US Treasury Department Admits It Got Hacked by China


“I cannot believe that we’re seeing command injection vulnerabilities in 2024 in any products, let alone a secure remote access product that’s supposed to have additional vetting for use by the US government,” says Jake Williams, vice president of research and development at the cybersecurity consultancy Hunter Strategy and a former NSA hacker. “They are some of the easiest bugs to identify and remediate at this point.”

BeyondTrust is an accredited “Federal Risk and Authorization Management Program” vendor, but Williams speculates that the Treasury may have been using a non-FedRAMP version of the company’s Remote Support and Privileged Remote Access cloud products. If the breach actually affected FedRAMP-certified cloud infrastructure, though, Williams says, “it might be the first breach of one and almost certainly the first time FedRAMP cloud tools were abused to facilitate remote access to a customer’s systems.”

The breach comes as US officials have been scrambling to address a massive espionage campaign compromising US telecoms that has been attributed to the China-backed hacking group known as Salt Typhoon. White House officials told reporters on Friday that Salt Typhoon breached nine US telecoms.

“We wouldn’t leave our homes, our offices, unlocked and yet our critical infrastructure—the private companies owning and operating our critical infrastructure—often do not have the basic cybersecurity practices in place that would make our infrastructure riskier, costlier, and harder for countries and criminals to attack,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said on Friday.

Treasury, CISA, and FBI officials did not respond to WIRED’s questions about whether the actor that breached the Treasury was specifically Salt Typhoon. Treasury officials said in the disclosure to Congress that they would provide more information about the incident in the Department’s mandated 30-day supplemental notification report. As details continue to emerge, Hunter Strategy’s Williams says that the scale and scope of the breach may be even larger than it currently appears.

“I expect the impact to be more significant than access to just a few unclassified documents,” he says.


