

FBI: Hackers stole source code from US government agencies and private companies

FBI blames intrusions on improperly configured SonarQube source code management tools.



The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.

Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.

The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments.

SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.

But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with default admin credentials (admin/admin).

FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.

Officials provided two examples of past incidents:

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.

“This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”

The FBI alert touches on a little-known issue among software developers and security researchers.

While the cyber-security industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed online without passwords, SonarQube has slipped through the cracks.

However, some security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018.

At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of all the ~3,000 SonarQube instances available online at the time had no password or authentication mechanism enabled.

After @zackwhittaker covered EE leak, I ran a couple of queries on Sonarqube. Shocked to see more than 3K+ instances available, with roughly 30-40% of them set without auth, and almost half of those containing source code with prod data. Big names involved, another area to cover.

This year, a Swiss security researcher named Till Kottmann has also raised the same issue of misconfigured SonarQube instances. Throughout the year, Kottmann has gathered source code from tens of tech companies in a public portal, and many of these came from SonarQube applications.

“Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube,” Kottmann told ZDNet.

“I don’t know the current number of exposed SonarQube instances, but I doubt it changed much. I would guess it’s still far over 1,000 servers (that are indexed by Shodan) which are ‘vulnerable’ by either requiring no auth or leaving default creds,” he said.

To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with changing the app’s default configuration and credentials and then using firewalls to block unauthorized access to the app.
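As an added example (not part of the FBI alert or this article), the following Python script audits a SonarQube sonar.properties file for the exposed-by-default settings the alert describes: listening on all interfaces on port 9000 without forced authentication. sonar.web.host and sonar.web.port are documented sonar.properties keys; treating sonar.forceAuthentication as settable in that file is an assumption, and the sample files are constructed.

```python
"""Audit a SonarQube sonar.properties file for the default-exposure pattern."""
import re

DEFAULT_PORT = "9000"  # SonarQube's stock listening port, as cited in the alert


def parse_properties(text: str) -> dict:
    """Minimal Java-style .properties parser: key=value or key:value, '#'/'!' comments, blanks skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_sonar_properties(text: str) -> list:
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    props = parse_properties(text)
    findings = []
    # Commented-out defaults mean the stock value applies: bound to every interface.
    host = props.get("sonar.web.host", "0.0.0.0")
    if host in ("0.0.0.0", "::"):
        findings.append("sonar.web.host binds all interfaces; bind to 127.0.0.1 behind a firewall or reverse proxy")
    if props.get("sonar.web.port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("sonar.web.port is the default 9000 described in the alert")
    # Assumption: sonar.forceAuthentication is honoured from sonar.properties as a global setting.
    if props.get("sonar.forceAuthentication", "false").lower() != "true":
        findings.append("sonar.forceAuthentication is not true; anonymous users can browse projects")
    # The admin/admin default cannot be detected from this file; verify it on the running instance.
    return findings


# Constructed sample: a stock file with every setting left commented out.
EXPOSED = """# constructed sample: nothing changed after install
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
"""

# Constructed sample: the same file after hardening.
HARDENED = """# constructed sample: hardened
sonar.web.host=127.0.0.1
sonar.web.port=9100
sonar.forceAuthentication=true
"""

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit_sonar_properties(text) or ["no findings"])
```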
