The FBI has issued a security alert warning that threat actors are abusing misconfigured SonarQube instances to access and steal source code from U.S. government agencies and private companies, media reported. In a warning issued last month and posted on its website this week, the agency noted that such attacks have been going on since at least April 2020.
The alert is aimed specifically at owners of SonarQube instances. SonarQube is a web-based application that companies integrate into their software build chains to test source code and identify security flaws before rolling code and applications out to production.
SonarQube applications are installed on web servers and connected to source code hosting systems such as Bitbucket, GitHub, GitLab, or Azure DevOps.
But the FBI says some companies leave these systems unprotected, running them with the default administrative credentials (admin/admin) and the default configuration (port 9000).
FBI officials say threat actors abused these misconfigurations to access SonarQube instances, pivot from them to the connected source code repositories, and then access and steal proprietary or sensitive application code.
The FBI's warning touches on an issue that is little known among software developers and security researchers.
The cybersecurity industry often warns of the dangers of MongoDB or Elasticsearch databases exposed online without passwords, but SonarQube has received far less attention. Some security researchers, however, warned as early as May 2018 about the dangers of SonarQube instances exposed online with default credentials.
At the time, Bob Diachenko, a data breach hunter, warned that 30 to 40 per cent of the approximately 3,000 SonarQube instances reachable online did not have passwords or authentication mechanisms enabled.
This year, Till Kottmann, a Swiss security researcher, raised the same concern about misconfigured SonarQube instances. Kottmann is understood to have collected such exposed source code through a public portal over a one-year period.
To prevent such breaches, the FBI's warning lists a range of safeguards companies can take, starting with changing the app's default configuration and credentials, and then using a firewall to prevent unauthorized users from reaching the app at all.
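As an added example (not code from the FBI alert or the article), here is an audit routine an instance owner can run against their own SonarQube deployment to check for the weak settings described above: reachability on the default port 9000, anonymous read access (force-authentication off), and the default admin/admin credentials still being accepted. The three SonarQube web API endpoints used are real; the `fetch` hook, the hostnames and the sample responses in the test are assumptions.

```python
"""Audit one of your own SonarQube instances for the misconfigurations the
FBI alert describes: default admin/admin credentials and anonymous access on
the default port 9000. Uses SonarQube's public web API endpoints
(/api/system/status, /api/projects/search, /api/authentication/validate)."""
import base64
import json
import urllib.error
import urllib.request

DEFAULT_CREDS = ("admin", "admin")  # factory default the alert warns about


def _http_get(url, headers):
    """Default fetcher for live checks: return (status_code, body_text)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit_sonarqube(base_url="http://127.0.0.1:9000", fetch=_http_get):
    """Return findings for one instance; True marks a weak setting present.

    `fetch(url, headers) -> (status, body)` is injectable so the logic can be
    exercised offline against recorded responses (assumed hook, not a
    SonarQube API)."""
    base_url = base_url.rstrip("/")
    findings = {"reachable": False, "anonymous_read": False, "default_creds": False}

    status, _ = fetch(f"{base_url}/api/system/status", {})
    findings["reachable"] = status == 200
    if not findings["reachable"]:
        return findings

    # With "Force user authentication" disabled, the project list (and thus
    # the analysed code's metadata) is readable without any login.
    status, _ = fetch(f"{base_url}/api/projects/search?ps=1", {})
    findings["anonymous_read"] = status == 200

    # Still-valid default credentials: validate returns {"valid": true}.
    token = base64.b64encode(":".join(DEFAULT_CREDS).encode()).decode()
    status, body = fetch(f"{base_url}/api/authentication/validate",
                         {"Authorization": f"Basic {token}"})
    if status == 200:
        try:
            findings["default_creds"] = bool(json.loads(body).get("valid"))
        except ValueError:
            pass  # non-JSON body: treat as not confirmed
    return findings
```

A `True` for `anonymous_read` means force-authentication should be enabled in the instance's security settings, and a `True` for `default_creds` means the admin password must be changed; either way the instance should sit behind a firewall rule that restricts port 9000 to the build network.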