On Monday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the addition of a second vulnerability affecting BeyondTrust’s Privileged Remote Access (PRA) and Remote Support (RS) solutions to its Known Exploited Vulnerabilities (KEV) catalog. This decision follows the identification of ongoing exploitation of the flaw in real-world environments.
The vulnerability is tracked as CVE-2024-12686 and carries a CVSS score of 6.6 (medium severity). It allows an attacker who already holds administrative privileges to inject commands that are executed in the context of the site user.
CISA highlighted that the flaw allows an adversary with administrative access to upload malicious files, potentially leading to unauthorized command execution within the operating system. The catalog inclusion of CVE-2024-12686 comes on the heels of a previous addition, CVE-2024-12356, a critical vulnerability with a CVSS score of 9.8, which also facilitates arbitrary command execution.
Both vulnerabilities were discovered during an investigation into a cyber incident in early December 2024, in which malicious actors used a compromised Remote Support Software-as-a-Service (SaaS) API key to gain unauthorized access and reset passwords for local application accounts. The API key has since been revoked, but how it was compromised remains unknown, raising the concern that the flaws may have been exploited as zero-days before they were identified.
Earlier this month, the U.S. Treasury Department experienced a significant breach believed to be associated with the compromised API key. This incident has been attributed to a Chinese state-sponsored group, popularly referred to as Silk Typhoon, known for its sophisticated cyber warfare tactics.
The targeted agencies included the Treasury’s Office of Foreign Assets Control, the Office of Financial Research, and the Committee on Foreign Investment in the United States, as reported by major news outlets including The Washington Post and CNN.
Additionally, a newly patched critical vulnerability related to Qlik Sense, identified as CVE-2023-48365 (CVSS score: 9.9), has also been added to the KEV catalog. This flaw allows attackers to escalate privileges and execute HTTP requests on the software’s backend server. Notably, this vulnerability was previously exploited by the Cactus ransomware group. Federal agencies must apply patches for this vulnerability by February 3, 2024, to safeguard their networks against ongoing threats.
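The three catalog entries above all come with a CISA remediation deadline, and the practical defender task is to check the KEV feed against what is actually deployed. The following script is an added example (not code from the article, CISA or BeyondTrust) that parses a KEV-style JSON feed, matches entries against a software inventory, and flags entries whose due date has passed. The field names follow the public KEV JSON feed; the entries, dates and the inventory are constructed sample data, and the fourth CVE and vendor are placeholders used only to show filtering.

```python
import json
from datetime import date

# Constructed sample of a KEV-style JSON feed. Field names mirror the public
# CISA KEV feed; the dates, descriptions and the placeholder entry are
# illustrative values, not copied from CISA.
SAMPLE_KEV = json.dumps({
    "title": "Sample Known Exploited Vulnerabilities feed (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2024-12356", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "vulnerabilityName": "BeyondTrust PRA and RS Command Injection Vulnerability",
         "dateAdded": "2024-12-19", "dueDate": "2024-12-27",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-12686", "vendorProject": "BeyondTrust",
         "product": "Privileged Remote Access (PRA) and Remote Support (RS)",
         "vulnerabilityName": "BeyondTrust PRA and RS OS Command Injection Vulnerability",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-48365", "vendorProject": "Qlik",
         "product": "Qlik Sense",
         "vulnerabilityName": "Qlik Sense HTTP Tunneling Vulnerability",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
         "knownRansomwareCampaignUse": "Known"},
        # Placeholder entry for a product not in the inventory below.
        {"cveID": "CVE-2000-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct",
         "vulnerabilityName": "Placeholder entry (constructed)",
         "dateAdded": "2025-01-13", "dueDate": "2025-02-03",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: vendor (lower-case) -> substrings of product names
# that are deployed in this environment.
INVENTORY = {
    "beyondtrust": ["remote support"],
    "qlik": ["qlik sense"],
}


def load_kev(feed_text: str) -> list[dict]:
    """Parse the feed and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def match_inventory(entries: list[dict], inventory: dict[str, list[str]]) -> list[dict]:
    """Keep entries whose vendor is in the inventory and whose product name
    contains one of the inventory's product substrings (case-insensitive)."""
    hits = []
    for entry in entries:
        vendor = entry["vendorProject"].lower()
        product = entry["product"].lower()
        if any(sub in product for sub in inventory.get(vendor, [])):
            hits.append(entry)
    return hits


def overdue_entries(entries: list[dict], today: date) -> list[dict]:
    """Return entries whose CISA due date is strictly before `today`."""
    return [e for e in entries if date.fromisoformat(e["dueDate"]) < today]


def report(feed_text: str, inventory: dict[str, list[str]], today: date) -> dict[str, str]:
    """Map each relevant CVE to a remediation status string."""
    status = {}
    for entry in match_inventory(load_kev(feed_text), inventory):
        due = date.fromisoformat(entry["dueDate"])
        label = "OVERDUE since" if due < today else "due"
        if entry.get("knownRansomwareCampaignUse") == "Known":
            label += " (ransomware use known)"
        status[entry["cveID"]] = f"{label} {due.isoformat()}"
    return status


if __name__ == "__main__":
    for cve, text in report(SAMPLE_KEV, INVENTORY, date(2025, 1, 15)).items():
        print(cve, text)
```

In practice the feed text would be fetched from CISA's published KEV JSON and the inventory generated from an asset database; the matching here is deliberately substring-based, since KEV product names are free text and rarely line up exactly with inventory naming.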
Mapped to the MITRE ATT&CK Matrix, the tactics likely involved in these recent attacks include initial access (via the compromised API key), privilege escalation (via the command injection flaws), and command and control. Understanding these mechanisms helps organizations strengthen their defenses against similar vulnerabilities and exploits in the future.