FBI: Hackers Stole Source Code from Government Agencies and Private Firms

The US Federal Bureau of Investigation (FBI) has issued a security alert warning that threat actors have stolen source code from government agencies and private firms and are using it to gain access to further sensitive information.

The alert is aimed specifically at organizations that run SonarQube. It was sent out last month and was made public this week on the FBI's website.

SonarQube is a web-based application that companies integrate into their software build chains to analyze source code and find bugs and security flaws before code and applications are rolled out to production environments.

SonarQube instances are installed on web servers and connected to source code hosting systems such as Bitbucket, GitHub, or GitLab accounts, or Azure DevOps. The threat actors exploit known configuration weaknesses (misconfigurations rather than software bugs) to gain access to proprietary code, exfiltrate it, and post the data publicly.

According to the FBI, some companies have left these systems unprotected, running in their default configuration with the default administrator credentials (admin/admin).

FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or otherwise sensitive source code.

Data breach hunter Bob Diachenko had previously warned that roughly 30% to 40% of the approximately 3,000 SonarQube instances reachable online at the time had no password or other authentication mechanism enabled.

Swiss security researcher Till Kottmann has raised the same issue of misconfigured SonarQube instances. Kottmann has gathered source code from dozens of tech companies in a public portal, and much of it came from exposed SonarQube instances.

According to Kottmann, “Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube.” “There are approx 1,000 servers (that are indexed by Shodan) which are ‘vulnerable’ by either requiring no auth or leaving default creds,” he said.

Recommendations:

  • Change SonarQube's default settings, including the default administrator username and password (admin/admin) and the default listening port (9000).
  • Place SonarQube instances behind a login screen, check whether unauthorized users have accessed the instance, and, where feasible, revoke any API keys or other credentials that were exposed through the instance.
  • Use a firewall to block access to the application from untrusted networks and users.
  • Review the rest of the application's default configuration and credentials and change anything still at its defaults.
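The two misconfigurations the alert describes, no forced login and the default admin/admin account, can both be checked from outside with SonarQube's own web API. The script below is an added example written for this page; it is not code from the FBI alert, from SonarQube, or from the researchers quoted above. It assumes (from the behaviour of the `/api/authentication/validate` endpoint as the author understands it) that an anonymous call answers `{"valid": true}` only when "Force user authentication" is off, that a wrong Basic-auth password answers `{"valid": false}`, and that `/api/components/search` lists the projects the caller may see. The hostname `sonar.example.test` and the canned responses in `SAMPLE_RESPONSES` are constructed so the script runs offline; only probe instances you own or are authorized to test.

```python
"""Probe a SonarQube instance for the two misconfigurations in the FBI alert:
an instance with no forced login, and the out-of-the-box admin/admin account."""
import base64
import json
import sys
import urllib.error
import urllib.request

DEFAULT_CREDS = ("admin", "admin")          # SonarQube's out-of-the-box administrator
VALIDATE = "/api/authentication/validate"   # answers {"valid": <bool>} for the caller
PROJECTS = "/api/components/search?qualifiers=TRK&ps=1"   # projects visible to the caller


def http_get(base_url, path, creds=None, timeout=10):
    """GET base_url+path, optionally with HTTP Basic auth; returns (status, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    if creds is not None:
        token = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:       # 401/403 etc. still carry a body
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:               # refused, DNS failure, timeout
        return 0, ""


def _valid(body):
    """Parse the {"valid": <bool>} reply of /api/authentication/validate."""
    try:
        return bool(json.loads(body).get("valid", False))
    except (ValueError, AttributeError):
        return False


def audit(base_url, fetch=http_get):
    """Return a dict of findings; `fetch` is injectable so the logic can run offline."""
    findings = {"base_url": base_url}
    status, body = fetch(base_url, "/api/system/status")   # public by design
    findings["reachable"] = status == 200 and '"status"' in body
    if not findings["reachable"]:
        return findings
    # No credentials at all: {"valid": true} here means there is no login screen
    # (assumption: "Force user authentication" is off).
    status, body = fetch(base_url, VALIDATE)
    findings["anonymous_access"] = status == 200 and _valid(body)
    # Same endpoint with admin/admin; a wrong password answers {"valid": false}.
    status, body = fetch(base_url, VALIDATE, creds=DEFAULT_CREDS)
    findings["default_admin_creds"] = status == 200 and _valid(body)
    # How many projects an unauthenticated caller could enumerate and read.
    status, body = fetch(base_url, PROJECTS)
    total = 0
    if status == 200:
        try:
            total = int(json.loads(body)["paging"]["total"])
        except (ValueError, KeyError, TypeError):
            total = 0
    findings["projects_visible_anonymously"] = total
    return findings


def severity(findings):
    """Collapse the findings into one label for a scan report."""
    if not findings.get("reachable"):
        return "not-sonarqube"
    if findings.get("default_admin_creds"):
        return "critical"   # full admin: every project, token, webhook and SCM integration
    if findings.get("anonymous_access") or findings.get("projects_visible_anonymously", 0):
        return "high"       # unauthenticated read of whatever projects are visible
    return "ok"


# Constructed responses imitating a wide-open instance, so the script runs offline.
SAMPLE_RESPONSES = {
    ("/api/system/status", None): (200, '{"id":"demo","version":"8.9.0","status":"UP"}'),
    (VALIDATE, None): (200, '{"valid":true}'),
    (VALIDATE, DEFAULT_CREDS): (200, '{"valid":true}'),
    (PROJECTS, None): (200, '{"paging":{"pageIndex":1,"pageSize":1,"total":12},'
                             '"components":[{"key":"billing-api","name":"billing-api"}]}'),
}


def canned_fetch(responses):
    """Build a fetch() that serves canned (status, body) pairs instead of using the network."""
    return lambda base_url, path, creds=None, timeout=10: responses.get((path, creds), (404, ""))


if __name__ == "__main__":
    if len(sys.argv) > 1:        # usage: python sq_audit.py http://host:9000
        result = audit(sys.argv[1])
    else:                        # no URL given: run against the constructed sample
        result = audit("http://sonar.example.test:9000", fetch=canned_fetch(SAMPLE_RESPONSES))
    print(json.dumps(result, indent=2))
    print("severity:", severity(result))
```

A "critical" result means the admin/admin check passed, which is the full takeover scenario in the alert; a "high" result means the instance has no login screen, so anyone on the network can list and read the projects it shows. After fixing either finding, rerun the audit to confirm both probes now return `{"valid": false}` and the project listing returns 401.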