The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced today that it is investigating a breach at business intelligence company Sisense, whose product is designed to let businesses view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials or sensitive information that may have been shared with the company, the same advice Sisense gave its customers Wednesday evening.
Based in New York City, Sisense has more than 1,000 customers across a wide range of industries, including financial services, telecommunications, healthcare, and higher education. On April 10, Sisense Chief Information Security Officer Sangram Dash advised customers that the company was aware of a report that “certain Sisense company information may have been made available on a server that is reported to be a restricted access server (not typically available on the Internet).”
“We take this matter seriously and immediately launched an investigation,” Dash continued. “We have engaged industry-leading experts to assist with our investigation. This issue will not disrupt our business operations. Out of an abundance of caution, we will not be providing any assistance to our Sisense applications while we continue our investigation. We recommend that you immediately rotate the credentials you use within the system.”
CISA said in the alert that it is working with private industry partners to respond to recent breaches involving Sisense discovered by independent security researchers.
“CISA is taking an active role in working with our private industry partners to respond to this incident, particularly as it relates to affected organizations in the critical infrastructure sector,” the sparse warning read. “We will provide updates as further information becomes available.”
Asked about the veracity of information shared by two reliable sources familiar with the breach investigation, Sisense declined to comment. According to these sources, the breach appears to have begun when the attackers somehow gained access to the company's code repository in GitLab, and that repository contained a token or credentials that gave the bad actors access to Sisense's Amazon S3 buckets in the cloud.
Both sources said the attackers used S3 access to copy and exfiltrate multiple terabytes of Sisense customer data. This apparently included millions of access tokens, email account passwords, and even SSL certificates.
The incident raises questions about whether Sisense took sufficient steps to protect the sensitive data entrusted to it by its customers, including whether the large volume of stolen customer data was encrypted while stored on these Amazon cloud servers.
What is clear is that an unknown attacker now has all of the credentials that Sisense customers used in their dashboards.
The breach also reveals some limits on the cleanup actions Sisense can take on behalf of its customers. Access tokens are essentially text files on your computer that allow you to remain logged in for long periods of time (sometimes indefinitely). Depending on the service in question, an attacker may be able to reuse those access tokens and authenticate as the victim without ever having to present valid credentials.
Additionally, it is primarily up to Sisense's customers to decide whether and when to change their passwords for the various third-party services that they have previously entrusted to Sisense.
Earlier today, a public relations firm working with Sisense reached out to ask whether KrebsOnSecurity planned to publish any further updates regarding the breach (KrebsOnSecurity first reported on the breach Wednesday evening, based on a screenshot of the CISO's customer email; I posted the screenshot to both LinkedIn and Mastodon). A spokesperson said Sisense wanted to ensure it had an opportunity to comment before the article was published.
But when presented with the details my sources shared, Sisense apparently changed its mind.
“After consulting with Sisense, they have indicated that they do not wish to respond,” a spokesperson said in an emailed response.
Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) at the University of California, Berkeley and a lecturer at the University of California, Davis, said that companies entrusted with so many sensitive logins should not be storing that information unencrypted.
“If you're hosting customer data on a third-party system like Amazon, it's a good idea to encrypt it,” Weaver said. “If we're telling you to reset your credentials, that means they're not encrypted. So the number one mistake is to leave your Amazon credentials in a Git archive. Mistake #2: They're using S3 without encryption. The former is bad and forgivable, but the latter is unacceptable given their business.”
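The root cause described above (a credential committed to a code repository that unlocked cloud storage) is exactly what a secret-scanning check in a pre-commit hook or CI job is meant to catch. The following is an added example written for this article, not code from Sisense or KrebsOnSecurity; the file contents and key values are constructed, and the `AKIA`/`ASIA` key-ID shape is the publicly documented AWS access key format.

```python
import re
from dataclasses import dataclass

# Credential shapes most likely to end up in a repository by mistake.
# AWS access key IDs are 20 characters starting with AKIA (long-term IAM user
# keys) or ASIA (temporary STS keys). Secret access keys are 40 base64-like
# characters; to limit false positives they are only flagged when assigned to
# a variable whose name says what they are.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
AWS_SECRET_ASSIGNMENT = re.compile(
    r"aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?",
    re.IGNORECASE,
)

@dataclass
class Finding:
    path: str
    line_no: int
    kind: str

def scan_text(path: str, text: str) -> list[Finding]:
    """Return one Finding per line that looks like it carries AWS credential material."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if AWS_ACCESS_KEY_ID.search(line):
            findings.append(Finding(path, line_no, "aws_access_key_id"))
        if AWS_SECRET_ASSIGNMENT.search(line):
            findings.append(Finding(path, line_no, "aws_secret_access_key"))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would read staged files."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out

# Constructed sample files (the key values are not real credentials):
# one settings file with hard-coded keys, one clean source file.
SAMPLE_FILES = {
    "config/settings.py": (
        "S3_BUCKET = 'customer-exports'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAEXAMPLEKEY123456'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "app/main.py": "import boto3\nclient = boto3.client('s3')  # credentials come from the environment\n",
}

if __name__ == "__main__":
    hits = scan_files(SAMPLE_FILES)
    for f in hits:
        print(f"{f.path}:{f.line_no}: possible {f.kind}")
    raise SystemExit(1 if hits else 0)  # non-zero exit blocks the commit
```

Wired into a hook, the non-zero exit refuses the commit; the same scan run over full repository history is the check that would have surfaced an already-committed key before an attacker found it.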