Nine days after issuing a vaguely worded warning about a possible cyber security incident, web tracking and analytics outfit New Relic has revealed a two-front attack.
One front was the vendor’s staging systems, which it has admitted were compromised in mid-November after an “unauthorized actor used stolen credentials and social engineering in connection with a New Relic employee account.”
The invader was “able to view certain data pertaining to our customers’ use of New Relic,” the vendor’s advisory explains.
“There is no indication of lateral movement from our staging environment to any customers’ New Relic accounts in the separate production environment or to New Relic’s production infrastructure,” the advisory adds.
The second front is … you, possibly.
“Over the course of our investigation, we observed similar indicators of compromise (IOCs) accessing a small number of customers’ New Relic accounts,” the advisory reveals.
New Relic has, therefore, rotated passwords and removed API keys for accounts it believes may have been attacked.
“Based on our investigation to date, there is no evidence to suggest the identified log-in credentials were acquired as a result of the attack on New Relic’s staging environment,” the advisory states. Instead, the creds were “harvested in recent large-scale social engineering and credential compromise attacks, which may have put these New Relic user accounts at risk.”
Customers whose use of New Relic was detailed in data in the staging environment, and/or whose accounts may have been probed, will hear from the analytics outfit about what to do next.
New Relic hasn’t said the advisory is the last word on the matter. Indeed, the December 1 update is described as being the result of “considerable progress in our investigation” that put the business “in a more informed position to share with our customers additional details about the ongoing investigation and what we have learned.” The investigators continue to work with third-party infosec consultants and forensics firms “to unpick the incident.”
The vendor has already made some changes, revealing that its security team has “taken steps to implement additional layers of technical controls, enhance network access controls, and eliminate the attack method used to access New Relic’s staging environment.”
“We have taken this opportunity to further harden access controls and credential theft defenses, leveraging an industry-leading security toolset,” the advisory continues, adding that New Relic has “increased capacity to monitor security across our entire enterprise, all in order to ensure comprehensive visibility into our security posture.” ®