FBI: Hackers steal source code from US government agencies and private companies

The FBI recently issued a security alert stating that hackers are abusing misconfigured SonarQube instances to access and steal source code repositories belonging to US government agencies and private companies.

The alert is addressed specifically to owners of SonarQube instances. SonarQube is a platform for managing source code quality that helps developers write clean code. Supported languages include Python, Java, PHP, C#, C, Cobol, PL/SQL, Flex and others. The SonarQube application is installed on a web server and connected to source code hosting systems such as BitBucket, GitHub or GitLab accounts, or Azure DevOps.

The alert states that such attacks have been occurring since April 2020. Besides several US government agencies, the victims include private companies in technology, finance, retail, food, e-commerce and manufacturing. Attackers exploit known SonarQube misconfigurations to reach private source code stored in the instance and then leak it publicly.

In the initial stage of the attack, the intruders scan the Internet for SonarQube instances listening on the default port (9000) on publicly reachable IP addresses. They then try to log in to each exposed instance with the default administrator credentials (username: admin, password: admin). The FBI has so far identified multiple potential intrusions, all tied to leaks stemming from SonarQube misconfigurations.

As ZDNet notes, the FBI alert concerns an issue that is little known among software developers and security researchers. While the security industry regularly warns about the dangers of MongoDB or Elasticsearch databases exposed online without a password, SonarQube has largely escaped attention.

In fact, as early as May 2018 security researchers warned about the danger of exposing SonarQube instances online with their default credentials. At the time, data breach hunter Bob Diachenko reported that roughly 30% to 40% of the approximately 3,000 SonarQube instances reachable online had no password or authentication mechanism enabled.

This year, the Swiss security researcher Till Kottmann raised the same problem, namely misconfigured SonarQube instances. Kottmann revealed that over the course of the year he had collected source code from dozens of technology companies, including Microsoft, Adobe, AMD and Taiwan's MediaTek, on a public portal. Much of that data came from SonarQube instances.

In order to prevent such leaks from continuing, the FBI listed a series of mitigation measures in the alert, including:

  • Change SonarQube's default settings, including the default administrator username, password and port (9000).
  • Put the SonarQube instance behind a login screen and check whether unauthorized users have accessed it.
  • Where possible, revoke all API keys and other credentials stored in a publicly exposed SonarQube instance.
  • Place the SonarQube instance behind the organization's firewall and other perimeter defenses to prevent unauthorized access.
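
The reconnaissance steps described above (probe port 9000, try admin/admin) and the first three mitigations in the list can both be scripted against SonarQube's own web API. The following Python is an added example, not code from the alert or from SonarSource: `audit()` reports what an Internet-facing instance reveals to an unauthenticated scanner, and `harden()` rotates the admin password, turns on forced authentication and revokes every user's tokens. The endpoint paths and status codes are taken from SonarQube's public web API as documented under `/web_api` on the instance; treat them as assumptions to confirm against your version. `urllib_transport` is only the default way to send requests; both functions accept any callable with the same signature, which is how they can be exercised offline. Changing the listen port and interface is done in `sonar.properties` (`sonar.web.port`, `sonar.web.host`), not through the API.

```python
"""Audit a SonarQube instance for the misconfigurations in the FBI alert
(default admin/admin credentials, anonymous project browsing) and apply the
alert's API-side mitigations (rotate the admin password, force authentication,
revoke user tokens).  Added example, not code from the alert or SonarSource.
Endpoint paths and status codes are assumptions based on SonarQube's public
web API (see /web_api on the instance)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers, params):
    """Default transport: send one request, return (HTTP status, body text)."""
    query = urllib.parse.urlencode(params)
    data = None
    if method == "GET":
        url = f"{url}?{query}" if query else url
    else:
        data = query.encode()          # form-encoded POST body
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def _json(body):
    """Parse a JSON object body; anything else (HTML, a list) becomes {}."""
    try:
        data = json.loads(body)
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}


def audit(base_url, transport=urllib_transport):
    """Return what a scanner hitting port 9000 would learn from base_url."""
    base = base_url.rstrip("/")
    report = {"sonarqube": False, "default_admin_creds": False,
              "anonymous_projects": []}
    # /api/system/status needs no authentication on any SonarQube, so it
    # confirms what is listening before any credentials are tried.
    status, body = transport("GET", f"{base}/api/system/status", {}, {})
    version = _json(body).get("version") if status == 200 else None
    if not version:
        return report
    report["sonarqube"] = version
    # /api/authentication/validate answers {"valid": true} only when the
    # supplied Basic credentials are accepted.
    status, body = transport("GET", f"{base}/api/authentication/validate",
                             basic_auth("admin", "admin"), {})
    report["default_admin_creds"] = status == 200 and bool(_json(body).get("valid"))
    # With "Force user authentication" off, an anonymous client can list
    # projects through the component search the web UI itself uses.
    status, body = transport("GET", f"{base}/api/components/search", {},
                             {"qualifiers": "TRK", "ps": 100})
    if status == 200:
        report["anonymous_projects"] = [c.get("key")
                                        for c in _json(body).get("components", [])]
    return report


def harden(base_url, old_password, new_password, transport=urllib_transport):
    """Rotate the admin password, force authentication, revoke every user token.
    Returns the (login, token name) pairs that were revoked."""
    base = base_url.rstrip("/")
    auth = basic_auth("admin", old_password)
    status, _ = transport("POST", f"{base}/api/users/change_password", auth,
                          {"login": "admin", "previousPassword": old_password,
                           "password": new_password})
    if status != 204:
        raise RuntimeError(f"admin password change failed: HTTP {status}")
    auth = basic_auth("admin", new_password)   # every later call uses the new secret
    status, _ = transport("POST", f"{base}/api/settings/set", auth,
                          {"key": "sonar.forceAuthentication", "value": "true"})
    if status != 204:
        raise RuntimeError(f"enabling forced authentication failed: HTTP {status}")
    revoked = []
    # One page of up to 500 users; larger installations must page with p=2, 3, ...
    status, body = transport("GET", f"{base}/api/users/search", auth, {"ps": 500})
    for user in (_json(body).get("users", []) if status == 200 else []):
        login = user["login"]
        status, body = transport("GET", f"{base}/api/user_tokens/search", auth,
                                 {"login": login})
        for tok in (_json(body).get("userTokens", []) if status == 200 else []):
            status, _ = transport("POST", f"{base}/api/user_tokens/revoke", auth,
                                  {"login": login, "name": tok["name"]})
            if status == 204:
                revoked.append((login, tok["name"]))
    return revoked


if __name__ == "__main__":
    import sys
    print(json.dumps(audit(sys.argv[1]), indent=2))
```

Run `python3 sonar_audit.py http://host:9000` against an instance you own: a report with `default_admin_creds: true` or a non-empty `anonymous_projects` list is exactly what the alert says attackers are looking for. `harden()` is deliberately a separate, manual step: the password change returns HTTP 204 only when `previousPassword` is right, all later calls already carry the new secret, and revoking tokens will break every CI pipeline that used them, so rotate those in the same change window.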

Security Alert: https://www.ic3.gov/Media/News/2020/201103-3.pdf 

Source: https://www.oschina.net/news/120111/fbi-hackers-stole-source-code-government