Sisense Data Compromise: ARC Labs Intelligence Flash

UPDATE: April 12, 2024

Sisense has released additional guidance to customers regarding the incident beyond urging customers to reset API keys, tokens, and credentials used within Sisense application.

Sisense urged clients to specifically:

• Change all passwords associated with my.sisense.com
• Reset credentials in client-controlled databases and data model connection strings used within Sisense applications and services (https://docs.sisense.com/main/SisenseLinux/introduction-to-data-sources.htm?tocpath=Data%20Sources%7CConnecting%20to%20Data%20Sources%7C_____1)
• Reset any active User Param features (https://docs.sisense.com/main/SisenseLinux/personalization-parameters-for-live-data-sources.htm)
• Reset credentials leveraged for Active Directory synchronization (https://docs.sisense.com/main/SisenseLinux/Integrating-Active-Directory.htm)
• Rotate credentials for GIT integrations exposed to Sisense applications and services (https://docs.sisense.com/main/SisenseLinux/introduction-to-sisense-git-integration.htm)
• For B2D customers, leverage the API patch at api/v2/b2d-connection to update the B2D connection(https://docs.sisense.com/main/SisenseLinux/configuring-b2d-in-sisense.htm#Enabling)
• Rotate all keys associated with Sisense used within Infusion Apps (https://docs.sisense.com/main/SisenseLinux/enabling-infusion-apps.htm)
• Rotate all Web Access Tokens (https://docs.sisense.com/main/SisenseLinux/using-web-access-token.htm)
• Rotate all custom Email server connection credentials (https://docs.sisense.com/main/SisenseLinux/custom-email-servers.htm)
• Reset any secrets that appear in custom code Notebooks (https://docs.sisense.com/main/SisenseLinux/using-notebooks.htm)

ARC Labs and Binary Defense are actively monitoring a compromise of data associated with Sisense, a company that provides data analytic product and services. At this point, it is unknown if the Sisense’s network was compromised but independent researchers and government organizations indicate that data impacting Sisense has been discovered outside of an authorized space. Given the design of Sisense business model which provides companies the ability to integrate data analytics into various product and services in a modular fashion, the potential data exposure could be larger than those who directly work with Sisense.

The Sisense platform is designed to integrate customized analytics into applications, products, and services. Sisense also offers an SDK enabling developers to integrate Sisense analytics into various technology, tools, and platforms.

According to the Sisense website, Sisense has partnerships with various large software and product vendors indicating that organizations may be impacted by this data compromise through the integration of Sisense by a vendor into their product and services potentially.

As new information is released regarding the incident, ARC Labs and Binary Defense will make updates.

Recommend Immediate Action:

1. Perform an investigation to determine whether your organization uses Sisense directly or indirectly through an integration/implementation within a third-party product or service.
2. Reset any Sisense credentials (passwords, api keys, tokens, etc), including customer/partner portal access.
3. Reset credentials (passwords, api keys, tokens, etc) to any product/service that leverages or is exposed to Sisense services.
4. If you are using Sisense directly or indirectly, perform an audit of April activity associated with the user accounts and identities exposed to Sisense services and investigate any suspicious activity.

Sources:

@DarkWebInformer - alleged threat actor is selling root access to the panel containing 50TB of Sisense related data for $80,000

References:

https://www.cisa.gov/news-events/alerts/2024/04/11/compromise-sisense-customer-data