New Relic Staging Environment Attack
It’s December 2023, and unauthorized users are still accessing staging environments without being noticed.
Don’t believe me? Check out the report New Relic shared regarding the latest attack on their environment.
Wait, who is New Relic?
New Relic is a software company that provides observability solutions for cloud-based businesses. The company’s platform helps businesses collect, analyze, and visualize data from their applications, infrastructure, and user interactions. This data can be used to identify and resolve performance issues, improve user experience, and optimize resource usage.
What happened?
- The staging environment contained data about how customers use New Relic and certain logs, but not actual telemetry or application data.
- Two weeks prior to their December 1st update, an unauthorized actor gained access to New Relic’s staging environment through stolen credentials and social engineering.
- A small number of customer accounts were accessed with similar indicators of compromise (IOCs), potentially indicating stolen credentials from a separate attack.
- New Relic immediately responded by rotating passwords and removing user API keys for the affected accounts.
Why is it dangerous?
- Potential access to customer accounts: The attacker used stolen credentials to access several customer accounts. This is concerning because it indicates that the attacker may have obtained access to other customer accounts through other means.
- Unauthorized access to staging environment: The attacker gained access to New Relic’s staging environment, which contains data about how customers use New Relic and certain logs. This data could be used to gain insights into customer usage patterns and identify potential vulnerabilities.
- Potential for data exfiltration: The attacker may have tried to exfiltrate data from the staging environment or customer accounts.
How would an SSPM like Suridata potentially prevent such an incident?
New Relic integrates with numerous SaaS applications, acting as a third-party provider. This creates a complex and potentially vulnerable ecosystem.
Suridata could have helped prevent or mitigate the New Relic security incident in several ways:
Visibility and monitoring:
Suridata’s solution provides continuous and comprehensive visibility into the third-party applications that are connected to the core corporate applications. This could have helped New Relic’s customers detect unauthorized access much sooner and take action to prevent or control the incident.
Automated threat detection and response:
- Suridata’s solution utilizes advanced machine learning and analytics to detect suspicious activity and potential security threats. These capabilities could have helped New Relic’s customers identify if a malicious user or third-party app was accessing their data and take steps to mitigate the damage.
- Suridata’s automated response capabilities can help contain the attack quickly and revoke access to the New Relic plugin or application.
Improved Configuration Management:
Suridata’s solution can help ensure that all SaaS resources are properly configured and comply with security best practices. This could have helped to prevent the attacker from exploiting vulnerabilities in New Relic’s configuration.
Summary
In December 2023, New Relic, a software company offering observability solutions, experienced unauthorized access to its staging environment due to stolen credentials and social engineering. This exposed data about customer usage patterns and certain logs, prompting immediate action from New Relic, including password rotations and API key removal. While this incident highlights the persistent danger of unauthorized access, solutions like Suridata’s SSPM offer enhanced visibility, monitoring, automated threat detection and response, improved configuration management, and security posture insights, which could potentially have prevented or mitigated this attack.