28 October 2020

FBI: Hackers target misconfigured SonarQube instances to steal government source code

The Federal Bureau of Investigation (FBI) has released a flash alert warning of hackers exploiting insecure SonarQube instances in order to get their hands on source code repositories of US government agencies and private companies.

SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.

The FBI said malicious actors exploit known configuration vulnerabilities, chiefly default settings left unchanged, to gain access to proprietary code repositories owned by government entities and by private businesses in the technology, finance, retail, food, eCommerce, and manufacturing sectors, then steal the data and leak it online.

“The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities,” the agency said.

Vulnerable SonarQube servers have been actively exploited by attackers since April 2020, according to the FBI.

In July and August 2020, threat actors leaked internal data from several organizations; the data had been obtained from SonarQube instances that were running on those organizations' networks with the default port and default administrator credentials.

“During the initial attack phase, cyber actors scan the internet for SonarQube instances exposed to the open Internet using the default port (9000) and a publicly accessible IP address. Cyber actors then use default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances,” the FBI explains.

To defend against such attacks, the agency recommends that organizations implement the following measures:

  • Change the SonarQube default settings, including the default administrator username, password, and port (9000).

  • Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.

  • Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.

  • Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
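The scanning and credential-guessing the FBI describes, and the first three of its recommendations, can be exercised against SonarQube's own web API. The Python script below is an added example written for this article; it is not code from the FBI flash, from SonarQube, or from the attackers. It reproduces the attacker's two checks (is TCP/9000 open, does admin:admin validate), adds a third that reveals whether the instance sits behind a login screen (whether an unauthenticated caller can list projects), and then applies the fixes: change the admin password, turn on "Force user authentication" (the `sonar.forceAuthentication` setting), and revoke every token held by the admin account on the assumption that they were exposed. The endpoints used (`/api/authentication/validate`, `/api/components/search`, `/api/users/change_password`, `/api/settings/set`, `/api/user_tokens/search`, `/api/user_tokens/revoke`) are SonarQube's documented web API; the host name is hypothetical and the `canned_sonarqube` stand-in server is constructed here so the script runs offline.

```python
"""Audit a SonarQube instance for the weaknesses in the FBI flash (default
port exposed, default admin:admin accepted, no forced login) and apply the
flash's recommendations through SonarQube's web API. All HTTP goes through an
injectable `request` callable so the logic also runs offline against the
constructed stand-in server at the bottom."""
import base64
import json
import socket
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_PORT = 9000
DEFAULT_USER, DEFAULT_PASS = "admin", "admin"   # SonarQube's shipped admin account


def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_request(method, url, headers=None, data=None, timeout=5):
    """Return (status, body). SonarQube reads are GET, writes are form POST."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def default_port_reachable(host, port=DEFAULT_PORT, timeout=3):
    """Attack step 1: is TCP/9000 open from where this runs?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def default_creds_accepted(base, request=http_request):
    """Attack step 2: /api/authentication/validate answers {"valid": true}
    when the Basic credentials it was given are accepted."""
    status, body = request("GET", f"{base}/api/authentication/validate",
                           headers=basic_auth(DEFAULT_USER, DEFAULT_PASS))
    try:
        return status == 200 and bool(json.loads(body).get("valid"))
    except ValueError:
        return False


def anonymous_browsing_allowed(base, request=http_request):
    """With "Force user authentication" on, an unauthenticated call to
    /api/components/search gets 401; a 200 means anyone can list projects."""
    status, _ = request("GET", f"{base}/api/components/search?qualifiers=TRK&ps=1")
    return status == 200


def audit(base, request=http_request):
    findings = []
    if default_creds_accepted(base, request):
        findings.append("default admin credentials accepted")
    if anonymous_browsing_allowed(base, request):
        findings.append("project list readable without authentication")
    return findings


def remediate(base, new_admin_password, request=http_request):
    """Change the admin password, force authentication, and revoke every token
    the admin account holds. Returns (step, HTTP status) pairs; 204 is success."""
    steps = []
    status, _ = request("POST", f"{base}/api/users/change_password",
                        headers=basic_auth(DEFAULT_USER, DEFAULT_PASS),
                        data={"login": DEFAULT_USER, "previousPassword": DEFAULT_PASS,
                              "password": new_admin_password})
    steps.append(("change admin password", status))
    auth = basic_auth(DEFAULT_USER, new_admin_password)   # re-authenticate with the new secret
    status, _ = request("POST", f"{base}/api/settings/set", headers=auth,
                        data={"key": "sonar.forceAuthentication", "value": "true"})
    steps.append(("force authentication", status))
    status, body = request("GET", f"{base}/api/user_tokens/search?login={DEFAULT_USER}",
                           headers=auth)
    tokens = json.loads(body).get("userTokens", []) if status == 200 else []
    for tok in tokens:   # every token on an admin:admin account is presumed exposed
        status, _ = request("POST", f"{base}/api/user_tokens/revoke", headers=auth,
                            data={"login": DEFAULT_USER, "name": tok["name"]})
        steps.append((f"revoke token {tok['name']}", status))
    return steps


def canned_sonarqube(hardened=False):
    """Constructed stand-in for a SonarQube server so the example runs offline:
    the default build accepts admin:admin and lists projects to anyone."""
    def request(method, url, headers=None, data=None):
        if url.endswith("/api/authentication/validate"):
            ok = not hardened and headers == basic_auth(DEFAULT_USER, DEFAULT_PASS)
            return 200, json.dumps({"valid": ok})
        if "/api/components/search" in url:
            return (401, "") if hardened else (200, '{"components": []}')
        if "/api/user_tokens/search" in url:
            return 200, '{"login": "admin", "userTokens": [{"name": "ci-token"}]}'
        if url.endswith(("/change_password", "/settings/set", "/user_tokens/revoke")):
            return 204, ""
        return 404, ""
    return request


if __name__ == "__main__":
    base = "http://sonarqube.example.internal:9000"   # hypothetical host
    print("exposed instance:", audit(base, canned_sonarqube()))
    print("hardened instance:", audit(base, canned_sonarqube(hardened=True)))
    print("remediation:", remediate(base, "replace-with-a-long-random-password", canned_sonarqube()))
```

Two of the recommendations have no API call: the listening port is set with `sonar.web.port` in `sonar.properties` (and, for the last bullet, binding the instance to a loopback or internal address behind a reverse proxy or firewall does more than renaming the port), and checking for prior unauthorized access means reading the instance's web access log for logins from unexpected source addresses. Run `audit()` first, only ever against an instance you administer; if the password step returns something other than 204 the default password was already changed, and `remediate()` simply records the status rather than guessing further.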
