CISA's Update on Breaches
As we cited in our previous blog posts – it pays to follow the warnings of CISA (The U.S. Cybersecurity and Infrastructure Security Agency).
Just a few days ago, CISA warned us about the Microsoft breach at U.S. government agencies. Now CISA says it is investigating a breach at a business intelligence company called Sisense. So this time it is not just CISA looking into hackers breaching government organizations: they are now looking at how Sisense was hacked. (Sisense's products let its customers, which are businesses, see the status of their third-party online services in a single dashboard.)
CISA recently told government agencies to reset their login credentials. Now it is telling business customers that use Sisense to also 'reset any credentials and secrets that may have been shared with the company.' Think your company won't be next? Think again: Sisense has 1,000+ customers in verticals such as financial services, telecommunications, healthcare and higher education.
“CISA is taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations - We will provide updates as more information becomes available.”
How did it happen? Two insiders said the breach likely started when the hackers got access to the company's code repository. How bad is it? That repository held the credentials that let the hackers access Sisense's Amazon S3 buckets in the cloud. What exactly did the hackers get? They gained access to millions of access tokens, email account passwords and SSL certificates.
And, just as CISA has warned us before, companies like Sisense were not properly protecting their customers' data. Now experts are wondering whether this data was ever encrypted 'while at rest in these Amazon cloud servers.'
This also raises the issue of tokens: tokens allow users to stay logged in for extended periods of time, even indefinitely, so a stolen token can keep working long after the theft. It is also a good reminder that, in the end, it is still up to the customers themselves to change the passwords they use with their third-party partners (like the passwords they previously entrusted Sisense to secure).
The latest update: customers are being told that tokens and credentials need to be reset on technologies such as Microsoft Active Directory, Git, web access tokens, and any single sign-on (SSO) secrets or tokens. You should see the full list of measures Sisense is now telling its customers they must take. There are 21 of them!
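The root cause described above, long-term cloud credentials sitting in a code repository, is exactly what a repository secret scanner is meant to catch before a commit lands. The following is an added example written for this post (not Sisense's or CISA's code): it scans text or a directory tree for AWS long-term access key IDs, their paired secret keys and PEM private-key blocks, redacts what it finds, and exits non-zero so it can gate a commit. The sample config and the `AKIAIOSFODNN7EXAMPLE` values are constructed placeholders from AWS documentation, not real credentials.

```python
import re
import sys
from pathlib import Path

# AWS long-term access key IDs are 20 chars starting with "AKIA"; the paired secret is
# 40 chars and usually sits next to a telling variable name. The PEM marker catches key material.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def redact(value: str) -> str:
    """Keep only the ends so a finding can be triaged without re-leaking the secret."""
    return value if len(value) <= 8 else f"{value[:4]}...{value[-4:]}"

def scan_text(path: str, text: str) -> list[dict]:
    """Return one finding per pattern hit: file, line number, secret type, redacted value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hit = match.group(1) if match.groups() else match.group(0)
                findings.append({"file": path, "line": lineno, "type": kind, "match": redact(hit)})
    return findings

def scan_tree(root: str) -> list[dict]:
    """Scan every regular file under root, skipping git's own object store."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            findings.extend(scan_text(str(path), path.read_text(errors="replace")))
    return findings

# Constructed sample resembling a config file committed by mistake; the values are the
# placeholder credentials from AWS documentation, not real keys.
SAMPLE_CONFIG = """[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample.cfg", SAMPLE_CONFIG)
    for f in results:
        print(f"{f['file']}:{f['line']}: {f['type']} {f['match']}")
    sys.exit(1 if results else 0)  # non-zero exit lets a pre-commit hook block the commit
```

Run it with a repository path as the argument to scan a real checkout; with no argument it scans the embedded sample. A hit on a key type that the scanner reports should be treated as already compromised and rotated, not just deleted from the commit.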
Three (3) sources about the recent warnings from CISA:
‘Krebs on Security’ article from 4/11/2024 on Sisense breach: https://krebsonsecurity.com/2024/04/why-cisa-is-warning-cisos-about-a-breach-at-sisense/
Another important piece you need to read, on how 'The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new version of "Malware Next-Gen"' that allows the public to submit malware samples for analysis by CISA: https://www.bleepingcomputer.com/news/security/cisa-makes-its-malware-next-gen-analysis-system-publicly-available/
Article from 4/11/2024 on CISA exposing Microsoft breach at federal agencies – warning that more breaches will follow: https://www.washingtonpost.com/technology/2024/04/11/microsoft-russia-hack-fallout/