E-SPIN
Thursday, 05 November 2020 / Published in Global Themes and Feature Topics

FBI warn hackers stole source code via vulnerable SonarQube instances

The Federal Bureau of Investigation (FBI) issued a flash alert warning that hackers are stealing data from government agencies and enterprise organizations via internet-exposed, insecure SonarQube instances. From the published data, this appears to have been going on since April 2020.

The FBI did a good job at least in detecting the activity and being able to issue a warning. Consider the open-source nature of SonarQube: it is from that open-source base that it draws its paid enterprise and government customers. Source code is intellectual property (IP) for most companies that develop it, whether they are a developer house, an enterprise or a government's own development department.

SonarQube is an open-source platform for automated code quality auditing and static analysis that discovers bugs and security vulnerabilities in projects written in 27 programming languages, at the time of writing.

As per the FBI statement, “Vulnerable SonarQube servers have been actively exploited by attackers since April 2020 to gain access to data source code repositories owned by both government and corporate entities, later exfiltrating it and leaking it publicly”. “It is classic misconfiguration: weak authentication and passwords, in some cases weak network and infrastructure security, or a lack of abnormal and unusual access monitoring that, if properly implemented, could have avoided it. If most enterprises and governments put their employees, users and administrators through information security training and hands-on labs, and they know how each piece of the cyber security systems and tools work together, that can prevent, or at least help them detect, the attempt far before the first attempt happens”, said Vincent Lim, subject matter expert (SME) and senior consultant for E-SPIN, who has been in this line of business for over 20 years.

“This kind of incident, we can recall, is just like QNAP being globally attacked previously, which ended up with all of them being ransomware infected, and the incident ended with the developers making a new update for the software and issuing a list of mitigation measures and steps for users to mitigate it. This kind of incident can happen to every piece of software, as long as users do not get the proper training and really invest the time to learn how to configure it right and make use of the other enterprise security tools and systems to proactively detect, protect or prevent it. It is not said that it only happens to public hosts; it will be the same for private hosts if they are not securely deployed. What the FBI reports is just the tip of the iceberg of those incidents, the ones too obvious to escape public awareness.” Vincent Lim, E-SPIN Group, further explained.

Sampling the leaked code from big corporations, we saw big names including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, HiSilicon (owned by Huawei), MediaTek, GE Appliances, Nintendo, Roblox, Disney, and more in a public GitLab repository. “Do not be confused: those are big names, which is why they catch the media's attention. If companies with the resources are also impacted, what can you expect from enterprises with fewer resources? In the modern world everyone is moving to the cloud; it at least sets the lesson that it is even more important to first determine how to secure what you want to do in the cloud. Of course, it does not mean on-premise solutions will work without those issues; misconfiguration, weak security setup and internal intruder or own-employee leaks may also happen. What matters most is how you have a holistic framework and get every process, policy, procedure and person put together and working.” said Vincent Lim, from E-SPIN Group.

For those affected by the incident, and for anyone else who uses the software, it is worth taking the FBI's mitigation measures immediately to prevent further source code leaks (or a first one, if none has happened yet), however unlikely that may seem.

  • Change the SonarQube default settings, including the default administrator username, password, and port (9000).
  • Place SonarQube instances behind a login screen, and check whether unauthorized users have accessed the instance. (This needs some form of web page and status monitoring; to be proactive, link it to an email notification to the owner so they can act on abnormal user login attempts. Talk to E-SPIN for assistance if you do not know how to set this up.)
  • Revoke access to any application programming interface (API) keys or other credentials that were exposed in a SonarQube instance, if feasible. (Following a leak, it is advisable to implement all of the FBI's mitigation advice and reset the API keys to fresh ones where possible.)
  • Configure SonarQube instances to sit behind your organization's firewall and other perimeter defenses to prevent unauthenticated access. (It is not just a firewall; in some cases this may involve a web application firewall, and linking the login page to monitoring of unusual access attempts.)
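As an added example (not from the post, the FBI alert or SonarSource), here is a small Python script that checks two of the items above against local artefacts: it audits a sonar.properties fragment for the default port and an all-interfaces bind, and scans access.log lines for successful anonymous requests to code-serving endpoints. The keys sonar.web.port, sonar.web.host and sonar.web.accessLogs.pattern are real SonarQube settings; the sample data, the endpoint list and the assumption that the access-log pattern records the user login in the third field are constructed for this example.

```python
import re

# Constructed sonar.properties fragment showing the defaults the alert warns about.
SAMPLE_PROPERTIES = """\
sonar.web.host=0.0.0.0
sonar.web.port=9000
"""

# Constructed access.log lines. Assumed pattern (set via sonar.web.accessLogs.pattern):
#   %h %l %reqAttribute{LOGIN} [%t] "%r" %s %b "%i{Referer}" "%i{User-Agent}" "%reqAttribute{ID}"
# so the third field is the login, or "-" for anonymous. SonarQube's default pattern puts
# %u there, which is always "-", so add %reqAttribute{LOGIN} before relying on this check.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [05/Nov/2020:10:01:02 +0000] "GET /api/components/search?qualifiers=TRK HTTP/1.1" 200 8123 "-" "python-requests/2.24" "AXWab1"
203.0.113.7 - - [05/Nov/2020:10:01:05 +0000] "GET /api/sources/raw?key=billing-core:src/db.py HTTP/1.1" 200 4410 "-" "python-requests/2.24" "AXWab2"
10.0.0.5 - alice [05/Nov/2020:10:02:11 +0000] "GET /api/sources/raw?key=billing-core:src/db.py HTTP/1.1" 200 4410 "-" "Mozilla/5.0" "AXWab3"
10.0.0.5 - - [05/Nov/2020:10:02:12 +0000] "GET /api/system/status HTTP/1.1" 200 120 "-" "curl/7.68" "AXWab4"
"""

# Endpoints that hand out source text or the project list (assumed short list; extend as needed).
SENSITIVE_PATHS = ("/api/sources/", "/api/components/")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, comments skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_properties(props):
    """Findings for the 'change the default port' and 'sit behind the firewall' items."""
    findings = []
    if props.get("sonar.web.port", "9000") == "9000":  # an unset key means the default
        findings.append("sonar.web.port: still the default 9000")
    if props.get("sonar.web.host", "0.0.0.0") in ("0.0.0.0", "::"):
        findings.append("sonar.web.host: bound to all interfaces; bind to 127.0.0.1 behind a proxy/firewall")
    return findings


def anonymous_source_access(log_text):
    """(ip, path) for every successful anonymous request to a code-serving endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["user"] == "-" and m["status"] == "200" and m["path"].startswith(SENSITIVE_PATHS):
            hits.append((m["ip"], m["path"]))
    return hits
```

Run `audit_properties(parse_properties(SAMPLE_PROPERTIES))` and `anonymous_source_access(SAMPLE_ACCESS_LOG)` against your own files; an authenticated login such as alice's is not reported, while the two anonymous downloads from 203.0.113.7 are.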
Source of the incident and further reading: https://www-bleepingcomputer-com.cdn.ampproject.org/c/s/www.bleepingcomputer.com/news/security/fbi-hackers-stole-government-source-code-via-sonarqube-instances/amp/
E-SPIN has been active in consulting, supply, project management, training and maintenance for enterprise and government customers, across the region in which it operates, since 2005. This post touches on static application security testing (SAST), secure code review and DevSecOps; vulnerability assessment, penetration testing, red team operations and application security monitoring are some of the related point solutions E-SPIN delivers in the market. Feel free to engage E-SPIN for your operation and project requirements.