Blog April 11, 2024

Cyberattack at Sisense Puts Critical Infrastructure on Alert

by Tarek Marji, Senior Staff Engineer, INFOSEC

SecurityScorecard’s Threat Research STRIKE Team is investigating breaking news of a large-scale cyberattack on Sisense, a major business analytics software company used by both the private and public sectors. 

 

The cybersecurity community woke up on Thursday to news of a cyberattack on Sisense, a major business analytics software company. It’s thought that the breach may have exposed hundreds of Sisense’s customers to a supply chain attack and provided the attacker with a door into the networks of the company’s customers.

While the details of the attack are still emerging, according to the Cybersecurity and Infrastructure Security Agency (CISA), the incident also affects critical infrastructure sector organizations in the United States. As a result, the agency is working with partners in the private sector to assess its impact. 

Though the cyberattack on Sisense is still developing, it does highlight the concentration of risk in the greater supply chain. Recent attacks on Change Healthcare and MOVEit both point to the widespread impact of a single incident on the greater digital ecosystem. 

 

 

Critical infrastructure in the crosshairs

U.S. critical infrastructure has long been a target for nation-state threat actors and other cybercriminal groups. For instance, late last year, SecurityScorecard researchers found that 90% of the largest global energy companies have experienced a third-party breach in the past 12 months. This research highlights the uphill battle faced by many critical infrastructure agencies in combating emerging threats across the supply chain.

 

Third-party risk increasingly prevalent

Third-party cyber risk is one of the biggest threats today, with many of the recent major breaches resulting from a single vulnerability. SecurityScorecard’s recent Global Third-Party Cyber Breach report found that more than 29% of all breaches are attributable to a third-party vector. And our joint research with the Cyentia Institute found that 98% of organizations have a relationship with at least one third party that has experienced a breach in the last two years.

Protecting critical infrastructure is essential to ensuring the safety of civilians, maintaining essential services, and fostering trust. Therefore, companies in all areas of critical infrastructure would benefit from the following:

  • Developing an incident response plan
  • Identifying vulnerable spots and outdated systems
  • Implementing strict access controls
  • Establishing backup systems and redundancies
  • Establishing clear channels of communication

For further guidance and best practices, please read SecurityScorecard’s 2023 report: “Addressing the Trust Deficit in Critical Infrastructure.”

 

News of the incident began circulating after cybersecurity journalist Brian Krebs published this note from Sisense Chief Information Security Officer Sangram Dash.

 

Immediate recommendations for Sisense customers 

CISA is urging all Sisense customers to reset any credentials, while the CISO of Sisense, Sangram Dash, issued this statement: “Out of an abundance of caution, and while we continue to investigate, we urge you to promptly rotate any credentials that you use within your Sisense application.” Customers should report any suspicious activity involving potentially exposed credentials or unauthorized access to Sisense services to CISA.

Organizations may also want to take these additional steps to secure their environments: 

  • Conduct an internal investigation to assess any impact
  • Notify all customers who may be affected by this security incident 
  • Rotate cloud service account tokens used by Sisense; organizations should also rotate their personal user tokens within the Sisense portal
  • Revoke Sisense access to internal systems and remove any and all customer data from the Sisense platform

Customers of Sisense should also closely monitor the situation and evaluate their exposure. Sisense recommends rotating any credentials out of an abundance of caution. 

This is a developing story; stay tuned for updates from SecurityScorecard.

 

 

 
