US Treasury reveals Chinese hackers stole documents in ‘major incident’
Reuters is among the news outlets reporting that the US Treasury says Chinese hackers stole documents in a ‘major incident’, noting that “The hackers compromised a third-party cybersecurity service provider and were able to access unclassified documents, the letter said, calling it a ‘major incident.’”
According to the letter from the US Treasury to the Chair and Ranking Member of the Senate Committee on Banking, Housing and Urban Affairs, hackers “gained access to a key used by the vendor to secure a cloud-based service used to remotely provide technical support for Treasury Departmental Offices (DO) end users. With access to the stolen key, the threat actor was able to override the service’s security, remotely access certain Treasury DO user workstations, and access certain unclassified documents maintained by those users.”
Lawrence Pingree, VP at Dispersive, had this to say:
“Beijing’s routine denial of responsibility for cyberespionage incidents raises diplomatic challenges with the US in addressing such breaches effectively, since there’s a lack of transparency and accountability/coordination. In this case, it’s hard to tell whether it was a breach of an application’s ‘secret’ or some form of cryptographic key. Secrets and cryptographic key management are critical elements of managing software API access, and thus if they are deficient in some way, or a compromise occurs via a developer’s endpoint, the breach of those secrets and authentication keys can create these types of epic breaches. It’s important that the systems developers and administrators use are properly isolated by zero trust technology controls, and that robust key and secrets management processes are tested and followed.”
Former NSA cybersecurity expert Evan Dornbush follows up with this:
“The cybersecurity world is reeling from yet another high-profile breach, this time targeting the clients of security vendor BeyondTrust. This incident joins a growing list of attacks on security firms, including Okta (whose breach directly impacted BeyondTrust as a customer), LastPass, SolarWinds, and Snowflake.
“In today’s interconnected landscape, your perimeter has all but vanished. A single zero-day exploit against a vendor can cripple your own operations. The BeyondTrust response, while remarkably swift, underscores this harsh reality.
“Discovered on December 2nd, the BeyondTrust hack saw the root cause identified by December 5th, leading to the emergence of two CVEs. Clients were notified on December 8th, and a patch was released by December 18th. Recent reports attribute the attack to Chinese actors.
“Sixteen days from discovery to mitigation, patching, disclosure, and attribution is impressive. However, this speed doesn’t negate the fundamental problem: their zero-days are your problem. While BeyondTrust acted quickly, the attackers likely exfiltrated data long before the patch was available. In smash-and-grab operations like this, data theft doesn’t take 16 days.
“As we enter 2025, one prediction is unavoidable: Network Detection and Response (NDR) must become a cornerstone of both internal security and third-party risk management. It’s the clearest way to detect anomalous activity across the enterprise. Further, until defenders gain advance warning of the exploits attackers wield, the playing field remains tilted sharply in the attackers’ favour.”
Given that this is the latest in a series of cybersecurity incidents tied to China, it is becoming clear that China needs to be held accountable for its actions in some way, shape or form. But at the same time, we need to do a better job of defending against these actors so that they are less of a threat than they are now.
This entry was posted on December 31, 2024 at 8:41 am and is filed under Commentary with tags Hacked.