Federal Source Code Accessed Via Misconfigured SonarQube

FBI: Hackers Exploiting Configuration Vulnerabilities To Gain Access
The FBI has issued a flash alert warning that unidentified threat actors are actively targeting vulnerable SonarQube instances to access source code repositories of U.S. government agencies and private businesses.
The agency notes that since April hackers have been exploiting known configuration vulnerabilities in SonarQube instances to gain access and exfiltrate proprietary code and then publicly post the data. The FBI alert was originally distributed to organizations as a private alert in October, but published publicly Tuesday to the bureau's Internet Crime Complaint Center.
SonarQube is an open-source platform for automated code quality auditing and static analysis that is used to discover bugs and security vulnerabilities in application projects. It can analyze code written in more than 20 programming languages to check for software flaws.
"In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks," the FBI alert notes.
An instance in this case refers to "a collection of SQL server databases run by a single SQL Server service."
The FBI identified multiple potential computer intrusions that correlate to leaks associated with the SonarQube configuration vulnerabilities, according to the alert.
Gaining Access to SonarQube
The FBI notes that during the initial attack phase, threat actors scanned the web for SonarQube instances exposed to the open internet using the default port (9000) and a publicly accessible IP address. Next, hackers used default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances, according to the alert.
The FBI has observed source code leaks associated with insecure SonarQube instances since at least April. The main targets for the threat actors are federal government agencies and private companies in the technology, finance, retail, food, e-commerce and manufacturing sectors, according to the alert.
The FBI notes that the activity was similar to a previous data leak in July where unidentified hackers exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the stolen source code on a self-hosted public repository (see: Intel Investigating Possible Leak of Internal Data).
In May, a massive leak of Nintendo data, including source code for older gaming systems, prototypes of games and extensive software and hardware documentation created havoc among gamers (see: Nintendo Source Code for N64, Wii and GameCube Leaked).
The leaked material included source code for the Wii, N64 and GameCube systems as well as demo games for the N64. Also leaked were extensive hardware and software engineering documents as well as software development kits.
As part of its alert, the FBI is warning both government and non-government users of SonarQube to follow several steps to ensure any instances that they are using are secure. This includes:
- Changing the SonarQube default settings, including the administrator username, password, and port (9000);
- Constantly monitoring SonarQube instances to check if unauthorized users have accessed them;
- Revoking access to any application programming interface keys or other credentials that were exposed in a SonarQube instance;
- Configuring SonarQube instances to sit behind the organization's firewall and other perimeter defenses to prevent unauthenticated access.
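The exposure pattern the alert describes in the "Gaining Access" section (default port 9000 on a publicly reachable address) and the first and last items of the hardening list can be checked against an instance's configuration file before it ever goes online. The script below is an added example, not part of the FBI alert or the SonarQube project: it parses a `sonar.properties` file, flags the default web port and a listener bound to every interface, and shows a weak configuration beside a hardened one. `sonar.web.host` and `sonar.web.port` are real `sonar.properties` keys; both sample configurations are constructed for this example. Default administrator credentials live in the SonarQube database rather than this file, so they are outside what a file audit can verify.

```python
"""Audit a SonarQube sonar.properties file for the exposure defaults named in
the FBI alert: the default web port (9000) and a listener bound to every
interface, which together place the instance on the open internet whenever
the host has a public IP and no firewall in front of it.

Added example, not from the FBI alert or the SonarQube project. The property
names sonar.web.host and sonar.web.port are real sonar.properties keys; the
two sample configurations below are constructed for this example.
"""

DEFAULT_PORT = "9000"                    # SonarQube's default web port, as named in the alert
ALL_INTERFACES = {"0.0.0.0", "::", ""}   # bind addresses that expose the listener on every interface

# Constructed sample: an out-of-the-box install. Every setting is commented
# out, so SonarQube falls back to its built-in (weak) defaults.
WEAK_CONFIG = """
# sonar.web.host=0.0.0.0
# sonar.web.port=9000
sonar.jdbc.username=sonarqube
"""

# Constructed sample: listener moved off the default port and bound to
# loopback, so only a reverse proxy or tunnel on the host itself can reach it.
HARDENED_CONFIG = """
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.jdbc.username=sonarqube
"""


def parse_properties(text):
    """Parse Java-style key=value (or key:value) properties, skipping blank and commented lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("!"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of findings; an empty list means neither exposure default was found."""
    props = parse_properties(text)
    findings = []
    # A missing key means SonarQube uses its built-in default, which is the weak value.
    host = props.get("sonar.web.host", "0.0.0.0")
    port = props.get("sonar.web.port", DEFAULT_PORT)
    if port == DEFAULT_PORT:
        findings.append("sonar.web.port is the default 9000; the alert reports internet-wide scans for this port")
    if host in ALL_INTERFACES:
        findings.append("sonar.web.host binds every interface; restrict it to loopback or an internal address")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

Run it against the real `sonar.properties` by reading the file into `audit()`; a clean result still only covers what the file controls, so the remaining items in the list above (rotated admin credentials, revoked API keys and ongoing access monitoring) have to be verified in the instance itself.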