FBI: Hackers Stole Government Source Code Via SonarQube Instances

The Federal Bureau of Investigation (FBI) issued a flash alert warning of hackers stealing data from U.S. government agencies and enterprise organizations via internet-exposed and insecure SonarQube instances.

SonarQube is an open-source platform for automated code quality auditing and static analysis to discover bugs and security vulnerabilities in projects using 27 programming languages.

Vulnerable SonarQube servers have been actively exploited by attackers since April 2020 to gain access to source code repositories owned by both government and corporate entities; the attackers later exfiltrated the code and leaked it publicly.

Dozens of companies already had their source code leaked

The FBI says that it has identified several such incidents in which the attackers abused SonarQube configuration weaknesses since the attacks started.

“Beginning in April 2020, the FBI observed source code leaks associated with insecure SonarQube instances from US government agencies and private US companies in the technology, finance, retail, food, eCommerce, and manufacturing sectors,” the FBI says in the TLP:WHITE flash alert.

Even though the FBI doesn’t point to public reporting of such attacks, BleepingComputer reported in July that dozens of companies had their source code stolen and leaked online.

Developer and reverse engineer Tillie Kottmann collected and published the leaked code of over 50 companies including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, Hisilicon (owned by Huawei), Mediatek, GE Appliances, Nintendo, Roblox, Disney, and more in a public GitLab repository.

Kottmann said at the time that thousands of companies were exposing proprietary source code by failing to properly secure their SonarQube installations.

Kottmann also leaked roughly 20 GB of Intel confidential documents during August, after receiving them from an anonymous source who allegedly breached the company’s servers earlier.

The company later told BleepingComputer that the “information appears to come from the Intel Resource and Design Center, which hosts information for use by our customers, partners and other external parties who have registered for access.”

Previous attacks and mitigation measures

The threat actors start their attacks by first scanning for Internet-exposed SonarQube instances using the default port number (i.e., 9000), the FBI explains.

After discovering an exposed server, they attempt to gain access to vulnerable instances using default admin/admin credentials.

While not naming any names, the FBI highlights two such events in the flash alert, one conducted by an identified actor and one where the attackers are still unknown:

• In July 2020, an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.

• In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.

The FBI provides the following mitigation measures to block attacks:

• Change the SonarQube default settings, including changing default administrator username, password, and port (9000).
• Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
• Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
• Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
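As an added example (not part of the FBI alert or of this article), the following Python script audits a SonarQube `sonar.properties` file against the first, second and fourth mitigations above: it flags the default web port 9000, a bind address that exposes the web UI on every interface, and anonymous browsing left enabled. It assumes the real SonarQube settings `sonar.web.host`, `sonar.web.port` and `sonar.forceAuthentication`, and uses two constructed sample files; the default `admin` password lives in the database, not in this file, so that check remains manual.

```python
"""Audit a sonar.properties file for the weak defaults described in the FBI alert."""

# Constructed sample: an out-of-the-box style configuration of the kind the alert warns about.
WEAK_PROPERTIES = """
# sonar.properties (constructed example)
sonar.web.host=0.0.0.0
sonar.web.port=9000
#sonar.forceAuthentication=true
"""

# Constructed sample: the same file after applying the mitigations.
HARDENED_PROPERTIES = """
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.forceAuthentication=true
"""


def parse_properties(text: str) -> dict:
    """Parse Java-style key=value lines; lines starting with '#' or '!' are comments.
    (The ':' separator that Java also allows is not handled here.)"""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text: str) -> list:
    """Return a list of findings; an empty list means the file passes all three checks."""
    p = parse_properties(text)
    findings = []
    # Mitigation 1: attackers scan for the default port, so an absent key means 9000.
    if p.get("sonar.web.port", "9000") == "9000":
        findings.append("web UI listens on the default port 9000")
    # Mitigation 4: SonarQube binds to all interfaces unless told otherwise.
    if p.get("sonar.web.host", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("web UI binds to all interfaces; bind to an internal address behind the firewall")
    # Mitigation 2: an absent key is treated as 'false' (the conservative reading; check your version's default).
    if p.get("sonar.forceAuthentication", "false").lower() != "true":
        findings.append("sonar.forceAuthentication is not 'true'; anonymous users can browse projects and code")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROPERTIES), ("hardened", HARDENED_PROPERTIES)):
        print(name, audit(text) or ["OK"])
```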
