Pierluigi Paganini November 09, 2020

The FBI warns that threat actors are abusing misconfigured SonarQube applications to steal source code from US government agencies and businesses.

The Federal Bureau of Investigation has issued an alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and businesses. The alert, coded as MU-000136-MW, was issued on October 14th, but only publicly disclosed last week.

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.

SonarQube apps are installed on web servers and are directly connected to systems and source code repositories, such as BitBucket, GitHub, or GitLab accounts, or Azure DevOps.

The attacks took place since at least April 2020, threat actors are targeting systems using default configuration (on port 9000) with default admin credentials (admin/admin).

“Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly.” reads the alert. “The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.”

The attacks aimed at accessing and stealing proprietary or private and sensitive applications.

The alert cites two incidents in which threat actors exploited the misconfiguration to carry out the attacks. In August 2020, unknown attackers leaked internal data from two organizations using a public lifecycle repository tool. The stolen data were connected to unsecured SonarQube instances that were using default port settings and admin credentials running on the affected organizations’ networks.

In July 2020, an identified cyber actor exfiltrated proprietary source code from enterprises through unsecured SonarQube instances and published it on a self-hosted public repository.

The alert provides the following mitigations:

• Change the default settings, including changing default administrator username, password, and port (9000).
• Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
• Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
• Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.

In May 2018, the UK EE operator, the British largest cell network in the UK with some 30 million customers, has left a critical code system exposed online with a default password.

The code was exposed on the SonarQube open source platform hosted on an EE subdomain.

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]