The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has initiated an investigation into a data breach involving Sisense, a New York City-based business intelligence firm. Sisense specializes in providing businesses with the ability to monitor various third-party online services through an integrated dashboard. As part of its standard advisories, CISA has urged all customers of Sisense to promptly reset any credentials and secrets shared with the company, a message that aligns with guidance issued by Sisense to its users earlier this week.
On April 10, Sisense’s Chief Information Security Officer, Sangram Dash, informed customers that the company had been made aware of reports that proprietary company information had been exposed on a restricted server, one not normally reachable from the open internet. Dash emphasized the seriousness of the matter and stated that Sisense had engaged industry experts to conduct a thorough investigation. He reassured customers that the incident had not disrupted regular business operations, but reiterated the importance of rotating any credentials used within the Sisense application.
CISA’s alert indicates that collaboration with private sector partners is underway to respond to the compromise that was identified by independent security researchers. The agency is particularly focused on organizations within critical infrastructure sectors affected by the breach, highlighting the potential ramifications of the incident for various industries.
Sources familiar with the investigation disclosed that the breach may have originated from attackers gaining unauthorized access to Sisense’s self-managed GitLab code repository. It is alleged that within this repository, attackers secured a token or credential that granted them access to Sisense’s Amazon S3 cloud storage buckets. Utilizing this access, the perpetrators reportedly exfiltrated several terabytes of sensitive customer data, which included millions of access tokens, email account passwords, and SSL certificates.
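The reported chain above, a credential committed to a code repository that then unlocks cloud storage, is exactly what repository secret scanning exists to catch. The following is an added example, not Sisense’s, GitLab’s or CISA’s code: a minimal scanner of the kind run in CI or as a pre-commit hook. The AWS access key ID and GitLab personal access token prefixes are public formats; the secret-key rule and the entropy threshold are heuristics chosen for this example, and the config file it scans is constructed.

```python
import math
import re

# Token shapes. AKIA/ASIA (AWS access key IDs) and glpat- (GitLab personal
# access tokens) are public prefixes; the secret-key rule is a heuristic that
# looks for a 40-character value next to an aws_secret_access_key key name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gitlab_pat": re.compile(r"\bglpat-[0-9A-Za-z_-]{20,}"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character: random secrets score high, placeholders score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_for_secrets(text: str, min_entropy: float = 3.5) -> list[dict]:
    """Return one finding per credential-looking value, with its line number.

    The entropy gate (threshold is an assumption of this example) drops
    template values such as AKIAXXXXXXXXXXXXXXXX that match the fixed-prefix
    rules but are clearly not live secrets.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if kind == "aws_secret_access_key" else m.group(0)
                if shannon_entropy(value) < min_entropy:
                    continue  # placeholder, not a real credential
                # Never log the full secret; a prefix is enough to locate it.
                findings.append({"line": lineno, "kind": kind, "value": value[:8] + "..."})
    return findings

# Constructed sample: a credentials file accidentally committed to a repository.
# The two AWS values are the well-known documentation examples, not live keys.
SAMPLE_CONFIG = """\
# constructed sample config
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
# template values below must not be reported
aws_access_key_id = AKIAXXXXXXXXXXXXXXXX
GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx
CI_DEPLOY_TOKEN=glpat-Zx9Qm2Kp7Lr4Tv8Wn3Yb
"""

if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['kind']} ({f['value']})")
```

A finding in CI should fail the pipeline and trigger rotation of the matched credential, since a secret that has reached a commit must be treated as exposed even if the commit is later rewritten.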
The incident raises significant questions about Sisense’s data protection measures, in particular whether the large volume of customer data was adequately encrypted in its cloud storage. The breach not only exposes the credentials used by Sisense customers but also highlights how little Sisense itself can do to contain the damage: access tokens are plaintext strings that keep granting access to the systems they belong to until their owners revoke or rotate them.
As the investigation continues, customers bear the responsibility of deciding when to change passwords and tokens associated with third-party services tied to Sisense. In light of the breach, Sisense has issued detailed instructions for users to reset a wide array of access tokens across numerous technologies, including Microsoft Active Directory and Git credentials. These comprehensive directives emphasize a proactive approach to securing user accounts against potential unauthorized access.
Notably, the incident maps onto several tactics and techniques in the MITRE ATT&CK framework. Initial access could have been achieved through compromised credentials, while persistence may have been established through unauthorized entry into the GitLab repository. Privilege escalation likely occurred when the attackers used the sensitive tokens found there to move further into Sisense’s system architecture. The combination of these tactics indicates a deliberate, calculated attack strategy.
As the investigation unfolds and Sisense continues to communicate with its customer base, the situation remains dynamic. Increased vigilance and responsiveness to the established security protocols will be critical for Sisense customers as they navigate the aftermath of this significant data breach.