New Relic says customer accounts were breached, but not via the hack of its staging environment...
Hackers gained access to an employee account and pivoted to a staging environment, but did not move laterally, company says.
New Relic says hackers breached a staging environment in a recent attack, gaining access to “certain data” about how customers use its software.
Investigating the attack, it also identified customer breaches.
It says the attack was contained to that environment and that “telemetry and application data sent to New Relic by our customers in their use of the New Relic platform does not reside in our staging environment.”
Investigating the attack, which came after attackers gained access to the credentials of an employee at the $6.5 billion application performance and monitoring company, New Relic said it spotted similar indicators of compromise for “a small number of customers’ New Relic accounts.”
“Out of an abundance of caution, we proactively responded by rotating passwords and removing user API keys for the suspected compromised user accounts,” the company said, adding that “based on our investigation to date, there is no evidence to suggest the identified log-in credentials were acquired as a result of the attack on New Relic’s staging environment.”
"It appears the credentials were harvested in recent large-scale social engineering and credential compromise attacks," New Relic said, without sharing any detailed Indicators of Compromise (IOCs).
The update comes nine days after New Relic left customers on tenterhooks with a detail-thin post on November 22 that said it had suffered a “recent cybersecurity incident that we are working diligently to investigate with the support of third-party cybersecurity experts.”
New Relic, which competes with the likes of Dynatrace and Datadog on observability, serves around 15,000 enterprise customers globally and has revenues of ~$1 billion annually. It employs approximately 2,700 staff. New Relic says its SaaS platform queries four trillion data points per minute for customers, and serves 160+ billion web requests daily.
The company said that the initial breach came after the attacker used “stolen credentials and social engineering” to gain access to a New Relic employee account. It offered few further details about the staging environment.
The company said on December 1 that it had “taken this opportunity to further harden access controls and credential theft defenses, leveraging an industry-leading security toolset,” adding that “we have also increased capacity to monitor security across our entire enterprise, all in order to ensure comprehensive visibility into our security posture.”
It added that it "offers automatic controls over how users are added to New Relic, how they're managed, and how they log in" with "SAML, SSO, and SCIM provisioning, which is available here. Additionally, customers configured with SAML, SSO, and SCIM, are strongly encouraged to enable MFA. If you are not taking advantage of these features, avoid reusing passwords and ensure that you regularly rotate your passwords."
It urged customers to "remain vigilant and monitor your account for suspicious activity... Customers should also use automatically generated meta-events, such as NrAuditEvent and NrdbQuery to understand what actions your users are taking and which telemetry they are querying. Additionally, we encourage you to review our Security bulletins and Security guides for best practices."