The FBI has published a security alert, sent out last month to several companies and government agencies, about attacks on SonarQube. The agency warned that attackers are exploiting exposed SonarQube instances and stealing proprietary source code from victims. The FBI warned companies privately last month and released the alert publicly this week.
Misconfigured SonarQube Apps
SonarQube is a platform that companies integrate into their software repositories to scan source code for possible security flaws, so that these can be fixed before the code is released. It is used by many organizations, including government agencies, to check the quality and integrity of their source code.
Companies usually link their SonarQube instances to source code hosting systems such as GitHub, Bitbucket, or GitLab accounts. The FBI has warned about this practice because many of these instances are left with the default admin credentials (admin/admin), which lets attackers log in with those credentials and gain access to the target’s network.
From there, attackers proceed to the linked repositories and steal the proprietary source code. Security researcher Bob Diachenko has previously warned that about 30-40% of SonarQube instances carry this same misconfiguration, yet it is rarely targeted by attackers, most of whom focus on exploiting exposed MongoDB and Elasticsearch databases.
The alert also gives two examples: “In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.”
Further, “This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”
Companies running SonarQube are therefore advised to replace the default credentials with strong ones and to make sure that no unauthorized party can access the source code through the instance.