Hacking

FBI warns of attacks on unsecured SonarQube used by US govt agencies and businesses

The FBI warns that threat actors are abusing misconfigured SonarQube applications to steal source code from US government agencies and businesses.

The Federal Bureau of Investigation has issued an alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and businesses. The alert, coded as MU-000136-MW, was issued on October 14th, but only publicly disclosed last week.

SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.

SonarQube apps are installed on web servers and are directly connected to systems and source code repositories, such as BitBucket, GitHub, or GitLab accounts, or Azure DevOps.

The attacks took place since at least April 2020, threat actors are targeting systems using default configuration (on port 9000) with default admin credentials (admin/admin).

“Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly.” reads the alert. “The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.”

The attacks aimed at accessing and stealing proprietary or private and sensitive applications.

The alert cites two incidents in which threat actors exploited the misconfiguration to carry out the attacks. In August 2020, unknown attackers leaked internal data from two organizations using a public lifecycle repository tool. The stolen data were connected to unsecured SonarQube instances that were using default port settings and admin credentials running on the affected organizations’ networks.

In July 2020, an identified cyber actor exfiltrated proprietary source code from enterprises through unsecured SonarQube instances and published it on a self-hosted public repository.

The alert provides the following mitigations:

  • Change the default settings, including changing default administrator username, password, and port (9000).
  • Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
  • Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
  • Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.

In May 2018, the UK EE operator, the British largest cell network in the UK with some 30 million customers, has left a critical code system exposed online with a default password.

The code was exposed on the SonarQube open source platform hosted on an EE subdomain.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FBI)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

U.S. CISA adds Google Chromium, DrayTek routers, and SAP NetWeaver flaws to its Known Exploited Vulnerabilities catalog<gwmw style="display:none;"></gwmw>

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Google Chromium, DrayTek routers, and SAP NetWeaver…

1 hour ago

Pwn2Own Berlin 2025 Day Two: researcher earned 150K hacking VMware ESXi

On day two of Pwn2Own Berlin 2025, participants earned $435,000 for demonstrating zero-day in SharePoint,…

13 hours ago

New botnet HTTPBot targets gaming and tech industries with surgical attacks

New botnet HTTPBot is targeting China's gaming, tech, and education sectors, cybersecurity researchers warn. NSFOCUS …

15 hours ago

Meta plans to train AI on EU user data from May 27 without consent

Meta plans to train AI on EU user data from May 27 without consent; privacy…

23 hours ago

AI in the Cloud: The Rising Tide of Security and Privacy Risks

Over half of firms adopted AI in 2024, but cloud tools like Azure OpenAI raise…

1 day ago

Google fixed a Chrome vulnerability that could lead to full account takeover

Google released emergency security updates to fix a Chrome vulnerability that could lead to full…

1 day ago