When BeyondTrust detected suspicious activity in its Remote Support SaaS environment in early December, the initial findings pointed to a compromised API key. The key allowed attackers to reset passwords for local application accounts, a serious but seemingly contained issue. However, as the investigation unfolded, it became clear that the attack went deeper.
Unpatched vulnerabilities in BeyondTrust’s software gave attackers the tools to escalate their actions, turning a single compromised API key into a springboard for greater access. While the breach affected a limited number of customers, the incident serves as a stark warning about how non-human identities (NHIs) like API keys and service accounts can be exploited in tandem with software flaws to create significant risks.
As Don Tait, senior analyst at research firm Omdia, recently noted:
“Cybercriminals often target NHIs, particularly those in the IoT area that operate without human intervention, seeking to exploit vulnerabilities for malicious purposes. Weak authentication mechanisms, misconfigured permissions, and inadequate monitoring can leave non-human entities susceptible to attacks, leading to data breaches, system compromises, and service disruptions.”
In BeyondTrust’s case, quick action limited the scope of the attack, but the event underscores how chained exploits can amplify vulnerabilities – and why securing NHIs is critical to modern threat defense.
The breach came to light on Dec. 2, when BeyondTrust detected anomalous activity within its Remote Support SaaS environment. A root cause analysis on Dec. 5 confirmed that attackers had compromised an API key tied to the service, enabling them to reset local account passwords and escalate access.
Further investigation revealed two vulnerabilities in BeyondTrust’s Remote Support and Privileged Remote Access tools:
Patches were issued for cloud instances on Dec. 16, with on-premises users urged to apply updates promptly. BeyondTrust continues to investigate the breach with third-party cybersecurity firms.
The BeyondTrust breach shines a spotlight on three interconnected risks tied to non-human identities:
The BeyondTrust incident offers critical lessons for organizations managing non-human identities in complex environments. Addressing these vulnerabilities requires a combination of proactive policies and robust security practices:
Static credentials are inherently risky. By transitioning to dynamic, short-lived credentials tied to workload identities, organizations can limit the lifespan of credentials and reduce their value to attackers.
API keys and service accounts should only have the permissions required to perform their specific tasks. Broad permissions – like the ability to reset passwords – should be avoided or tightly scoped.
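The two recommendations above (short-lived credentials bound to a workload identity, and permissions scoped to the task) can be enforced together at the point where a credential is minted and checked. The following is an added example, not BeyondTrust's code or anything from the incident; it uses a constructed HMAC-signed token format with an `exp` claim and an explicit `scopes` list, so a reporting workload holding a token for `sessions:read` cannot use it to perform `accounts:reset_password`, and the same token stops working once its TTL elapses. The signing key, workload names and scope strings are all assumptions for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed signing key for this example only; a real issuer keeps it in a KMS/HSM.
SIGNING_KEY = b"example-signing-key-do-not-use"


class TokenError(Exception):
    """Raised when a token fails signature, expiry or scope checks."""


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(workload_id, scopes, ttl_seconds, now=None, key=SIGNING_KEY):
    """Issue a short-lived credential tied to one workload and a fixed scope list.

    The token is <base64 claims>.<base64 HMAC-SHA256>; the TTL bounds how long a
    stolen copy remains useful, and the scopes bound what it can do.
    """
    now = time.time() if now is None else now
    claims = {
        "sub": workload_id,            # which workload this credential belongs to
        "scopes": sorted(scopes),      # least privilege: only the actions it needs
        "iat": int(now),
        "exp": int(now) + ttl_seconds, # hard expiry; no refresh without re-issuance
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, required_scope, now=None, key=SIGNING_KEY):
    """Return the claims if the token is authentic, unexpired and grants required_scope."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise TokenError("bad signature")
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        raise TokenError("token expired")
    if required_scope not in claims["scopes"]:
        raise TokenError(f"scope {required_scope} not granted to {claims['sub']}")
    return claims


def authorize(token, required_scope, now=None):
    """Decision wrapper for an API endpoint: (allowed, reason)."""
    try:
        claims = verify_token(token, required_scope, now)
        return True, f"{claims['sub']} allowed {required_scope}"
    except TokenError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # A reporting job gets a 15-minute, read-only credential (constructed scenario).
    tok = mint_token("reporting-job", ["sessions:read"], ttl_seconds=900, now=1000)
    print(authorize(tok, "sessions:read", now=1500))               # allowed
    print(authorize(tok, "accounts:reset_password", now=1500))     # scope not granted
    print(authorize(tok, "sessions:read", now=2000))               # expired
```

The design point is that the password-reset capability the attackers used in the incident is simply absent from a credential that was never scoped for it, and a leaked token has a lifetime measured in minutes rather than the indefinite life of a static API key.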
Implement logging and monitoring to detect anomalies in API key activity. Suspicious patterns, such as unauthorized resets or access from unexpected locations, should trigger alerts and prompt immediate investigation.
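As an added illustration of the monitoring described above (not code from BeyondTrust or from the incident response), the following runs three detections over a constructed JSON-lines audit log of API-key activity: a key performing an action outside its baselined set (for example, a reporting key resetting a password), a key used from a network it has never been seen on, and a burst of password resets from one key inside a short window. The log format, key names, IP ranges and thresholds are all assumptions for the demonstration.

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed baseline: the actions and source networks each API key is expected to use.
KEY_BASELINE = {
    "key-reporting-01": {
        "actions": {"session.list", "report.export"},
        "networks": ["203.0.113.0/24"],
    },
    "key-provisioning-02": {
        "actions": {"user.create", "account.password_reset"},
        "networks": ["198.51.100.0/24"],
    },
}

RESET_ACTION = "account.password_reset"
BURST_THRESHOLD = 3        # alert when more than this many resets ...
BURST_WINDOW_SECONDS = 60  # ... occur within this window for one key

# Constructed sample log (one JSON object per line); not real product logs.
SAMPLE_LOG = """\
{"ts":"2024-12-02T03:10:01Z","key":"key-reporting-01","action":"session.list","src":"203.0.113.10","target":"-"}
{"ts":"2024-12-02T03:12:44Z","key":"key-reporting-01","action":"account.password_reset","src":"203.0.113.10","target":"local-admin"}
{"ts":"2024-12-02T03:13:02Z","key":"key-provisioning-02","action":"account.password_reset","src":"192.0.2.77","target":"svc-backup"}
{"ts":"2024-12-02T03:13:05Z","key":"key-provisioning-02","action":"account.password_reset","src":"198.51.100.5","target":"user1"}
{"ts":"2024-12-02T03:13:09Z","key":"key-provisioning-02","action":"account.password_reset","src":"198.51.100.5","target":"user2"}
{"ts":"2024-12-02T03:13:15Z","key":"key-provisioning-02","action":"account.password_reset","src":"198.51.100.5","target":"user3"}
{"ts":"2024-12-02T03:13:21Z","key":"key-provisioning-02","action":"account.password_reset","src":"198.51.100.5","target":"user4"}
"""


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return events


def _in_networks(src, networks):
    ip = ipaddress.ip_address(src)
    return any(ip in ipaddress.ip_network(net) for net in networks)


def detect(events, baseline=KEY_BASELINE):
    """Return a list of alert dicts for anomalous API-key activity."""
    alerts = []
    reset_times = defaultdict(list)  # per key, timestamps of recent password resets
    for event in sorted(events, key=lambda e: e["ts"]):
        key, ts = event["key"], event["ts"].isoformat()
        profile = baseline.get(key)
        if profile is None:
            alerts.append({"rule": "unknown_key", "key": key, "ts": ts})
            continue
        # Rule 1: action outside the key's baselined set (a scoping violation or misuse).
        if event["action"] not in profile["actions"]:
            alerts.append({"rule": "unauthorized_action", "key": key, "action": event["action"],
                           "target": event["target"], "ts": ts})
        # Rule 2: request from a network this key has never been used from.
        if not _in_networks(event["src"], profile["networks"]):
            alerts.append({"rule": "unexpected_source", "key": key, "src": event["src"], "ts": ts})
        # Rule 3: burst of password resets by one key inside a sliding window.
        if event["action"] == RESET_ACTION:
            window = reset_times[key]
            window.append(event["ts"])
            while (event["ts"] - window[0]).total_seconds() > BURST_WINDOW_SECONDS:
                window.pop(0)
            if len(window) == BURST_THRESHOLD + 1:  # fire once when the threshold is crossed
                alerts.append({"rule": "reset_burst", "key": key, "count": len(window), "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Against the constructed log this raises one alert per rule: the reporting key resetting `local-admin`, the provisioning key used from outside its baseline range, and the run of four resets in under a minute. In practice the baseline would be generated from the identity inventory and the key's normal history rather than hand-written, and the burst alert should be raised once per window rather than on every additional event, which is why the rule fires only when the count first crosses the threshold.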
But don’t just monitor credential usage – that leaves you in a position to at best react to incidents. You are, in effect, chasing the hackers around your network. Instead, proactively secure workload access so that your attack surface is dramatically reduced and credentials are unlikely to be stolen in the first place. Then, your typical monitoring efforts can act as the backstop instead of the first line of defense.
Vulnerabilities like CVE-2024-12356 demonstrate how unpatched flaws can magnify the impact of credential compromises. A proactive patching strategy is essential to reduce the risk of exploitation.
Many breaches start in development environments where API keys and other credentials are stored. Applying strict access controls, implementing secrets management, and regularly auditing these environments can prevent inadvertent exposures.