SiSense Attack, 2012 and Keys to Kingdom
Keys to the kingdom: I have kept using this term since my days working on session-hijacking attacks and their prevention on Bankofamerica.com, back in 2012. At that time the cookies flowing from .bankofamerica.com to users' browsers were the keys, which a user could use to reach any service within bankofamerica.com, such as accounts, payments, transfers, mortgages and so on. The technology powering this seamless navigation from one application to another was SSO, where the policy decision was made at the front door, a web server proxying the application servers that hosted these applications. Once a user got past the front door, he or she had access to all of these applications; in other words, if a user had a session cookie in a browser communicating with Bankofamerica.com web servers, that user had access to all of these applications.
1. 2012 and Session Cookies
In 2012 the SSO was done via these session cookies, and attackers around the world looked for vulnerable browsers and web servers to steal these cookies, replay them against bankofamerica.com, gain access to the user's resources (accounts etc.) and perform actions on their behalf, such as moving money out of their accounts.
Moving money out of accounts sounds very similar to moving data out of S3 buckets.
It sounds like an exfiltration or ransomware situation, where a rogue entity gets hold of user data stored in cloud storage such as AWS S3. Somehow the attackers not only gain access to the storage but are also able to make changes to it: copying the data to their own storage, or encrypting it so that the owner can't use it. If the data is critical for the business, the attacker can exploit the owner's position and demand payment; attacks of that kind are usually called ransomware attacks.
2. Coming to the present (April 2024)
On April 11, 2024, CISA (the US cyber security agency) reported a cyber attack on the data analytics company SiSense (which provides AI data analytics services to organizations such as Philips Healthcare, Verizon, Nasdaq, Air Canada and hundreds more) that caused a breach of its customers' data. The agency urged all Sisense customers to reset credentials and data “potentially exposed to, or used to access, Sisense services” while also investigating and reporting “any suspicious activity” involving exposed credentials to CISA.
SiSense had to tell its customers to reset their passwords, access tokens and any other keys they were using to connect to SiSense. Why would they say that? Again, these access keys are like keys to the kingdom: the attack exposed them to rogue users, who can use them to break through the perimeter, access private resources such as data, and then use that position to make SiSense fall for their demands.
3. Commonalities and deep dive
Now, what is common between the 2012 Bankofamerica.com attacks and today's ransomware attacks? In most cases, in both scenarios, a key to the kingdom is compromised; using this key the attacker gains initial access, persists in the environment and then applies his tactics to exploit it. More on attacker tactics, techniques and common knowledge is at MITRE ATT&CK.
Now let's do a deep dive on the SiSense attack. While in the case of BankofAmerica.com it was a session cookie stolen from vulnerable clients or servers, in the case of SiSense the credentials made their way into GitLab repos. GitLab repos are code repositories, similar to GitHub: developers check their code in there, which keeps the code version-controlled, maintains its integrity and makes changes easily auditable.
What went wrong at SiSense: SiSense used the on-prem (self-managed) version of GitLab, and its developers checked in their code using that instance. Note that a SaaS version of GitLab is also available to SiSense; that would be a managed service, and had SiSense used it they would not have had to operate the service themselves, GitLab would do it for them. SiSense could simply consume the service and keep running its operations. (Just context on self-managed vs SaaS to enrich this article and bring one point to the foreground: why did SiSense end up running GitLab on-prem instead of offloading it to GitLab?)
Moving on from GitLab and coming back to the developer who checked in the hard-coded secrets (Access Key ID/Secret), which were then grabbed by the attackers.
The key checked in by the developer happened to have policies attached to it that gave the attacker a broad level of access, which he used to infiltrate the SiSense network and encrypt or exfiltrate the data. Imagine the attacker learns about a key, gets hold of it and, by enumerating, finds out that it has blanket admin access. What will he do now? Heard about MITRE ATT&CK? I will deep dive into that in upcoming blogs.
But for now, let's focus on the SiSense attack. The attacker acquired the keys to the kingdom and exercised the power he had acquired. (This is what could plausibly have happened in the SiSense environment.)
5. What could have been done
A couple of things:
Tactically - Tokens/credentials should not be checked in at all. The supply chain (the CI/CD pipelines at SiSense) should detect hard-coded credentials as they are being pushed into repos and block them.
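As an added illustration (not SiSense's or GitLab's own tooling), here is the kind of minimal CI gate that paragraph calls for: it scans a pushed change for hard-coded AWS access keys and refuses the push when one is found. The sample diff is constructed, and its credential values are the placeholder keys from the AWS documentation, not real secrets.

```python
import math
import re
from collections import Counter
from typing import NamedTuple

# Documented shape of an AWS access key ID: AKIA/ASIA followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# A bare 40-char token is noisy, so require a secret-ish keyword shortly before it.
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret(?:_access)?_key|secret)\W{0,20}"
    r"(?<![A-Za-z0-9/+=])([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_ENTROPY = 3.5  # bits/char; real secrets score well above this, filler strings below

class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # first four chars only, so the CI log never echoes the secret

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for a run of one repeated character."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def scan_for_aws_credentials(text: str) -> list[Finding]:
    """One Finding per credential-looking value in the pushed text, in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", m.group(0)[:4] + "****"))
        for m in SECRET_KEY.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_ENTROPY:  # drop 'aaaa...' style placeholders
                findings.append(Finding(line_no, "aws_secret_access_key", m.group(1)[:4] + "****"))
    return findings

def gate(text: str) -> int:
    """Exit status for the pipeline step: 1 blocks the push, 0 lets it through."""
    findings = scan_for_aws_credentials(text)
    for f in findings:
        print(f"BLOCKED line {f.line_no}: {f.kind} {f.redacted}")
    return 1 if findings else 0

# Constructed sample diff of the mistake above; the key values are AWS documentation placeholders.
SAMPLE_DIFF = """\
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+PLACEHOLDER_SECRET = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+REGION = "us-east-1"
"""

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_DIFF))
```

In a pipeline the script would read `git diff` output on stdin and its exit status would fail the job; the entropy check is what keeps documented placeholders from tripping it.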
Strategically - Instead of putting all the focus on protecting the keys, which will eventually be stolen, the focus should be on protecting the kingdom. I believe in two things:
A comprehensive threat hunting/threat modeling program that can bubble up these vulnerabilities as they appear in the systems; in this case, a mature threat hunting program could have identified the weaknesses around code check-ins.
Zero Trust - Assume the secrets are stolen, the horse is out of the barn. Now think about protecting and authorizing each request, not with blanket trust but with verification based on identity, network and behavior.
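To make the "blanket admin access" point from the deep dive and the Zero Trust point above concrete, here is an added example (not SiSense's or AWS's tooling) that audits an AWS IAM policy document for the traits that turn a leaked access key into a key to the kingdom, beside a scoped alternative. Both policies are constructed; `aws:SourceVpce` is a real IAM global condition key, and the endpoint id is a placeholder.

```python
from typing import Any

def as_list(value: Any) -> list:
    """IAM allows Statement/Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def assess_policy(policy: dict) -> list[str]:
    """Return one message per way an Allow statement is wider than least privilege."""
    issues = []
    for i, st in enumerate(as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = as_list(st.get("Action", []))
        resources = as_list(st.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        wild_resource = "*" in resources
        if wild_action and wild_resource:
            issues.append(f"statement {i}: blanket access, every action on every resource")
        elif wild_action:
            issues.append(f"statement {i}: every action of a service on {resources}")
        elif wild_resource:
            issues.append(f"statement {i}: {actions} allowed on every resource")
        # Zero Trust angle: without a Condition the key alone is the whole authorization decision.
        if not st.get("Condition"):
            issues.append(f"statement {i}: no Condition, so a stolen key works from any network")
    return issues

# Constructed policies. The first is the 'blanket admin' shape; the second scopes the same
# key to one bucket and to requests arriving through one VPC endpoint (network verification).
BLANKET_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-analytics-bucket", "arn:aws:s3:::example-analytics-bucket/*"],
        # aws:SourceVpce is a real condition key; the endpoint id below is a placeholder.
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
}

if __name__ == "__main__":
    for name, pol in (("blanket", BLANKET_ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, assess_policy(pol) or ["ok"])
```

Run against the policies attached to long-lived access keys, the audit flags exactly the keys whose theft would hand over the kingdom, which is where a threat hunting program should start.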
While the Internet and enterprises fight ransomware battles every day, I hope that with advances in Gen AI defenders will become more and more powerful and able to stop these attacks well before they infect enterprises deeply.
My writings are fueled by your readings and acknowledgments. So... please subscribe, like and reshare.