The Federal Bureau of Investigation has issued a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.
The FBI said in an alert sent out last month, and made public this week on its website, that the intrusions have taken place since at least April 2020.
SonarQube is a web-based application that organizations integrate into their software development process for continuous inspection of code quality, so that security flaws can be discovered before code and applications are rolled out into production environments.
SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.
The FBI issued the alert specifically to warn SonarQube owners, as some companies have left these systems unprotected, running on their default configuration (on port 9000) with the default admin credentials.
According to FBI officials, some threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or sensitive applications.
The alert cites two incidents in which threat actors exploited this misconfiguration to carry out such an attack.
In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.
In July 2020, a similar data leak occurred in which an identified threat actor exfiltrated proprietary source code from enterprises through unsecured SonarQube instances and published the code on a self-hosted public repository.
Although the cyber-security industry may have forgotten about the dangers of leaving SonarQube applications exposed online with default credentials, some security researchers have been pointing it out since as far back as May 2018.
To prevent such leaks, the alert also lists mitigations that companies can take to protect their SonarQube servers:
- Change the default settings, including the default administrator username, password, and port (9000).
- Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
- Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
- Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
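A defender's check for the default settings the list above names, as an added example that is not taken from the FBI alert or from SonarSource's own code; it assumes the standard sonar.properties keys sonar.web.port, sonar.web.host and sonar.forceAuthentication, and both sample configurations are constructed for the demonstration:

```python
"""Audit a SonarQube sonar.properties file for the weak defaults the alert
describes: port 9000, listening on every interface, and authentication
not being forced. Added example, not code from the alert or from SonarQube."""
import re

# Constructed sample: defaults left untouched, as in the incidents above.
SAMPLE_WEAK = """
# sonar.web.host=0.0.0.0
# sonar.web.port=9000
sonar.forceAuthentication=false
"""

# Constructed sample: bound to localhost behind a reverse proxy, non-default
# port, and anonymous browsing disabled.
SAMPLE_HARDENED = """
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.forceAuthentication=true
"""


def parse_properties(text):
    """Parse Java-style key=value properties. Comments and blank lines are
    skipped, so a commented-out key counts as unset (built-in default applies)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(text):
    """Return the list of weak-default findings; an empty list means none."""
    p = parse_properties(text)
    findings = []
    # The default port applies when the key is absent or explicitly 9000.
    if p.get("sonar.web.port", "9000") == "9000":
        findings.append("default port 9000 in use")
    # The default bind address exposes the web UI on every interface.
    if p.get("sonar.web.host", "0.0.0.0") == "0.0.0.0":
        findings.append("listening on all interfaces (0.0.0.0)")
    # The built-in default for forced authentication varies by version, so
    # anything other than an explicit 'true' is treated as a finding.
    if p.get("sonar.forceAuthentication", "").lower() != "true":
        findings.append("sonar.forceAuthentication not set to true")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(cfg) or ["no weak defaults found"])
```

Run it against the instance's real sonar.properties to get the same three checks on a live configuration.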