Sisense Data Breach: What You Need to Know

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning Sisense customers of a data breach that could result in lateral movement to connected data sources.
Varonis Threat Labs
2 min read
Last updated April 19, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning Sisense customers of a data breach. The agency advised all Sisense customers to "reset credentials and secrets potentially exposed to, or used to access, Sisense services" and report any suspicious activity.

Sisense's CISO echoed this message, advising customers: "Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application."

Sisense makes business intelligence products that allow customers to build custom dashboards by connecting to multiple third-party services.

IMPORTANT: The data stolen from Sisense includes credentials, tokens, and access configurations. Therefore, not only is the data stored within Sisense at risk, but data in each connected service may also be at risk. This includes cloud services such as Salesforce, Azure Blob, Amazon S3, Amazon RDS, GitHub, Google, Box, and many others.

Sisense can also establish JDBC and SSH connections to data sources on unmanaged or on-premises servers.

What does this mean for my organization?

If you are a Sisense customer, your Sisense credentials may have been compromised, giving bad actors access to data stored in your Sisense instance. Sisense has not confirmed precisely which data was stolen, and the nature of the data at risk will likely vary from customer to customer, depending on what they use Sisense for. Typical dashboards contain financial data, PII, customer data, HR data, and more.

Keep in mind that some Sisense integrations use OAuth and app keys to connect to third-party systems while others require a simple username and password. 

We advise Sisense customers to:

  • Reset credentials used to access Sisense products.
  • Reset credentials stored in Sisense for data integrations.
  • Restrict integration access to the Sisense IPs (107.23.195.228 and 54.236.224.46) to lower the risk of data exfiltration.
    • For self-hosted databases and SSH tunnels, limit user connections to the above IPs.
    • For cloud-hosted data sources (e.g., AWS or Azure), put a policy in place to restrict Sisense's cloud identity to act from the above IPs.
  • Search for Sisense integrations and users performing activity from IPs other than 107.23.195.228 and 54.236.224.46 (or other approved internal IPs) in integrated data sources and services including databases and cloud providers.
  • Look for anomalous users or resources created by Sisense integration users.
  • Review logs from at least a month back in your Sisense products, connected apps, and connected data sources.
  • Review actions performed by integration keys and credentials used for Sisense data integrations.
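The IP restriction, the off-allow-list search, the check for resources created by integration users, and the one-month look-back above can be combined into a single review pass over cloud audit logs. The Python below is an added example written for this post, not Varonis or Sisense code: it builds an AWS IAM deny policy keyed on the two Sisense IPs (aws:SourceIp with NotIpAddress is a standard IAM condition), then runs the detection logic over a handful of constructed CloudTrail-style records. The internal 10.20.0.0/16 range, the principal name sisense-integration, and all sample events are assumptions made up for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Sisense egress IPs named in the advisory. The internal range is a constructed
# placeholder standing in for "other approved internal IPs".
SISENSE_IPS = ["107.23.195.228", "54.236.224.46"]
APPROVED_INTERNAL = ["10.20.0.0/16"]  # constructed example range
ALLOWED_NETWORKS = [ipaddress.ip_network(c) for c in SISENSE_IPS + APPROVED_INTERNAL]

# Real CloudTrail eventName values that create or extend access; these are
# flagged even when they come from an allow-listed IP.
PERSISTENCE_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "CreateRole",
    "AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy",
}


def build_source_ip_deny_policy(allowed_cidrs):
    """IAM policy denying every action unless the request comes from allowed_cidrs.

    Attach it only to a principal dedicated to Sisense: calls made through VPC
    endpoints carry no public aws:SourceIp and would be denied as well.
    """
    cidrs = [str(ipaddress.ip_network(c)) for c in allowed_cidrs]
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyOutsideSisenseEgress",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def flag_suspicious_events(events, integration_principals, allowed_networks, since):
    """Return events by Sisense integration principals that come from an IP
    outside allowed_networks or that create users/keys/roles.
    Events older than `since` are skipped (the look-back window)."""
    findings = []
    for ev in events:
        when = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        if when < since:
            continue
        principal = ev.get("userIdentity", {}).get("userName")
        if principal not in integration_principals:
            continue
        reasons = []
        src = ev.get("sourceIPAddress", "")
        try:
            ip = ipaddress.ip_address(src)
            if not any(ip in net for net in allowed_networks):
                reasons.append("off-allowlist-ip")
        except ValueError:
            # Non-IP values such as "s3.amazonaws.com" mean an AWS service acted
            # on the principal's behalf; surface them for manual review.
            reasons.append("non-ip-source")
        if ev.get("eventName") in PERSISTENCE_EVENTS:
            reasons.append("resource-created")
        if reasons:
            findings.append({
                "eventTime": ev["eventTime"],
                "eventName": ev.get("eventName"),
                "principal": principal,
                "sourceIPAddress": src,
                "reasons": reasons,
            })
    return findings


# Constructed sample CloudTrail records (not real logs).
SAMPLE_EVENTS = [
    {"eventTime": "2024-04-10T02:15:11Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "sisense-integration"},
     "sourceIPAddress": "107.23.195.228"},
    {"eventTime": "2024-04-10T02:16:40Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "sisense-integration"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-04-10T02:18:03Z", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "sisense-integration"},
     "sourceIPAddress": "198.51.100.77"},
    {"eventTime": "2024-04-10T09:00:00Z", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "analyst-jane"},
     "sourceIPAddress": "203.0.113.5"},
    {"eventTime": "2024-04-11T14:30:00Z", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "sisense-integration"},
     "sourceIPAddress": "10.20.4.9"},
    {"eventTime": "2024-02-01T00:00:00Z", "eventName": "ListBuckets",
     "userIdentity": {"type": "IAMUser", "userName": "sisense-integration"},
     "sourceIPAddress": "198.51.100.77"},
]

REVIEW_SINCE = datetime(2024, 3, 19, tzinfo=timezone.utc)  # one month back from this post


def run_sample():
    return flag_suspicious_events(SAMPLE_EVENTS, {"sisense-integration"},
                                  ALLOWED_NETWORKS, REVIEW_SINCE)


if __name__ == "__main__":
    import json
    print(json.dumps(build_source_ip_deny_policy(SISENSE_IPS), indent=2))
    for finding in run_sample():
        print(finding)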

Sisense’s CISO sent an update to customers with a list of suggested actions (source: @marcwrogers): 

Figure 1: Screenshot of the email Sisense's CISO sent to customers with detailed instructions on how to mitigate the risk of this data breach.

What happened?

Sisense has not confirmed how the breach happened. According to Brian Krebs, trusted sources close to the investigation indicated that the attack flow looked something like this:

  • Attacker accessed Sisense's GitLab instance
  • Found credentials to Sisense's AWS account in a GitLab repository
  • Accessed Sisense’s AWS account and downloaded multiple terabytes of S3 data including credentials, tokens, and configs
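The second step in that flow, long-term cloud credentials sitting in a source repository, is the one a defender can check for directly. The Python below is an added example for this post, not code from Sisense, Varonis, or the investigation: it scans file contents for the well-known AWS access key ID format and for a 40-character secret assigned under an aws_secret_access_key-style name, and reports file and line while masking the secret. The sample files are constructed, and the key pair they contain is the placeholder pair AWS publishes in its own documentation.

```python
import os
import re

# AWS long-term access key IDs start with AKIA (ASIA for temporary keys) and
# are followed by 16 uppercase alphanumerics.
ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A bare 40-char base64-ish string matches far too much on its own, so the
# secret is only reported when it sits next to a telling variable name.
SECRET_KEY = re.compile(
    r"(?i)aws[_-]?secret[_-]?access[_-]?key\W{0,5}['\"]?([A-Za-z0-9/+=]{40})"
)
SKIP_DIRS = {".git", "node_modules", "vendor"}


def mask(secret):
    """Keep only the ends so a report never reproduces the full secret."""
    return secret[:4] + "..." + secret[-4:]


def scan_text(text, path="<memory>"):
    """Return one finding per credential-looking match, with file and line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_access_key_id", "match": m.group(0)})
        for m in SECRET_KEY.finditer(line):
            findings.append({"path": path, "line": lineno,
                             "kind": "aws_secret_access_key", "match": mask(m.group(1))})
    return findings


def scan_mapping(files):
    """Scan an in-memory {path: contents} mapping (used for the sample below)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(text, path))
    return findings


def scan_tree(root):
    """Walk a checked-out repository on disk, skipping vendored and VCS dirs."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(fh.read(), full))
            except OSError:
                continue
    return findings


# Constructed sample repository; the key pair is AWS's documented example pair.
SAMPLE_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": "Set AWS_ACCESS_KEY_ID in your environment; never commit it.\n",
}


if __name__ == "__main__":
    for finding in scan_mapping(SAMPLE_FILES):
        print(finding)
```

Run scan_tree against a local clone in CI and fail the build on any finding; the regexes here cover only AWS keys, so a production pipeline should use a maintained scanner with rules for the other providers listed above (Salesforce, Azure, GitHub, Google, Box).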


How can Varonis help?

If you are using Varonis to monitor services that are connected to Sisense such as Salesforce, AWS, Azure, Google Workspace, Box, etc., many of our existing threat models will help detect abnormal behavior stemming from malicious use of credentials stored in Sisense:

  • Abnormal service account behavior
  • Potential ticket harvesting attacks
  • Account enumeration
  • Abnormal access to sensitive and idle data
  • Unusual upload/download activity

These models also apply to customers using Varonis to monitor local resources like Linux servers, Windows machines, and Active Directory.

If you have our network monitoring product and are using Varonis' cloud-hosted offering, our Threat Labs team has already performed a threat hunt, using the Varonis logs to look for communication between your infrastructure and Sisense IP addresses and will reach out if needed.

If you are a Sisense customer and want assistance hunting for IOCs in data sources that are connected to Sisense, please reach out to our team.
