28 October 2020

FBI: Hackers target misconfigured SonarQube instances to steal government source code


The Federal Bureau of Investigation (FBI) has released a flash alert warning of hackers exploiting insecure SonarQube instances in order to get their hands on source code repositories of US government agencies and private companies.

SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.

The FBI said malicious actors exploit known configuration vulnerabilities to gain access to proprietary code repositories owned by government entities and by private businesses in the technology, finance, retail, food, eCommerce, and manufacturing sectors, then steal the source code and leak it online.

“The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities,” the agency said.

Vulnerable SonarQube servers have been actively exploited by attackers since April 2020, according to the FBI.

In July and August 2020, threat actors were observed leaking internal data from several organizations. The data had been obtained from SonarQube instances running on those organizations' networks with the default port and the default administrator credentials still in place.

“During the initial attack phase, cyber actors scan the internet for SonarQube instances exposed to the open Internet using the default port (9000) and a publicly accessible IP address. Cyber actors then use default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances,” the FBI explains.

To defend against such attacks, the agency recommends that organizations implement the following measures:

  • Change the SonarQube default settings, including changing default administrator username, password, and port (9000).

  • Place SonarQube instances behind a login screen, and check whether unauthorized users have accessed the instance.

  • Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.

  • Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
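The FBI's description of the attack (scan for port 9000, then try admin/admin) doubles as a checklist an owner can run against their own instance before an attacker does. The script below is an added example written for this article; it is not the FBI's or SonarQube's own code. It probes the SonarQube Web API endpoint `/api/authentication/validate`, which answers `{"valid": true}` for a valid login and, when anonymous access is permitted, for an unauthenticated request as well (treating that unauthenticated `true` as "anonymous access on" is an assumption about the endpoint's behaviour). The hostname `sonar.example.internal` and the offline `fake_transport` responses are constructed for the demonstration; pass the real `http_get` transport to audit a live instance you are authorized to test.

```python
"""Audit a SonarQube instance for the three weaknesses in the FBI alert:
default port 9000, default admin/admin credentials, anonymous access.
Added example, not code from the FBI alert or the SonarQube project."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

DEFAULT_PORT = 9000                 # SonarQube's out-of-the-box sonar.web.port
DEFAULT_CREDS = ("admin", "admin")  # default administrator account named in the alert
VALIDATE_PATH = "/api/authentication/validate"


def http_get(url, auth=None, timeout=10):
    """Live transport: GET url with optional HTTP Basic auth.
    Returns (status, parsed JSON body or {})."""
    req = urllib.request.Request(url)
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def fake_transport(anonymous_ok, admin_password):
    """Constructed offline stand-in for http_get, modelling one instance:
    unauthenticated validate -> valid iff anonymous access is on,
    authenticated validate   -> valid iff the admin password matches."""
    def fetch(url, auth=None, timeout=10):
        if not url.endswith(VALIDATE_PATH):
            return 404, {}
        if auth is None:
            return 200, {"valid": anonymous_ok}
        return 200, {"valid": auth == ("admin", admin_password)}
    return fetch


def audit(base_url, fetch=http_get):
    """Return a list of human-readable findings; an empty list means the
    three checks from the alert all passed."""
    findings = []
    parsed = urlparse(base_url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    if port == DEFAULT_PORT:
        findings.append(f"listening on default port {DEFAULT_PORT}")

    validate_url = base_url.rstrip("/") + VALIDATE_PATH

    # Probe 1: no credentials at all. Assumption: valid=true here means the
    # instance lets unauthenticated users in (sonar.forceAuthentication off).
    status, body = fetch(validate_url)
    if status == 200 and body.get("valid") is True:
        findings.append("anonymous access permitted (force authentication is off)")

    # Probe 2: the default admin/admin pair the alert says attackers try first.
    status, body = fetch(validate_url, DEFAULT_CREDS)
    if status == 200 and body.get("valid") is True:
        findings.append("default credentials admin/admin accepted")

    return findings


if __name__ == "__main__":
    # Constructed scenario: an instance left entirely at defaults.
    exposed = audit("http://sonar.example.internal:9000",
                    fake_transport(anonymous_ok=True, admin_password="admin"))
    for finding in exposed:
        print("FINDING:", finding)
    # Constructed scenario: moved behind TLS on 443, anonymous off, password rotated.
    hardened = audit("https://sonar.example.internal/",
                     fake_transport(anonymous_ok=False, admin_password="s3cret-rotated"))
    print("hardened instance findings:", hardened)
```

Running the audit only tells you what is exposed; the fixes are the ones the FBI lists, i.e. rotating the admin password, moving `sonar.web.port` off 9000 in `sonar.properties`, enabling "Force user authentication" so anonymous requests are rejected, and keeping the instance behind the firewall so the port is never reachable from the Internet in the first place.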
