar: BeyondTrust says hackers hit its remote support products
  • gbhackers.com: GBHackers - CISA Warns of BeyondTrust Privileged Remote Access Exploited in Wild

@csoonline.com - 14d
A critical zero-day vulnerability, identified as CVE-2025-1094, has been discovered in the open-source database management system PostgreSQL. This SQL injection flaw, found in PostgreSQL's psql terminal, was actively exploited in conjunction with a separate zero-day vulnerability, CVE-2024-12356, affecting BeyondTrust Remote Support systems. The combined exploitation of these vulnerabilities enabled attackers to achieve remote code execution, leading to potential system compromise.

Rapid7 researchers discovered that the PostgreSQL flaw stems from the interactive terminal psql's handling of malformed UTF-8 characters, which allows attackers to inject malicious SQL commands. This vulnerability was leveraged in attacks targeting the U.S. Treasury Department, highlighting the severity of the threat. PostgreSQL has urged users of versions before 13.19, 14.16, 15.11, 16.7, and 17.3 to immediately apply the issued patch to mitigate the risk of exploitation.

References:
  • The Hacker News: PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks
  • www.csoonline.com: PostgreSQL patches SQLi vulnerability likely exploited in BeyondTrust attacks
  • MSSP feed for Latest: New PostgreSQL Zero-Day Potentially Leveraged in BeyondTrust Attacks
  • www.scworld.com: New PostgreSQL zero-day potentially leveraged in BeyondTrust attacks
  • securityaffairs.com: Experts discovered PostgreSQL flaw chained with BeyondTrust zeroday in targeted attacks
  • Talkback Resources: Rapid7 discovered a zero-day vulnerability in PostgreSQL's psql terminal (CVE-2025-1094) enabling SQL injection, exploited in attacks on BeyondTrust Remote Support systems, compromising US Treasury Department machines.