The Federal Bureau of Investigation (FBI) issued a flash alert warning that hackers are stealing data from government agencies and enterprise organizations via internet-exposed, insecure SonarQube instances. According to the published data, this has been happening since April 2020.
The FBI did a good job in at least detecting the activity and issuing a warning. Consider the open-source nature of SonarQube and the paid enterprise and government customers that grow from that base. Source code is intellectual property (IP) for most companies that develop it, whether they are a software house, an enterprise, or a government body with its own development department.
SonarQube is an open-source platform for automated code quality auditing and static analysis that discovers bugs and security vulnerabilities in projects written in 27 programming languages, at the time of writing this post.
As per the FBI statement, “Vulnerable SonarQube servers have been actively exploited by attackers since April 2020 to gain access to data source code repositories owned by both government and corporate entities, later exfiltrating it and leaking it publicly”. “It is classic misconfiguration, making use of weak authentication and passwords; some of it is weak network security and infrastructure security, or lacking the monitoring of abnormal and unusual access that, if properly implemented, could have avoided it. If most enterprises and governments put their employees, users and administrators through information security training and hands-on labs, got the proper training and knew how each piece of the cyber security systems and tools works together, that could prevent, or at least help them detect, the attempt far before the first attempt happens”, said Vincent Lim, subject matter expert (SME) and senior consultant for E-SPIN, who has been in this line of business for over 20 years.
“This kind of incident, we can recall, is just like QNAP being globally attacked previously, which ended up with everything being ransomware infected, and the incident ended with the developers making a new update for the software and issuing a list of mitigation measures and steps for users to mitigate it. This kind of incident can happen to every piece of software, as long as users do not get the proper training and really invest the time to learn how to configure it right and make use of the other enterprise security tools and systems to proactively detect, protect or prevent it. It is not said that it only happens to public hosts; it will be the same for private hosts if they do not deploy it securely. What the FBI reports is just the tip of the iceberg; only those incidents too obvious to miss catch the public’s awareness.” Vincent Lim of E-SPIN Group further explained.
Sampling the leaked code of big corporations, we saw big names including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, HiSilicon (owned by Huawei), MediaTek, GE Appliances, Nintendo, Roblox, Disney, and more in a public GitLab repository. “Do not be confused: those are big names, which is why they catch the media attention. If companies with the resources are also impacted, what can you expect from enterprises with fewer resources? In the modern world, everyone is moving to the cloud; this at least sets the lesson that it is even more important to first determine how to secure what you want to do in the cloud. Of course, it does not mean on-premise solutions will work without those issues; misconfiguration, weak security setup, internal intruders or leaks by your own employees may also happen. What matters most is how you have a holistic framework and get every process, policy, procedure and person put together and working.” said Vincent Lim, from E-SPIN Group.
For those affected by the incident, it is worth applying the FBI’s mitigation measures immediately, to prevent further source code leaks (if any have not yet occurred), even if further leakage seems unlikely.
- Change the SonarQube default settings, including the default administrator username, password, and port (9000).
- Place SonarQube instances behind a login screen, and check whether unauthorized users have accessed the instance. (This needs some form of web page and status monitoring; if you don’t know how to do it, or want to be proactive by linking it to an email notification so the owner can act on abnormal login attempts, talk to E-SPIN for assistance.)
- Revoke access to any application programming interface (API) keys or other credentials that were exposed in a SonarQube instance, if feasible. (Following a leak incident, it is advised to implement all of the FBI’s mitigation advice and reset the API keys to fresh ones where possible.)
- Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access. (It is not just the firewall; in some cases this may involve a web application firewall, as well as linking the login page to monitoring for unusual access attempts.)
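As an added example (not from the FBI alert or from E-SPIN), here is a small Python check that reads a sonar.properties file and flags the settings the list above tells you to change. It assumes the standard property names sonar.web.port, sonar.web.host and sonar.forceAuthentication; whether the last one appears in the file or is only set in the Administration UI depends on your deployment, so its absence is reported rather than treated as safe.

```python
import re

DEFAULT_PORT = "9000"       # SonarQube's shipped default, named in the FBI list
DEFAULT_HOST = "0.0.0.0"    # shipped default: listen on every interface


def parse_properties(text):
    """Parse Java-style key=value (or key: value) lines; '#' and '!' start comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings = []
    if props.get("sonar.web.port", DEFAULT_PORT) == DEFAULT_PORT:
        findings.append("sonar.web.port: still the default 9000")
    if props.get("sonar.web.host", DEFAULT_HOST) in (DEFAULT_HOST, "::"):
        findings.append("sonar.web.host: bound to all interfaces; keep it behind a firewall or reverse proxy")
    force_auth = props.get("sonar.forceAuthentication")  # assumed property name, may live only in the UI
    if force_auth is None:
        findings.append("sonar.forceAuthentication: not set in this file; confirm 'Force user authentication' is enabled in the Administration UI")
    elif force_auth.lower() != "true":
        findings.append("sonar.forceAuthentication: false lets anonymous users browse projects and source")
    return findings


def audit_text(text):
    return audit(parse_properties(text))


# Constructed sample of an unhardened file: the commented lines are the shipped defaults
WEAK_CONFIG = """\
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
sonar.web.context=/
"""

# Constructed sample of the same file after applying the FBI's advice
HARDENED_CONFIG = """\
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.forceAuthentication=true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or ["no findings"])
```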