Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses. The actors exploit known configuration vulnerabilities, allowing them to gain access to proprietary code, exfiltrate it, and post the data publicly. The FBI has identified multiple potential computer intrusions that correlate to leaks associated with SonarQube configuration vulnerabilities.
Beginning in April 2020, the FBI observed source code leaks associated with insecure SonarQube instances from US government agencies and private US companies in the technology, finance, retail, food, eCommerce, and manufacturing sectors. SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.
In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks. This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.
During the initial attack phase, cyber actors scan the internet for SonarQube instances exposed to the open Internet using the default port (9000) and a publicly accessible IP address. Cyber actors then use default administrator credentials (username: admin, password: admin) to attempt to access SonarQube instances.
Recommended Mitigations
- Change the SonarQube default settings, including changing default administrator username, password, and port (9000).
- Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
- Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
- Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
