New Relic’s Security Incident
Updated by Keith Kirkland
High Level Summary of the Security Advisory
New Relic offers a suite of tools covering everything from managing application performance and monitoring infrastructure to aiding in cloud migration. Their solutions provide in-depth insights into software performance, enabling businesses to improve their digital operations, troubleshoot effectively, and uplift the overall user experience.
On November 22, 2023, and again on December 1, 2023, New Relic issued advisories confirming the detection of unauthorized access to their staging environment. This environment grants visibility into how customers utilize New Relic and certain logs.
Following the investigation, New Relic found that the unauthorized access stemmed from the use of stolen credentials and social engineering linked to a New Relic employee account. This granted access to their staging environment, enabling the viewing of specific data related to how customers use New Relic. Importantly, there's no evidence of this access extending from the staging environment to customers' New Relic accounts or to New Relic's production infrastructure.
New Relic has confirmed that their measures successfully contained the unauthorized access to the staging environment, and no further unauthorized activity has been detected there.
In their advisory, New Relic further detailed their swift response upon learning of the incident. They immediately initiated actions to evaluate the integrity of their internal applications, systems, and infrastructure. Activating their incident response plan, they enlisted multiple third-party cybersecurity experts to conduct an extensive investigation into the incident's impact on both customers and their business. Additionally, New Relic confirmed that their operations remained uninterrupted, assuring customers that their ability to serve was unaffected and continued without disruption throughout the incident.
According to the advisory, New Relic promptly revoked access to the compromised employee account within their security team. They've since taken measures to reinforce their security framework, introducing extra technical controls, fortifying network access management, and closing the vulnerability that facilitated the unauthorized entry into New Relic's staging environment. To support their ongoing investigation, they've maintained collaboration with leading cybersecurity experts and forensic firms.
New Relic has shared additional details regarding potential access to customer accounts identified during their investigation. Throughout their inquiry, they noticed similar indicators of compromise (IOCs) accessing a limited number of customers’ New Relic accounts. Taking a proactive stance, they opted to rotate passwords and remove user API keys from the potentially compromised user accounts as a precautionary measure. However, their investigation hasn't found evidence indicating that the identified login credentials were obtained due to the attack on New Relic’s staging environment. Instead, it appears that these credentials might have been obtained in recent large-scale social engineering and credential compromise attacks, potentially putting these New Relic user accounts at risk. In cases where such suspected access has been identified, New Relic is actively reaching out to these customers.
Should I be concerned?
Maybe. It depends on whether you have a relationship with New Relic. Click on the link below to find out if you have a relationship with this vendor. If you do, follow the recommendations below.
Note: this link specifically references vendor directory records. You may also want to search your Relationship List for "New Relic" to confirm.
What to do if you or your vendors have an active relationship with New Relic
As stated in the advisory, New Relic ensured that all affected customers have been notified of the recommended steps.
New Relic has additionally provided customers with essential recommendations to avoid credential-based compromises. They emphasize their offerings, including automated controls for user management, login procedures, and the provision of SAML, SSO, and SCIM features, available here.
They strongly advocate that customers already configured with these features also enable MFA for added security. For those not utilizing these features, New Relic advises against password reuse and encourages regular password rotation as a security measure.
New Relic has additionally advised customers to maintain a vigilant approach by monitoring their accounts for any suspicious activities. They suggest regular audits of changes made within the New Relic environment, especially when unusual activity is suspected. New Relic emphasizes that these functionalities are easily accessible to all customers. They also recommend leveraging automatically generated meta-events like NrAuditEvent and NrdbQuery to track user actions and telemetry queries.
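One way to act on the audit recommendation above is to export NrAuditEvent results for a baseline window and a review window, then flag review-window activity from users or source addresses the baseline never saw. The sketch below is an added example, not code from New Relic or from this notice; the field names (actorEmail, actorIpAddress, actionIdentifier, timestamp), the "example.*" action values and all sample rows are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like exported NrAuditEvent query results.
# Field names and the "example.*" action values are assumptions for illustration.
def ev(ts, actor, ip, action):
    return {"timestamp": ts, "actorEmail": actor,
            "actorIpAddress": ip, "actionIdentifier": action}

BASELINE = [
    ev(1700000000, "alice@example.com", "198.51.100.10", "example.dashboard.update"),
    ev(1700003600, "bob@example.com", "198.51.100.22", "example.alert.update"),
]
REVIEW = [
    ev(1701000300, "alice@example.com", "203.0.113.77", "example.api_key.create"),
    ev(1701000000, "alice@example.com", "198.51.100.10", "example.dashboard.update"),
    ev(1701000600, "carol@example.com", "203.0.113.77", "example.user.update"),
    ev(1701000900, None, "203.0.113.77", "example.user.update"),
]

def known_ips(events):
    """Map each actor to the set of source IPs seen in the baseline window."""
    seen = defaultdict(set)
    for e in events:
        if e.get("actorEmail") and e.get("actorIpAddress"):
            seen[e["actorEmail"]].add(e["actorIpAddress"])
    return seen

def triage(baseline, review):
    """Return (reason, event) pairs for review-window events that need a look."""
    seen = known_ips(baseline)
    findings = []
    for e in sorted(review, key=lambda r: r["timestamp"]):
        actor, ip = e.get("actorEmail"), e.get("actorIpAddress")
        if not actor or not ip:
            reason = "unattributed"        # cannot be tied to a user and address
        elif actor not in seen:
            reason = "actor-not-in-baseline"
        elif ip not in seen[actor]:
            reason = "new-ip-for-actor"
        else:
            continue                       # known actor from a known address
        findings.append((reason, e))
    return findings

if __name__ == "__main__":
    for reason, e in triage(BASELINE, REVIEW):
        print(reason, e["actorEmail"], e["actorIpAddress"], e["actionIdentifier"])
```

A finding is a prompt for review rather than proof of compromise: a new address may simply be a user on a different network, so compare it against SSO or VPN records before rotating credentials.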
Moreover, New Relic encourages customers to review their Security bulletins and Security guides for implementing best practices in security. New Relic has also requested customers to open a support case under the security category or reach out to their customer support team at supportforum@newrelic.com for any additional queries.
--------------------------------------------------------------
We are actively working on future product enhancements related to these types of events. If you found this information helpful or have additional feedback please let us know at product@visotrust.com.
For any additional questions, please reach out to your customer success manager.
The VISO TRUST team