The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is investigating a breach at business intelligence company Sisense. According to security researcher Brian Krebs, the breach involved attackers accessing a self-managed GitLab repository, leading to the exfiltration of customer data, including millions of access tokens and SSL certificates. This incident underscores the need for encrypted data storage and vigilant protection of access credentials.

Incident Recap

  1. CISA issued an alert about a breach at Sisense, advising customers to reset credentials and secrets.
  2. Attackers gained access to Sisense's self-managed GitLab.
  3. A hard-coded token gave attackers access to Sisense’s Amazon S3 buckets in the cloud.
  4. This access led to the copying and exfiltration of terabytes of data from Amazon S3 buckets.
  5. Exfiltrated data included millions of access tokens, email passwords, and SSL certificates.
  6. The breach has raised concerns regarding the encryption of sensitive customer data at rest.
  7. Sisense's response included detailed advice for customers on resetting a wide range of credentials and secrets.

Long Story

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to chief information security officers (CISOs) about a significant security breach at Sisense, a business intelligence company. Sisense's services, which facilitate the monitoring of multiple third-party online services through a single dashboard, are utilized by over a thousand organizations across various sectors. The breach was first acknowledged by Sisense's CISO, highlighting the discovery of company information on a restricted server and prompting an immediate and thorough investigation with assistance from top industry experts.

While details on how the hackers obtained the data haven't been released, KrebsOnSecurity cited multiple sources who said hackers accessed Sisense's self-managed GitLab repository, leading to the compromise of sensitive customer data stored within Amazon S3. The attackers managed to exfiltrate several terabytes of critical data, including access tokens, email passwords, and SSL certificates—a testament to the scope and severity of the breach.

This incident suggests at least two security failures at Sisense: the presence of hard-coded AWS credentials in GitLab repositories and the storage of sensitive customer data unencrypted in the cloud. This has raised many questions about Sisense's data security measures.

In response to the breach, Sisense has issued comprehensive guidance to its customers, advising on the reset of various credentials and secrets potentially compromised. This includes instructions for changing passwords, rotating tokens, and other security measures aimed at mitigating the impact of the breach on its customers and their data security (see Recommendations below).

Lesson Learned

The Sisense breach is another unfortunate illustration of the consequences of improper handling of secrets, or secrets sprawl. When secrets are left embedded in plaintext in source code, they become high-impact vulnerabilities. GitGuardian's suite of tools offers invaluable resources for detecting and remedying such exposures before they escalate into full-blown security disasters, showcasing the critical role of proactive security in today's digital landscape. While tools alone cannot prevent all forms of attack, they serve as an essential first line of defense in identifying and addressing potential security lapses.

"Encryption at rest for sensitive data is a non-negotiable security measure. So is the imperative to eliminate hard-coded credentials in source code repositories, as they always lead to further damages in case of a breach."
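To make the lesson above concrete, here is an added example (not Sisense's, GitGuardian's or Krebs's code) of the kind of check a secrets scanner runs over source files before they reach a repository: it flags AWS access key IDs by format, flags secret-key assignments only when the value has key-like entropy, and reports redacted values so the scanner's own output never re-leaks the secret. The sample file is constructed; its credentials are the placeholder example values AWS publishes in its own documentation, not live keys.

```python
import math
import re

# Access key IDs have a fixed prefix and length, so a format match is enough.
AWS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character base64-like value assigned to a name that mentions "secret".
SECRET_ASSIGN = re.compile(
    r"(?i)(aws_?secret(?:_access)?_key|secret_key)\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)

def shannon_entropy(s: str) -> float:
    """Bits per character; real key material scores high, repeated filler scores low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value: str) -> str:
    """Keep only the ends so a finding can be located without reprinting the secret."""
    return value[:4] + "..." + value[-4:]

def scan_source(text: str, min_entropy: float = 4.0) -> list[dict]:
    """Return one finding per hard-coded credential: line number, kind, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(1))})
        for m in SECRET_ASSIGN.finditer(line):
            secret = m.group(2)
            # Entropy gate: skips placeholders such as 40 repeated characters.
            if shannon_entropy(secret) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(secret)})
    return findings

# Constructed sample: the vulnerable pattern (keys committed to source) next to
# the hardened form (credentials resolved at runtime from the environment or an IAM role).
SAMPLE = """\
# constructed sample; values are AWS documentation placeholders
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID, aws_secret_access_key=AWS_SECRET_ACCESS_KEY)
# hardened: no key material in the repo
client = boto3.client("s3")
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```

Run against the sample it reports the two hard-coded values on lines 3 and 4 and stays silent on the hardened `boto3.client("s3")` call; wiring such a check into a pre-commit hook or CI job is the point at which it prevents, rather than merely documents, the exposure.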

Recommendations for Sisense customers:

  1. Urgently rotate any credentials used within the Sisense application.
  2. Reset passwords for all users in the Sisense application.
  3. Log out all users to invalidate current sessions.
  4. Update the x.509 certificate for SSO SAML identity providers.
  5. For OpenID, rotate the client secret.
  6. Reset credentials in databases used within Sisense to ensure system connectivity.
  7. Change usernames and passwords in database connection strings.
  8. Rotate credentials in every Git project.
  9. Use PATCH api/v2/b2d-connection to update B2D connections.
  10. Rotate keys associated with Infusion Apps.
  11. Rotate all web access tokens.
  12. Reset secrets present in custom code notebooks.