The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.
Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.
The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments.
SonarQube apps are installed on web servers and connected to source code hosting systems such as BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.
But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with the default admin credentials (admin/admin).
FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.
Officials provided two examples of past incidents:
“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.
“This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”
Forgotten problem resurfaces in 2020
The FBI alert touches on a little-known issue among software developers and security researchers.
While the cyber-security industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed online without passwords, SonarQube has slipped through the cracks.
However, some security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018.
At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of all the ~3,000 SonarQube instances available online at the time had no password or authentication mechanism enabled.
This year, a Swiss security researcher named Tillie Kottmann has also raised the same issue of misconfigured SonarQube instances. Throughout the year, Kottmann has gathered source code from tens of tech companies in a public portal, and many of these came from SonarQube applications.
“Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube,” Kottmann told ZDNet.
“I don’t know the current number of exposed SonarQube instances, but I doubt it changed much. I’d guess it’s still far over 1,000 servers (that are indexed by Shodan) that are ‘vulnerable’ by either requiring no auth or leaving default creds,” he said.
To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with changing the app’s default configuration and credentials and then using firewalls to keep unauthorized users from reaching the app at all. Note that rotating the admin password closes only one of the two doors: a SonarQube instance that is not configured to force authentication still lets anonymous visitors browse projects, so exposure to the internet has to be addressed separately.
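The two misconfigurations the alert describes (admin/admin still accepted, and project browsing open to anonymous users) can both be checked against SonarQube’s own web API, and the first remediation step, rotating the default password, can be driven through the same API. The script below is an added example written for this page, not code from the FBI alert or from the SonarQube project. It uses the documented `api/authentication/validate` and `api/users/change_password` endpoints; the use of `api/components/search` as the anonymous-browse probe is an assumption about which listing endpoint is reachable without credentials when forced authentication is off. The HTTP transport is injectable, so the checks run here against a constructed in-memory stand-in for a freshly installed instance rather than a live server.

```python
"""Audit a SonarQube instance for default admin credentials and anonymous project
browsing, then rotate the default password. Added example; the FakeDefaultInstance
below is a constructed stand-in, not a real server."""
import base64
import json
from typing import Callable, Optional, Tuple
from urllib import error, parse, request

# Transport signature: (method, path, basic_auth_or_None, form_fields_or_None)
#   -> (http_status, decoded_json_or_None)
Transport = Callable[[str, str, Optional[Tuple[str, str]], Optional[dict]],
                     Tuple[int, Optional[dict]]]


def urllib_transport(base_url: str, timeout: float = 5.0) -> Transport:
    """Real transport for a live instance, e.g. base_url='http://host:9000'."""
    def send(method, path, auth, form):
        data = parse.urlencode(form).encode() if form else None
        req = request.Request(base_url.rstrip("/") + path, data=data, method=method)
        if auth:
            token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
            req.add_header("Authorization", "Basic " + token)
        try:
            with request.urlopen(req, timeout=timeout) as resp:
                body = resp.read()
                return resp.status, (json.loads(body) if body else None)
        except error.HTTPError as e:
            return e.code, None
    return send


def admin_default_creds_accepted(send: Transport) -> bool:
    """api/authentication/validate answers {"valid": true} when the Basic
    credentials are accepted; admin/admin is the credential SonarQube ships with."""
    status, body = send("GET", "/api/authentication/validate", ("admin", "admin"), None)
    return status == 200 and bool(body and body.get("valid"))


def anonymous_browse_allowed(send: Transport) -> bool:
    """Without forced authentication, project metadata is readable with no
    credentials at all. api/components/search is the assumed probe endpoint."""
    status, body = send("GET", "/api/components/search?qualifiers=TRK&ps=1", None, None)
    return status == 200 and body is not None and "components" in body


def audit(send: Transport) -> dict:
    return {
        "default_admin_password": admin_default_creds_accepted(send),
        "anonymous_browse": anonymous_browse_allowed(send),
    }


def rotate_admin_password(send: Transport, new_password: str) -> bool:
    """First remediation step from the alert: replace the default credential.
    api/users/change_password requires the current password in previousPassword."""
    if len(new_password) < 12:
        raise ValueError("choose a password of at least 12 characters")
    status, _ = send("POST", "/api/users/change_password", ("admin", "admin"),
                     {"login": "admin", "previousPassword": "admin", "password": new_password})
    return status in (200, 204)


class FakeDefaultInstance:
    """Constructed stand-in for a never-configured SonarQube server on port 9000:
    admin/admin works and anonymous browsing is enabled."""
    def __init__(self):
        self.admin_password = "admin"
        self.force_auth = False

    def __call__(self, method, path, auth, form):
        if path.startswith("/api/authentication/validate"):
            return 200, {"valid": auth == ("admin", self.admin_password)}
        if path.startswith("/api/components/search"):
            if self.force_auth and auth != ("admin", self.admin_password):
                return 401, None
            return 200, {"components": [{"key": "internal-billing", "qualifier": "TRK"}]}
        if path.startswith("/api/users/change_password") and method == "POST":
            if auth != ("admin", self.admin_password) or \
                    form.get("previousPassword") != self.admin_password:
                return 401, None
            self.admin_password = form["password"]
            return 204, None
        return 404, None


if __name__ == "__main__":
    server = FakeDefaultInstance()
    print("before:", audit(server))
    rotate_admin_password(server, "correct-horse-battery-staple-9000")
    print("after: ", audit(server))
```

Against a live server, replace `FakeDefaultInstance()` with `urllib_transport("http://host:9000")`. The point the run makes is the one the alert’s second step exists for: after the password rotation the default-credential finding clears, but `anonymous_browse` stays true until forced authentication is switched on and the instance is moved behind the firewall.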