The US Treasury Attack: Key Events and Security Implications

January 21, 2025 CyberArk Labs


There’s a dark joke in cybersecurity: each year ends with an unwelcome holiday surprise—a major security incident. This timing isn’t random. Threat actors target this timing, knowing security teams operate with skeleton crews that impact detection, investigation and response times. It’s a calculated strategy that works reliably, year after year.

And now there’s another holiday surprise to add to the list—the recent attack on the U.S. Treasury Department.

Here’s a quick snapshot of the recent history of some major cyberattacks during or around the holiday season:

  • SolarWinds (Dec. 2020)
  • Log4Shell / Log4j (Dec. 2021)
  • LastPass (Dec. 2022)
  • U.S. Treasury Dept. (Dec. 2024)

This CyberArk Labs research post explains what is known so far, as well as critical takeaways and our top recommendations for helping to mitigate organizational risk.

Understanding the broader implications of this incident requires a closer look at the key events and security lessons learned. Below is an executive summary that encapsulates the critical aspects of the U.S. Treasury Department breach.

Executive Summary: Key Insights from the U.S. Treasury Department Breach

  • This CyberArk Labs research post explains the known details of the U.S. Treasury Department breach—at the time of this blog’s publication, there are 17 affected BeyondTrust customers.
  • Critical takeaways and actionable recommendations to mitigate risk are detailed below.
  • This incident demonstrates how zero-day exploits, stolen machine identities and strategic timing during the holiday season can lead to federal system compromise.


Note: The purpose of this blog is to help inform organizations about the details of this attack in the spirit of promoting prevention and protection. While BeyondTrust is a CyberArk competitor, we both play for the same team.

Chronology of the US Treasury Breach

Examining how the events unfolded is essential to understanding the U.S. Treasury Department breach. The following chronology lays out the key incidents and responses:

1. Dec. 2, 2024

In a statement shared with CyberScoop, a BeyondTrust spokesperson reported that security monitoring systems had flagged unusual behavior on Dec. 2. Specific details remain undisclosed.

2. Dec. 5, 2024

BeyondTrust confirmed the event as malicious and escalated it to a security incident investigation. According to the update, “a limited number” of BeyondTrust Remote Support software-as-a-service (SaaS) customers were affected. This contrasted with later reports focusing on a single victim without disclosing that the first logged events were on FedRAMP assets.

3. Dec. 8, 2024

The U.S. Treasury Department received notification that threat actors had compromised a machine identity. In this case, attackers used an API key to gain unauthorized access to Treasury Department systems. The Treasury Department mobilized a response, bringing in multiple government agencies and third-party incident response teams to investigate.

4. Dec. 16, 2024

During its investigation, BeyondTrust identified what we suspect is the initial entry point: CVE-2024-12356. This critical vulnerability, scoring 9.8 on the Common Vulnerability Scoring System (CVSS) scale, allowed unauthenticated attackers to execute privileged commands on the company’s Remote Support and Privileged Remote Access servers, which were responsible for providing remote access capabilities to client systems.

While this vulnerability gave attackers control of the company’s Remote Support server, it did not provide direct access to the U.S. Treasury Department’s infrastructure. The attackers needed to steal a privileged credential—in this case, an API key—to pivot from the company’s systems into Treasury’s environment. BeyondTrust immediately patched its SaaS environment and issued urgent patching instructions to self-hosted customers. Unpatched self-hosted instances remain vulnerable to this exploit.

5. Dec. 18, 2024

BeyondTrust disclosed a second zero-day vulnerability, CVE-2024-12686, affecting the same BeyondTrust products. This command injection vulnerability is rated 6.6 (‘medium’ severity) because it requires authenticated access to exploit.

BeyondTrust patched all cloud instances and reinforced the need for self-hosted customers to patch.

6. Dec. 19, 2024

CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities (KEV) Catalog.

7. Dec. 30, 2024

A letter from Aditi Hardikar, the U.S. Treasury’s assistant secretary for management, notified Committee on Banking, Housing and Urban Affairs Chairman Sherrod Brown and Ranking Member Tim Scott about the “major incident.”

In the letter, Hardikar reported that “a threat actor gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations and access certain unclassified documents maintained by those users.”

8. Jan. 6, 2025

CISA published an update: “At this time, there is no indication that any other federal agencies have been impacted by this incident.”

Meanwhile, BeyondTrust announced in a security investigation update that “The forensic investigation into the Remote Support SaaS incident is approaching completion.”

9. Jan. 13, 2025

CISA added the second vulnerability, CVE-2024-12686, to the KEV Catalog.

10. Jan. 16, 2025

Bloomberg reported that the breach involved unauthorized access to 400 laptops and desktop machines. The data accessed included sensitive law enforcement information and materials related to investigations conducted by the Committee on Foreign Investment in the U.S.

CyberArk Labs’ Analysis and Findings

How did attackers obtain a machine identity like an API key to pivot from BeyondTrust infrastructure into the Treasury Department? While the exact theft mechanism remains undisclosed, the discovery of CVE-2024-12356—a critical unauthenticated command injection vulnerability—provides significant insight. This vulnerability allowed attackers to execute privileged commands on BeyondTrust’s Remote Support platform, potentially exposing sensitive credentials like API keys stored in the system.

Three critical security lessons emerge from this incident:

  • Two zero-day remote code execution vulnerabilities point to challenges in threat modeling and secure development practices.
  • The successful theft and exploitation of the API key reveal insufficient machine identity security, specifically secret management policies and controls that enabled lateral movement beyond the initial breach.
  • The six-day delay (Dec. 2-8) in notifying the Treasury Department provided attackers a window to strengthen their position and expand system access.

Actionable Recommendations for Security Leaders

To help effectively mitigate risks and enhance your organization’s security posture, consider implementing the following actionable recommendations:

1. Secure Machine Identities and Vendor Access

Industry best practices for secrets management call for short-lived API credentials (dynamic secrets) wherever possible, and for frequent rotation of any secret that must remain static, to minimize exposure. Keep these machine identities in a dedicated secrets manager, integrate automated issuance and revocation into your workflows with auditing, and monitor how secrets are used. Discovering where secrets are stored is essential: more and more of them live in cloud provider secret stores.

For human identities such as third-party vendors, reduce risk by granting only the minimal permissions needed for clearly defined tasks, enforced through a privileged session broker or direct privileged access management (PAM) integration. This approach helps ensure that every third party’s access is time-bound and monitored.

2. Privileged Accounts and Endpoint Identity Security

Endpoint identity security applies the principles of identity security, least privilege and Zero Trust directly to endpoints and servers. Removing or drastically limiting local admin rights protects individual machines from compromise and prevents attackers from moving laterally through your environment.

Transition to a passwordless user experience for desktop sign-in and intermittent user authentication, and use strong, phishing-resistant multi-factor authentication (MFA). Lean on continuous user authentication and require re-authentication for risky actions or when access parameters change.

Where feasible, incorporate just-in-time (JIT) privilege elevation to dynamically provide elevated permissions only when users or systems genuinely require them. If JIT is not possible in particular use cases, implement frequent rotation of one-time passwords or short-lived tokens as an alternative, ensuring that no credential remains in place long enough to become a liability.

Monitoring all privileged sessions via PAM provides a real-time window into unusual activity, while periodic reviews help eliminate unnecessary or dormant privileges.

3. Rapid Incident Response: Kill Switch and Orchestration

When a validated high-risk threat materializes—such as the confirmed misuse of privileged credentials or significant evidence of an active breach—an orchestrated kill switch can quickly lock down your environment. Integrating PAM and secrets management with your Security Information and Event Management (SIEM) or Security Orchestration, Automation and Response (SOAR) platform allows you to automatically revoke privileged access when reliable signs of compromise are detected.

This proactive containment disrupts an attacker’s ability to escalate privileges or spread laterally, while centralized logs and forensics give you insights into root cause and incident scope. Frequent simulations can ensure your kill switch mechanism and orchestration workflows run smoothly, preventing confusion and containing damage during actual incidents.
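As an added illustration of two of the controls above (the short-lived, audited vendor secrets of section 1 and the automated kill switch of section 3), here is a small Python secrets broker. It is example code written for this post, not BeyondTrust’s or CyberArk’s implementation; the owner name, IP addresses and TTL are constructed placeholders.

```python
# Added example (not BeyondTrust's or CyberArk's code): a minimal secrets broker
# that issues short-lived vendor API keys, audits every use, and revokes a key
# automatically when it is presented from a source outside its allow-list.
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class IssuedKey:
    secret: str
    owner: str
    allowed_sources: frozenset
    expires_at: float
    revoked: bool = False

class SecretsBroker:
    def __init__(self, ttl_seconds, clock):
        self.ttl = ttl_seconds
        self.clock = clock          # callable returning epoch seconds (injectable for tests)
        self.keys = {}
        self.audit = []             # (event, key_id, detail) tuples: the forensic trail

    def issue(self, owner, allowed_sources):
        """Mint a dynamic secret bound to an owner, a source allow-list and a TTL."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)
        self.keys[key_id] = IssuedKey(secret, owner, frozenset(allowed_sources),
                                      self.clock() + self.ttl)
        self.audit.append(("issue", key_id, owner))
        return key_id, secret

    def revoke(self, key_id, reason):
        self.keys[key_id].revoked = True
        self.audit.append(("revoke", key_id, reason))

    def authorize(self, key_id, presented, source):
        """Return (allowed, reason). Anomalous use of a valid key trips the kill switch."""
        key = self.keys.get(key_id)
        if key is None or key.revoked:
            return False, "unknown or revoked key"
        if self.clock() > key.expires_at:
            return False, "expired"
        if not hmac.compare_digest(presented, key.secret):
            self.audit.append(("bad_secret", key_id, source))
            return False, "bad secret"
        if source not in key.allowed_sources:
            # A valid secret from an unexpected source is treated as stolen: revoke now.
            self.revoke(key_id, f"presented from unexpected source {source}")
            return False, "revoked: anomalous source"
        self.audit.append(("use", key_id, source))
        return True, "ok"
```

In a real deployment the allow-list check would be one of several SIEM/SOAR signals feeding the revoke call, and the audit list would be shipped to central logging rather than held in memory.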

Breaking the Cyberattack Cycle: Strategies for 2025

A single compromised API key transformed an initial foothold in BeyondTrust’s systems into a breach of Treasury Department infrastructure. The incident demonstrates how the convergence of zero-day exploits, stolen machine identities and strategic timing during the holiday season can successfully lead to federal system compromise. Attackers are wising up to the volume, variety and velocity of machine identities and the opportunity to launch attacks that move at machine speed.

While the immediate incident appears contained, the implications for government cybersecurity and third-party risk management will echo throughout 2025. Organizations must learn from this incident and implement measurable security defenses—particularly regarding machine identity protection and secrets management—to prevent similar attacks.

If you find the analysis in this blog valuable, join our upcoming webinar, “The US Treasury Dept Breach: Analysis of the Attack,” on Feb. 6, 2025. We’ll explore technical details beyond the scope of this blog post, including an in-depth analysis of the vulnerabilities, an attack chain reconstruction and actionable recommendations for protecting your organization against supply chain and machine identity compromise.


The CyberArk Labs research team specializes in advanced cybersecurity research and analysis.


Editor’s note: For more insights on the U.S. Treasury Department attack, check out CyberArk’s Trust Issues podcast episode, “Zero Days and High Stakes: The U.S. Treasury Attack.” Guests Andy Thompson, CyberArk Labs’ Senior Offensive Research Evangelist, and Joe Garcia, CyberArk’s Principal DevOps Solutions Engineer, explore the timeline, details and implications of the attack. They also share security recommendations. The episode is available on most major podcast platforms.
