
Cyber Incident Victim: BeyondTrust

Date: Oct 2023

Location: Malaysia

Summary

BeyondTrust detected an identity-centric attack targeting an in-house Okta administrator account, originating from a compromised Okta support system where an attacker stole a session cookie via a HAR file uploaded for troubleshooting. The attacker attempted unauthorized access through a proxy-linked IP and created a backdoor user account via Okta's API, but BeyondTrust's custom security policies and Identity Security Insights tool immediately blocked further actions and revoked access, preventing any infrastructure or customer exposure. Despite initial alerts to Okta about the suspected breach, confirmation of the compromise affecting BeyondTrust and other customers was delayed until weeks later. The incident highlighted vulnerabilities in third-party support systems but resulted in no successful breach of BeyondTrust's environment due to rapid detection and mitigation.


Description

On October 2, 2023, BeyondTrust’s security teams detected an identity-centric attack targeting an in-house Okta administrator account. The attack originated when an Okta support agent requested the administrator generate a HAR file—a browser recording containing an API request and session cookie—to troubleshoot a non-security-related support issue. The administrator uploaded this file to Okta’s support portal. Within 30 minutes, an attacker used the stolen session cookie from the HAR file to attempt access to BeyondTrust’s Okta environment from a Malaysian IP address linked to anonymizing proxy/VPN services. BeyondTrust’s custom security policies blocked initial console access attempts due to requirements for Okta Verify on managed devices. The attacker then pivoted to Okta’s administrative API, which lacked equivalent policy restrictions, and created a backdoor user account named "svc_network_backup" mimicking existing service accounts. BeyondTrust’s Identity Security Insights tool alerted the team to suspicious activity, including session hijacking, administrative actions via proxy, and privilege escalation. The security team immediately disabled the fraudulent account, revoked the attacker’s access, and initiated forensic analysis. Investigation confirmed no compromise of BeyondTrust’s infrastructure or customer data, attributing the breach solely to the stolen session cookie from Okta’s support system.


BeyondTrust escalated concerns to Okta on October 2, citing forensic evidence pointing to a compromise within Okta’s support organization. Despite multiple Zoom meetings with Okta’s security team on October 11 and 13 to share findings and request log data, Okta did not acknowledge a breach until October 19, when its security leadership confirmed BeyondTrust was among affected customers. The attacker’s actions were confined to API-based account creation and failed attempts to generate a password health report or access the main dashboard, hindered by BeyondTrust’s MFA requirements and session policies. No further malicious activity occurred after access revocation, and forensic reviews found no evidence of broader system compromise. Okta later updated its HAR file handling guidance and publicly disclosed the breach on October 20. BeyondTrust confirmed no operational impact or data exposure resulted from the incident, crediting its layered security controls—including FIDO2 authentication, device management policies, and real-time monitoring—for containing the attack. The company published indicators of compromise, such as specific IPs, user agents, and API activity patterns, to aid other organizations in detecting similar threats.
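The incident above turned on a HAR file that carried a live session cookie into a third-party support system. As an added illustration (not part of this incident record, and not BeyondTrust's or Okta's code), the Python below sanitizes a HAR before it leaves the administrator's machine: it redacts Cookie, Set-Cookie and Authorization headers and the per-entry cookie arrays, and a checker reports any session material that remains. The sample HAR, tenant URL and session values are constructed for the example.

```python
"""
Added example: strip session material from a HAR (HTTP Archive, JSON) file
before sharing it for troubleshooting, and verify nothing sensitive remains.
A HAR records every request/response a browser made, including Cookie,
Set-Cookie and Authorization headers and parsed `cookies` arrays, which is
exactly the material an attacker can replay to hijack a session.
"""
import copy
import json

# Header names whose values carry credentials or session identifiers.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def _scrub_headers(headers: list) -> None:
    """Replace the value of every sensitive header in place."""
    for h in headers:
        if h.get("name", "").lower() in SENSITIVE_HEADERS:
            h["value"] = REDACTED


def _scrub_cookies(cookies: list) -> None:
    """Replace every parsed cookie value in place; names are kept for debugging."""
    for c in cookies:
        c["value"] = REDACTED


def sanitize_har(har: dict) -> dict:
    """Return a deep copy of `har` with headers and cookies redacted on both
    the request and response side of every entry. The input is not mutated."""
    out = copy.deepcopy(har)
    for entry in out.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_headers(msg.get("headers", []))
            _scrub_cookies(msg.get("cookies", []))
    return out


def find_session_material(har: dict) -> list:
    """List every un-redacted sensitive header or cookie, as
    'entry <i> <request|response> header|cookie <name>' strings.
    An empty list means the file is safe to share as far as headers/cookies go."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            for h in msg.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS and h.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} header {h['name']}")
            for c in msg.get("cookies", []):
                if c.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} cookie {c.get('name')}")
    return findings


def sanitize_har_text(har_text: str) -> str:
    """Convenience wrapper for a HAR read from disk as text."""
    return json.dumps(sanitize_har(json.loads(har_text)), indent=2)


# Constructed sample HAR (not a real capture): one request to a hypothetical
# admin API that carries a session cookie, and a response that sets a new one.
SAMPLE_HAR = {
    "log": {
        "version": "1.2",
        "entries": [
            {
                "request": {
                    "method": "GET",
                    "url": "https://example-tenant.example/api/v1/users",
                    "headers": [
                        {"name": "Accept", "value": "application/json"},
                        {"name": "Cookie", "value": "sid=CONSTRUCTED-SESSION-ID-123"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID-123"}],
                },
                "response": {
                    "status": 200,
                    "headers": [
                        {"name": "Content-Type", "value": "application/json"},
                        {"name": "Set-Cookie", "value": "sid=CONSTRUCTED-SESSION-ID-456; HttpOnly"},
                    ],
                    "cookies": [{"name": "sid", "value": "CONSTRUCTED-SESSION-ID-456"}],
                },
            }
        ],
    }
}

if __name__ == "__main__":
    print("before:", find_session_material(SAMPLE_HAR))
    clean = sanitize_har(SAMPLE_HAR)
    print("after: ", find_session_material(clean))
    print(sanitize_har_text(json.dumps(SAMPLE_HAR))[:300])
```

The checker only covers headers and the parsed cookie arrays; response bodies and URL query strings in a HAR can also carry tokens, so the sanitized file still deserves a manual look before it is uploaded anywhere.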
