
Federal Source Code Accessed Via Misconfigured SonarQube

FBI: Hackers Exploiting Configuration Vulnerabilities To Gain Access

The FBI has issued a flash alert warning that unidentified threat actors are actively targeting vulnerable SonarQube instances to access source code repositories of U.S. government agencies and private businesses.


The agency notes that since April hackers have been exploiting known configuration vulnerabilities in SonarQube instances to gain access, exfiltrate proprietary code and then publicly post the data. The FBI alert was originally distributed to organizations as a private alert in October, but was published publicly on Tuesday through the bureau's Internet Crime Complaint Center.

SonarQube is an open-source platform for automated code quality auditing and static analysis that is used to discover bugs and security vulnerabilities in application projects. It analyzes code written in more than 20 programming languages to check for software flaws.

"In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks," the FBI alert notes.

An instance in this case refers to "a collection of SQL server databases run by a single SQL Server service."

The FBI identified multiple potential computer intrusions that correlate to leaks associated with the SonarQube configuration vulnerabilities, according to the alert.

Gaining Access to SonarQube

The FBI notes that during the initial attack phase, threat actors scanned the web for SonarQube instances exposed to the open internet using the default port (9000) and a publicly accessible IP address. Next, hackers used default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances, according to the alert.

The FBI has observed source code leaks associated with insecure SonarQube instances since at least April. The main targets for the threat actors are federal government agencies and private companies in the technology, finance, retail, food, e-commerce and manufacturing sectors, according to the alert.

The FBI notes that the activity was similar to a previous data leak in July where unidentified hackers exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the stolen source code on a self-hosted public repository (see: Intel Investigating Possible Leak of Internal Data).

In May, a massive leak of Nintendo data, including source code for older gaming systems, prototypes of games and extensive software and hardware documentation created havoc among gamers (see: Nintendo Source Code for N64, Wii and GameCube Leaked).

The leaked material included source code for the Wii, N64 and GameCube systems as well as demo games for the N64. Also leaked were extensive hardware and software engineering documents as well as software development kits.

Recommended Mitigations

As part of its alert, the FBI is warning both government and non-government users of SonarQube to follow several steps to ensure any instances that they are using are secure. This includes:

  • Changing the SonarQube default settings, including the administrator username, password, and port (9000);
  • Constantly monitoring SonarQube instances to check if unauthorized users have accessed them;
  • Revoking access to any application programming interface keys or other credentials that were exposed in a SonarQube instance;
  • Configuring SonarQube instances to sit behind the organization's firewall and other perimeter defenses to prevent unauthenticated access.
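The second mitigation, monitoring an instance for access by unauthorized users, can be started from SonarQube's own access log. The script below is an added example and is not part of the FBI alert or of SonarQube; it assumes the default access log pattern (`sonar.web.accessLogs.pattern`, the common-log-style format shown in the comment), runs over constructed sample lines, and treats the two private ranges in `TRUSTED_NETS` as the organization's internal networks.

```python
import ipaddress
import re
from typing import Dict, List

# Assumed default SonarQube access.log pattern (sonar.web.accessLogs.pattern):
# %h %l %u [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<reqid>[^"]*)"$'
)

# Constructed sample lines (not real traffic): one internal login, one login
# from a public address followed by project enumeration, one failed attempt.
SAMPLE_LOG = """\
10.0.3.17 - - [10/Nov/2020:09:14:02 +0000] "POST /api/authentication/login HTTP/1.1" 200 - "-" "Mozilla/5.0" "AXW1"
203.0.113.45 - - [10/Nov/2020:09:15:11 +0000] "POST /api/authentication/login HTTP/1.1" 200 - "-" "python-requests/2.24.0" "AXW2"
203.0.113.45 - - [10/Nov/2020:09:15:13 +0000] "GET /api/projects/search?ps=500 HTTP/1.1" 200 8831 "-" "python-requests/2.24.0" "AXW3"
198.51.100.9 - - [10/Nov/2020:09:16:40 +0000] "POST /api/authentication/login HTTP/1.1" 401 - "-" "curl/7.68.0" "AXW4"
"""

# Assumed internal address space; an instance behind the firewall should only
# ever see logins from here.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_external_logins(log_text: str) -> List[Dict[str, str]]:
    """Return successful logins (POST /api/authentication/login answered 200)
    from addresses outside TRUSTED_NETS, with how many further requests that
    address made afterwards in the same log."""
    parsed = [m for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]
    hits = []
    for m in parsed:
        if (m["method"] == "POST" and m["path"].startswith("/api/authentication/login")
                and m["status"] == "200" and not is_trusted(m["ip"])):
            follow_ups = sum(1 for o in parsed if o["ip"] == m["ip"] and o["reqid"] != m["reqid"])
            hits.append({"ip": m["ip"], "time": m["ts"], "user_agent": m["ua"],
                         "later_requests": str(follow_ups)})
    return hits


if __name__ == "__main__":
    for hit in find_external_logins(SAMPLE_LOG):
        print("external login:", hit)
```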

About the Author

Prajeet Nair


Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
