Why CISA is warning CISOs about a breach at Sisense – Krebs on Security

The US Cybersecurity and Infrastructure Security Agency (CISA) said today it is investigating the hack of the business intelligence company Sisense, whose products are designed to allow businesses to view the status of multiple third-party online services in a single dashboard. CISA urged all Sisense customers to reset any credentials and secrets that may have been shared with the company, which is the same advice Sisense gave its customers on Wednesday evening.

New York City-based Sisense has more than 1,000 clients across a range of industry sectors, including financial services, telecommunications, healthcare and higher education. On April 10, Sangram Dash, Chief Information Security Officer at Sisense, told clients that the company is aware of reports that “some Sisense corporate information may be available on what we have been told is a restricted access server (not generally available on the Internet).”

“We take this matter very seriously and began an investigation immediately,” Dash continued. “We have engaged industry-leading experts to assist us in the investigation. This matter has not resulted in an interruption to our business operations. Out of an abundance of caution, and as we continue to investigate, we urge you to immediately replace any credentials you use within your Sisense app.”

CISA said in its alert that it is working with private industry partners to respond to the recent compromise of Sisense, which was discovered by independent security researchers.

“CISA is playing an active role in collaborating with private sector industry partners to respond to this incident, particularly with respect to affected critical infrastructure sector organizations,” the sparse alert read. “We will provide updates as more information becomes available.”


Sisense declined to comment when asked about the veracity of information shared by two reliable sources with intimate knowledge of the breach investigation. These sources said the breach appears to have started when the attackers somehow gained access to the company's code repository in Gitlab, and that the repository contained a token or credentials that allowed the attackers to access Sisense's Amazon S3 buckets in the cloud.

Both sources said the attackers used that S3 access to copy and exfiltrate several terabytes of Sisense customer data, which apparently included millions of access tokens, email account passwords, and even SSL certificates.
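The chain described above, a cloud credential sitting in a code repository, is exactly what a pre-commit or repository scan is meant to catch. The following is an added illustration, not code from the article or from Sisense: it scans text for AWS access key IDs by their fixed prefix and for candidate secret access keys by length plus Shannon entropy, so low-entropy 40-character strings are not flagged. The sample config and its key values are constructed placeholders (AWS's own documented example keys), and the entropy threshold is an assumed starting point to tune per repository.

```python
import math
import re
from typing import List, Tuple

# Two halves of an AWS credential pair. The access key ID has a fixed
# prefix and length; the secret key is 40 base64-like characters with no
# prefix, so it is additionally filtered by entropy to cut false positives.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])"
)
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed default, tune per repo


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random secrets score higher than words."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, match) for each suspected AWS credential in text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append((line_no, "aws_access_key_id", m.group(0)))
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(0)
            if shannon_entropy(candidate) >= ENTROPY_THRESHOLD:
                findings.append((line_no, "aws_secret_access_key", candidate))
    return findings


# Constructed sample of a credentials file that should never be committed.
# The key values are AWS's published example keys, not working credentials.
SAMPLE_CONFIG = """\
[default]
region = us-east-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# a 40-character low-entropy string that must not be flagged
banner = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
"""

if __name__ == "__main__":
    for line_no, kind, value in scan_text(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} -> {value[:4]}... (redacted)")
```

Wired into a pre-commit hook or a CI job over `git log -p`, the same function blocks the commit or fails the build instead of merely reporting.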

The incident raises questions about whether Sisense was doing enough to protect the sensitive data customers entrusted to it, such as whether the massive volume of stolen customer data was encrypted while stored on Amazon's cloud servers.

However, it is clear that the unknown attackers now have all the credentials that Sisense customers used in their dashboards.

The hack also shows that Sisense is somewhat limited in the cleanup actions it can take on behalf of customers, because access tokens are essentially text files on your computer that allow you to stay logged in for long periods of time — sometimes indefinitely. Depending on the service we're talking about, it may be possible for attackers to reuse these access tokens to authenticate as a victim without having to provide valid credentials.

Beyond that, it's largely up to Sisense customers to decide if and when to change passwords for various third-party services they previously entrusted to Sisense.


Earlier today, a PR firm working with Sisense reached out to see if KrebsOnSecurity planned to post any further updates on the hack (KrebsOnSecurity posted a screenshot of the CISO's email to clients on both LinkedIn and Mastodon Wednesday evening). The public relations representative said Sisense wanted to make sure it had an opportunity to comment before the story was published.

But when Sisense was confronted with the details shared by my sources, it apparently changed its mind.

“After consulting with Sisense, they told me they did not wish to respond,” the PR rep said in an email response.

Nicholas Weaver, a researcher at the University of California's International Computer Science Institute (ICSI) in Berkeley and a lecturer at the University of California, Davis, said that a company entrusted with so many sensitive logins should encrypt this information.

“If they're hosting customer data on a third-party system like Amazon, it better have it encrypted,” Weaver said. “If they ask people to reset credentials, it means they weren't encrypted. So the first mistake is leaving Amazon credentials in your Git archive. The second mistake is using S3 without using encryption over it. The first is bad but tolerable, but the latter is unforgivable considering its actions.”
