Hackers have tapped source code from SonarQube instances several times

Source: Heise.de added 10th Nov 2020


The Cyber Division of the Federal Bureau of Investigation (FBI) has, since April 2020, observed a series of attacks on US government agencies and on private American companies, among them firms in the technology and financial sectors. The targets were insecurely configured instances of the open-source platform SonarQube, which performs automated static code analysis.

The attackers exploit a known vulnerability of the SonarQube platform: it can be operated in its default configuration, in which it listens on port 9000 and grants administrative access with the username admin and the password admin. This in software whose website carries the slogan "Your teammate for Code Quality and Security" and whose purpose is to find bugs and vulnerabilities.

Static analysis including vulnerability search

SonarQube performs static code analysis for a total of 27 programming languages. The platform examines source code for possible errors such as null pointer assignments and for security risks such as keys that are too short or the unchecked use of user input.

SonarQube helps, among other things, to find inadequate safety precautions.

(Image: SonarQube)

Source code that is uploaded to an insecure SonarQube instance for analysis can be downloaded by anyone who logs in with the default combination of username and password.

From April to today

According to its own account, the FBI has detected leaks of source code from insecurely configured SonarQube instances since April 2020. In August, unknown actors reportedly published internal data from two organizations via a public lifecycle repository tool. Before that, in July, data tapped from companies in the same way had already appeared in a privately hosted but publicly accessible repository.

The report recommends a handful of measures, the first of which should be self-evident: administrators must change the default settings. The agency further recommends placing SonarQube instances behind a login and checking whether unauthorized users have had access to the platform. Those responsible should also rotate all credentials that were stored in the affected instances. Finally, the FBI recommends placing SonarQube installations behind a firewall.
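One way to check the first two recommendations against an installation's own sonar.properties file, as an added example that is not part of the Heise article or of SonarQube's own tooling. The property names are real SonarQube settings; the sample file is constructed, the stock default of sonar.forceAuthentication=false is assumed for the versions current at the time of the report, and binding to 127.0.0.1 assumes the instance is fronted by a firewall or authenticating reverse proxy.

```python
import re

# Real SonarQube settings and their stock defaults (assumed for the
# versions current when the FBI report was issued).
DEFAULTS = {
    "sonar.web.host": "0.0.0.0",           # listens on every interface
    "sonar.web.port": "9000",
    "sonar.forceAuthentication": "false",  # anonymous browsing allowed
}
# Hardened values: force a login, and bind to loopback so the instance is
# only reachable through the firewall/reverse proxy in front of it.
HARDENED = {"sonar.forceAuthentication": "true", "sonar.web.host": "127.0.0.1"}

# Constructed sample: an installation never changed from stock.
SAMPLE_PROPERTIES = """\
# sonar.web.host=0.0.0.0
# sonar.web.port=9000
sonar.forceAuthentication=false
"""

def parse_properties(text):
    """Effective settings: explicit key=value lines override the stock defaults.
    Assumes the '=' separator; commented-out lines are ignored."""
    props = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, current, recommended) for each setting still at a weak value."""
    props = parse_properties(text)
    return [(k, props.get(k), want) for k, want in HARDENED.items()
            if props.get(k, "").lower() != want]

def harden(text):
    """Rewrite the file so every weak setting carries its hardened value."""
    for key, _, want in audit(text):
        pattern = re.compile(rf"^\s*{re.escape(key)}\s*=.*$", re.M)
        if pattern.search(text):
            text = pattern.sub(f"{key}={want}", text)   # replace in place
        else:
            text = text.rstrip("\n") + f"\n{key}={want}\n"  # append
    return text

if __name__ == "__main__":
    for key, cur, want in audit(SAMPLE_PROPERTIES):
        print(f"{key}: {cur!r} -> set {want!r}")
    print(harden(SAMPLE_PROPERTIES))
```

The admin password itself lives in SonarQube's database rather than in this file, so it still has to be changed separately through the web interface.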

Since the FBI's remit is the United States, the findings in the report relate only to it. It can be assumed, however, that European developers and administrators also operate unsecured SonarQube instances.

(rme)

Read the full article at Heise.de
