Hackers stole source code from US government agencies and private companies

The Federal Bureau of Investigation (FBI) sent a warning last October to the security services of companies and government organizations.

The document leaked last week claims unknown hackers took advantage of a vulnerability on the SonarQube code verification platform to get access to source code repositories. This leads to source code leaks from government agencies and private companies.

The FBI alert warned SonarQube owners, a web application that companies integrate into their software build chains to test source code and discover security holes before releasing code and applications in production environments.

Hackers take advantage of known configuration vulnerabilities, allowing them to access proprietary code, exfiltrate it, and publish data. The FBI has identified multiple potential computer intrusions that correlate with leaks associated with SonarQube configuration vulnerabilities.

The applications of SonarQube are installed on web servers and connect to code hosting systems source such as BitBucket, GitHub or GitLab accounts, or Azure DevOps systems.

According to the FBI, some companies have left these systems unprotected, running with its default settings (on port 9000) and default administration credentials (admin / admin). Hackers have abused misconfigured SonarQube applications since at least April 2020.

“Since April 2020, unidentified doks have been actively targeting vulnerable SonarQube instances to gain access to source code repositories from US government agencies and private companies.

Hackers exploit known configuration vulnerabilities, allowing them to access proprietary code, exfiltrate it, and display data publicly. The FBI has identified multiple potential computer intrusions that correlate with leaks associated with vulnerabilities in the SonarQube configuration, ”the FBI document reads.

The officials of FBI Say Threat Hackers Abused These Incorrect Settings to access SonarQube instances, switch to connected source code repositories, and then access and steal proprietary or private / sensitive applications. FBI officials backed up their alert by providing two examples of past incidents that took place in previous months:

“In August 2020, they revealed internal data for two organizations through a public lifecycle repository tool. The stolen data came from SonarQube instances using default port settings and administrative credentials running on the affected organizations' networks.

“This activity is similar to a previous data breach in July 2020, in which an identified cyber actor exfiltrated the company's source code through poorly secured SonarQube instances and published the exfiltrated source code to a self-hosted public repository. . «, 

FBI alert touches on little-known topic by software developers and security researchers.

While the cybersecurity industry has often warned of dangerss from leaving MongoDB or Elasticsearch databases exposed online without a password, SonarQube has escaped surveillance.

In fact, Researchers have often found instances of MongoDB or Elasticsearch en línea that expose data over tens of millions of unprotected clients.

For example, in January 2019, Justin Paine, a security researcher, discovered a misconfigured online Elasticsearch database, exposing a significant number of customer records at the mercy of attackers who discovered the vulnerability.

Information on more than 108 million bets, including details of users' personal information, belonged to customers of a group of online casinos.

However, aSome security researchers have warned since May 2018 of the same dangers when companies leave SonarQube applications exposed online with default credentials.

At the time, the cybersecurity consultant who focuses on finding data breaches, Bob Diachenko, warned that around 30-40% of the roughly 3,000 SonarQube instances available online at the time had no password or authentication mechanism activated.

Source: https://blog.sonarsource.com

The content of the article adheres to our principles of editorial ethics. To report an error click here!.

Be the first to comment

Leave a Comment

Your email address will not be published.



  1. Responsible for the data: Miguel Ángel Gatón
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.