
Customers of Sisense data analytics service urged to change credentials

The US Cybersecurity and Infrastructure Security Agency (CISA) is urging organizations to change any credentials they might have shared or stored with Sisense, a data analytics software and services provider, due to a compromise that’s still being investigated.

Sisense’s platform allows companies to connect various data sources including databases, spreadsheets, cloud services and web applications and then use the platform’s tools to analyze that data and generate reports and visualizations. The company’s customers include major companies from various industries including healthcare, retail, manufacturing, technology, financial services and pharma.

“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations,” the agency said in an alert.

Sisense did not immediately respond to a CSO request for comment, but independent journalist Brian Krebs published a copy of the message that Sisense CISO Sangram Dash sent to the company’s customers. In the message Dash warns that “certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet).”

It’s not clear if this refers to a Sisense server that was inadvertently exposed to external access or to a server where the information was stored by attackers after being stolen as a result of a security breach of the company’s systems. According to CISA, the incident was discovered by independent security researchers and involved Sisense customer data.

Dash advised customers to promptly rotate any credentials they use in their Sisense application, a recommendation that was echoed by CISA. The agency also told users to investigate any potentially suspicious activity involving credentials they shared with the company.

The Sisense platform has multiple deployment options, including a cloud version managed by Sisense, a version that can be deployed on the customer’s own cloud and one that can be deployed on premises. The platform offers many plug-ins and integration options, as well as a software development kit (SDK) that developers can integrate into their own applications.

“The nature of Sisense is they require access to their customers’ confidential data sources,” security researcher Marc Rogers said on X. “They have direct access to JDBC connections, to SSH, and to SaaS platforms like Salesforce and many more. It also means they have tokens, credentials, certificates often upscoped. The data stolen from Sisense contained all these tokens, credentials and access configurations.”

“This is a worst-case scenario for many Sisense customers,” Rogers noted. “These are often literally the keys to their kingdoms. Treat it as an EXTREMELY serious event.”

Meanwhile, security researcher Dave Kennedy advised Sisense customers to change any API keys in addition to passwords to Sisense accounts and to look for any unusual activity dating from April 5th onward.

Sisense CISO advice to customers

In a follow-up email that was shared by security experts online, Sisense CISO Sangram Dash advised customers to change the following credentials:

  • Change Your Password: Change all Sisense-related passwords on my.sisense.com
  • Non-SSO:
    • Replace the Secret in the Base Configuration Security section with your GUID/UUID.
    • Reset passwords for all users in the Sisense application.
    • Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
  • Single Sign-On (SSO):
    • If you use SSO JWT for the user’s authentication in Sisense, you will need to update sso.shared_secret in Sisense and then use the newly generated value on the side of the SSO handler.
    • We strongly recommend rotating the x.509 certificate for your SSO SAML identity provider.
    • If you utilize OpenID, it’s imperative to rotate the client secret as well.
    • Following these adjustments, update the SSO settings in Sisense with the revised values.
    • Logout all users by running GET /api/v1/authentication/logout_all under Admin user.
  • Customer Database Credentials: Reset credentials in your database that were used in the Sisense application to ensure continuity of connection between the systems.
  • Data Models: Change all usernames and passwords in the database connection string in the data models.
  • User Params: If you are using the User Params feature, reset them.
  • Active Directory/LDAP: Change the username and user password of users whose authorization is used for AD synchronization.
  • HTTP Authentication for GIT: Rotate the credentials in every GIT project.
  • B2D Customers: Use the following API PATCH api/v2/b2d-connection in the admin section to update the B2D connection.
  • Infusion Apps: Rotate the associated keys.
  • Web Access Token: Rotate all tokens.
  • Custom Email Server: Rotate associated credentials.
  • Custom Code: Reset any secrets that appear in custom code Notebooks.
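
As an added example (not part of the Sisense or CISA guidance), the sketch below combines the rotation list above with the earlier advice to review activity from April 5th onward: it reports which shared credentials are still unrotated and which uses after the cutoff came from a source other than the connector's expected networks. The inventory layout, event tuples, credential names and IP ranges are constructed, and the year 2024 is an assumption because the article gives only the day and month.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Assumption: the article says "April 5th" without a year; 2024 is used here.
CUTOFF = datetime(2024, 4, 5, tzinfo=timezone.utc)

# Constructed inventory; "expected" = networks the connector calls from (hypothetical).
INVENTORY = {
    "db-reporting-ro": {"kind": "database", "rotated_at": "2024-04-12T09:00:00+00:00",
                        "expected": ["198.51.100.0/24"]},
    "ldap-sync-svc": {"kind": "ldap", "rotated_at": None,
                      "expected": ["198.51.100.0/24"]},
}

# Constructed authentication events: (timestamp, credential id, source IP).
EVENTS = [
    ("2024-04-03T02:11:00+00:00", "db-reporting-ro", "203.0.113.77"),
    ("2024-04-06T02:14:00+00:00", "db-reporting-ro", "198.51.100.20"),
    ("2024-04-07T23:40:00+00:00", "db-reporting-ro", "203.0.113.77"),
    ("2024-04-13T10:05:00+00:00", "ldap-sync-svc", "198.51.100.21"),
    ("2024-04-14T01:30:00+00:00", "ldap-sync-svc", "192.0.2.9"),
]


def triage(inventory, events, cutoff=CUTOFF):
    """Return (credential ids not rotated since cutoff, events needing review)."""
    unrotated = sorted(
        cid for cid, meta in inventory.items()
        if meta["rotated_at"] is None
        or datetime.fromisoformat(meta["rotated_at"]) < cutoff
    )
    review = []
    for ts, cid, src in events:
        if datetime.fromisoformat(ts) < cutoff:
            continue  # before the window the advice covers
        meta = inventory.get(cid)
        if meta is None:
            continue  # not a credential shared with the platform
        nets = [ip_network(n) for n in meta["expected"]]
        if not any(ip_address(src) in n for n in nets):
            review.append((ts, cid, src, "unexpected source"))
    return unrotated, review


if __name__ == "__main__":
    pending, hits = triage(INVENTORY, EVENTS)
    print("still to rotate:", pending)
    print("review:", hits)
```
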