The FBI issued a flash alert earlier this week, warning government agencies and companies about attacks on SonarQube instances. SonarQube is used for auditing source code, so exploiting a vulnerable instance can let attackers obtain a company’s source code. Researchers claim that thousands of companies have already had their source code leaked.
FBI Warns About Attacks Against SonarQube
SonarQube is a platform for source code auditing and static analysis that surfaces security bugs in code. It supports over 27 programming languages. While it’s a useful platform, the US Federal Bureau of Investigation has issued a flash alert warning about attacks against vulnerable SonarQube instances.
The flash alert states that hackers have been targeting vulnerable SonarQube instances since April this year. Since these instances host the source code of various government agencies and companies for review, they are a one-stop jackpot for attackers. Reports say that over a dozen companies have already had their source code leaked.
While the FBI hasn’t named any specific companies, it warned that attacks against companies in the technology, finance, retail, food, eCommerce, and manufacturing sectors are active. Tillie Kottmann, a developer and reverse engineer, has gathered and published the leaked source code of over 50 companies.
These include big names like Adobe, AMD, Microsoft, Hisilicon, Lenovo, Qualcomm, Mediatek, Motorola, Nintendo, GE Appliances, Roblox, Disney, etc. All these companies failed to secure their SonarQube installations, thus exposing their proprietary source code. The leaks include a dump of Intel’s confidential data (about 20GB) from its servers.
The FBI explained that the hackers’ initial attack vector is scanning the internet for vulnerable SonarQube instances. After finding one, they log in with the default admin credentials and exfiltrate data. The FBI also listed mitigation measures for SonarQube instances:
- Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
- Change the SonarQube default settings, including changing the default administrator username, password, and port (9000).
- Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
- Revoke access to any application programming interface keys or other credentials exposed in a SonarQube instance, if feasible.
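Added example (not from the FBI alert or the SonarQube project): a small audit of a sonar.properties file against three of the settings the mitigation list calls out, the default port 9000, forced login, and the network binding. It assumes sonar.forceAuthentication appears in the properties file (in practice it is usually set through the web UI), and both sample configurations are constructed.

```python
"""Audit a sonar.properties file for the defaults the FBI alert tells operators to change."""
from typing import Dict, List

DEFAULT_PORT = "9000"  # SonarQube ships listening on 9000


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style key=value lines. Lines starting with '#' or '!' are comments,
    so a shipped '#sonar.web.port=9000' line does NOT count as an explicit setting.
    Backslash line continuations are not handled (not needed for these keys)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_sonar_properties(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means the checks passed.
    Missing keys are treated as SonarQube's defaults, which is how the server reads them."""
    props = parse_properties(text)
    findings: List[str] = []
    if props.get("sonar.web.port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("sonar.web.port is the default 9000 (set explicitly or by omission)")
    # Assumption: sonar.forceAuthentication is present in the file rather than only in the UI.
    if props.get("sonar.forceAuthentication", "false").lower() != "true":
        findings.append("sonar.forceAuthentication is not true: anonymous users can browse the instance")
    if props.get("sonar.web.host", "0.0.0.0") == "0.0.0.0":
        findings.append("sonar.web.host binds to all interfaces: confirm the instance sits behind the firewall")
    return findings


# Constructed sample: the file as shipped, every relevant key still commented out.
WEAK_CONFIG = """# SonarQube server settings (constructed sample)
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
#sonar.forceAuthentication=false
"""

# Constructed sample after applying the mitigations: non-default port, login required,
# bound to loopback so only a reverse proxy on the host can reach it.
HARDENED_CONFIG = """# SonarQube server settings (constructed sample)
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.forceAuthentication=true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sonar_properties(cfg) or "no findings")
```

The audit only covers what the properties file can show; rotating the default admin credentials and any API keys exposed in the instance still has to be verified inside SonarQube itself.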