Sisense breach exposes customers to potential supply chain attack
Sisense, a business analytics software company whose clients make up a who’s-who of the business world, recently suffered a compromise that prompted U.S. cybersecurity authorities to issue an alert Thursday warning the firm’s customers of the issue.
Although the details of the attack are not yet clear, the breach may have exposed hundreds of Sisense’s customers to a supply chain attack and provided the attacker with a door into the company’s customer networks, a source familiar with the investigation told CyberScoop.
It’s also not yet clear how many companies are at risk, whether the attackers accessed Sisense customer networks, nor who carried out the attack.
The Cybersecurity and Infrastructure Security Agency said in an advisory Thursday that it “is collaborating with private industry partners to respond to a recent compromise discovered by independent security researchers impacting Sisense.”
The alert recommends that Sisense customers reset credentials “potentially exposed to, or used to access, Sisense services,” as well as report to CISA any suspicious activity involving credentials exposed to or used to access Sisense services.
The veteran cybersecurity researcher Marc Rogers on Thursday urged Sisense’s current and former customers to “not underestimate the risk” posed by the breach.
Over a series of posts on the social media platform X, Rogers said that Sisense has access to a wide range of its customers’ confidential data sources and that the breach of the company included the tokens and credentials used to mediate that access.
“This is a worst case scenario for many sisense customers. These are often literally the keys to their kingdoms. Treat as an EXTREMELY serious event,” Rogers wrote.
An email alert sent to Sisense customers late Wednesday that was viewed by CyberScoop said the company was “aware of reports that certain Sisense company information may have been made available on what we have been advised is a restricted access server (not generally available on the internet).”
The alert urged customers “to promptly rotate any credentials that you use within your Sisense application.”
Sisense did not respond to multiple requests for comment Wednesday.
Sisense is used by more than 2,000 global companies operating in the finance, health care, retail, manufacturing, media and entertainment, marketing and technology sectors, according to the company’s website. Its clients include Verizon, Air Canada and Nasdaq, among others, although there’s no indication yet that any of those companies’ networks were exposed in the attack.
Targeting software as a service platforms is a tactic abused by both state-backed operations and criminal, financially motivated attacks.
A 2023 operation linked to North Korea, for instance, targeted the 3CX video conferencing and online communications platform, which had been compromised after one of that company’s employees downloaded a compromised version of the financial trading software X_Trader. In another example from 2023, attackers leveraging the CL0P ransomware variant targeted vulnerabilities in the MOVEit file transfer software to eventually compromise thousands of companies and obtain data on potentially tens of millions of people.
In another instance, attackers linked to a nebulous cybercrime ecosystem known as Scattered Spider managed to use access and customer credentials for the authentication platform Okta to target multiple international companies, including MGM Resorts and Caesars Entertainment.
Updated April 11, 2024: This article has been updated to include comment from Marc Rogers.
