The FBI has warned that hackers have been accessing proprietary source code from government agencies and businesses by exploiting SonarQube.
SonarQube is a code inspection platform that currently supports 27 programming languages and helps developers write cleaner, more secure, bug-free code. SonarQube integrates with a number of third-party services and platforms, including GitHub, GitLab, LDAP, Active Directory, BitBucket, Azure DevOps and more.
Unfortunately, according to the FBI (PDF), it appears a number of organizations using SonarQube left the default parameters in place, opening themselves up to security issues and code theft.
In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks. This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.
During the initial attack phase, cyber actors scan the internet for SonarQube instances exposed to the open Internet using the default port (9000) and a publicly accessible IP address. Cyber actors then use default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances.
The FBI recommends following basic security protocols that, quite frankly, organizations should have implemented from the beginning. This includes changing the default admin username and password and the default port through which SonarQube is accessed, putting SonarQube behind a login screen, checking for unauthorized users, and keeping the platform behind the company firewall.
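As an added example (not from the FBI alert or the SonarQube project), the following script audits a SonarQube `sonar.properties` file for the exposure pattern described above: the default port 9000, a web server bound to every interface, and no forced authentication. It assumes the keys `sonar.web.host`, `sonar.web.port` and `sonar.forceAuthentication` behave as documented in the `sonar.properties` SonarQube ships, and the two sample configurations are constructed.

```python
"""Added example: audit sonar.properties for the weak settings in the alert.
Assumption: sonar.web.host / sonar.web.port / sonar.forceAuthentication are the
documented keys for the SonarQube version you run."""

DEFAULT_PORT = "9000"     # default port named in the alert
DEFAULT_HOST = "0.0.0.0"  # SonarQube's documented default bind address (assumption)


def parse_properties(text):
    """Minimal Java .properties reader: skips blank and comment lines and
    splits each entry on the first '=' or ':' (both are legal separators)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not seps:
            continue
        cut = min(seps)
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit_sonar_properties(text):
    """Return a list of findings; an empty list means none of the three
    weak settings from the alert was found."""
    props = parse_properties(text)
    findings = []
    host = props.get("sonar.web.host", DEFAULT_HOST)  # unset key == default bind
    if host in ("0.0.0.0", "::"):
        findings.append(f"sonar.web.host={host}: web server listens on every "
                        "interface; bind to 127.0.0.1 or an internal address")
    if props.get("sonar.web.port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("sonar.web.port=9000: default port from the alert; changing it "
                        "only reduces scanner hits, it does not replace binding and auth")
    if props.get("sonar.forceAuthentication", "false").lower() != "true":
        findings.append("sonar.forceAuthentication is not true: anonymous users can "
                        "browse projects unless the UI setting enforces login")
    return findings


# Constructed sample configurations: the exposed default beside a hardened one.
WEAK_CONFIG = "# stock sonar.properties, nothing changed\nsonar.web.port=9000\n"
HARDENED_CONFIG = "sonar.web.host=127.0.0.1\nsonar.web.port=9443\nsonar.forceAuthentication=true\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sonar_properties(cfg) or ["no findings"])
```

The admin password itself lives in SonarQube's database, not in this file, so changing it from `admin` still has to be verified separately.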