the US Cybersecurity and Infrastructure Security Agency CISA said today it is investigating the hack of the business intelligence company Sisense, whose products are designed to allow businesses to view the online status of multiple third-party services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave its customers on Wednesday evening.
New York City-based Sisense has more than 1,000 clients across a range of industry sectors, including financial services, telecommunications, healthcare and higher education. On April 10, Sangram Dash, Chief Information Security Officer at Sisense She told clients that the company is aware of reports that “some Sisense corporate information may be available on what we have been told is a restricted access server (not generally available on the Internet).”
“We take this matter very seriously and began an investigation immediately,” Dash continued. “We have engaged industry-leading experts to assist us in the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and as we continue to investigate, we urge you to immediately replace any credentials you use within your Sisense app.
CISA said in its alert that it is working with private industry partners to respond to the recent compromise discovered by independent security researchers involving Sisense.
“CISA is playing an active role in collaborating with private sector industry partners to respond to this incident, particularly with respect to affected critical infrastructure sector organizations,” the scattered alert read. “We will provide updates as more information becomes available.”
Sisense declined to comment when asked about the veracity of the information shared by two reliable sources with intimate knowledge of the breach investigation. These sources said the breach appears to have started when the attackers somehow gained access to the company's code repository in Gitlab, and that repository contained a token or credentials that allowed the bad guys to access Sisense's Amazon S3 buckets in the cloud.
Both sources said the attackers used S3 access to copy and filter several terabytes of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
Customers can use Gitlab either as a solution hosted in the cloud at Gitlab.com, or as a self-managed deployment of Gitlab. KrebsOnSecurity understands that Sisense was using the self-managed version of Gitlab.
The incident raises questions about whether Sisense was doing enough to protect sensitive data customers entrusted it with, such as whether the massive volume of stolen customer data was encrypted while in Amazon's cloud servers.
However, it is clear that the unknown attackers now have all the credentials that Sisense customers used in their dashboards.
The hack also shows that Sisense is somewhat limited in the cleanup actions it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for long periods of time — sometimes indefinitely. Depending on the service we're talking about, it may be possible for attackers to reuse these access tokens to authenticate as a victim without having to provide valid credentials.
Beyond that, it's largely up to Sisense customers to decide if and when to change passwords for various third-party services they previously entrusted to Sisense.
Earlier today, a PR firm working with Sisense reached out to see if KrebsOnSecurity planned to post any further updates on the hack (KrebsOnSecurity posted a screenshot of the CISO client's email to both LinkedIn And Mastodon Wednesday evening). The public relations representative said Sisense wanted to make sure they had an opportunity to comment before publishing the story.
But when Sisense was confronted with the details shared by my sources, she appears to have changed her mind.
“After consulting with Sisense, they told me they did not wish to respond,” the PR rep said in an email response.
Nicholas Weavera researcher at the University of California, International Computer Science Institute (ICSI) in Berkeley and a lecturer at the University of California, Davis, said that the company entrusted with many sensitive logins should encrypt this information.
“If they're hosting customer data on a third-party system like Amazon, it better have it encrypted,” Weaver said. “If they ask people to reset credentials, it means they weren't encrypted. So the first mistake is leaving Amazon credentials in your Git archive. The second mistake is using S3 without using encryption over it. The first is bad but tolerable, but The latter is unforgivable considering his actions.
Updated at 6:49 PM ET: Added clarification that Sisense uses a self-hosted version of Gitlab, not the cloud version managed by Gitlab.com.
Also, Sisense's CISO Dash sent an update to customers directly. The company's latest advice is much more detailed, and includes resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, GIT credentials, web access tokens, and any single sign-on (SSO) secrets or tokens ). .
The full message from Dash to customers is below:
“Good evening,
We are following up on our prior communication dated April 10, 2024, regarding reports that some Sisense information may be available on a restricted access server. As mentioned, we take this matter seriously and our investigation is ongoing.
Our customers must reset any keys, tokens, or other credentials in their environment used within the Sisense application.
Specifically, you must:
– Change your password: Change all Sisense-related passwords at http://my.sisense.com
– Other than single sign-on:
– Replace the secret in the Basic Configuration Security section with your own GUID/UUID.
– Reset passwords for all users in the Sysense application.
– Log out all users by running GET /api/v1/authentication/logout_all under admin user.
– Single sign-on (SSO):
– If you are using SSO JWT for user authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly created value on the SSO handler side.
– We highly recommend rotating the x.509 certificate for your SSO SAML identity provider.
– If you are using OpenID, it is necessary to rotate the client secret as well.
– After these modifications, update the SSO settings in Sisense with the revised values.
– Log out all users by running GET /api/v1/authentication/logout_all under admin user.
– Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of communication between systems.
– Data Forms: Change all usernames and passwords in the database connection string in Data Forms.
– User Parameters: If you are using the User Parameters feature, reset it.
– Active Directory/LDAP: Change the username and user password for users whose authorization is used for AD synchronization.
– HTTP Authentication for GIT: Roll out credentials in each GIT project.
– B2D Clients: Use the following API PATCH api/v2/b2d call in the Administration section to update the B2D connection.
– Infusion Apps: Rotate associated keys.
– Web Access Token: Rotate all tokens.
– Dedicated email server: Manage the associated credentials.
– Custom Code: Reset any secrets that appear in notebooks with custom code.
If you need any assistance, please submit a customer support ticket at https://community.sisense.com/t5/support-portal/bd-p/SupportPortal and mark it as critical. We have a dedicated response team on standby to assist with your requests.
At Sisense, we place the utmost importance on security and are committed to our customers' success. We thank you for your partnership and commitment to our mutual security.
It is considered,
Sangram Dash
Chief Information Security Officer
“Beer fan. Travel specialist. Amateur alcohol scholar. Bacon trailblazer. Music fanatic.”