SonarQube misconfigurations allowed hackers to access the source code of 3,000 government organizations, companies and banks

A report by the Federal Bureau of Investigation (FBI) states that a group of threat actors has found a way to abuse misconfigured SonarQube deployments to steal source code repositories belonging to private companies and government organizations in the U.S. According to the report, this intrusion campaign has been active since April 2020.

The alert is aimed specifically at users of SonarQube, a web application that thousands of organizations integrate into their software build pipelines to test source code and detect security flaws.

SonarQube deployments are installed on web servers and connect to source code hosting systems such as Bitbucket, GitHub or GitLab accounts, or Azure DevOps. According to the FBI, some companies operate these systems without the necessary security measures, leaving them on their default settings (listening on port 9000) and without changing the default administrator credentials.

Malicious hackers have begun abusing these misconfigurations to access SonarQube instances and carry out further attacks, such as pivoting to the connected source code repositories in order to access and steal proprietary applications and other sensitive content.

Security researchers have been warning for years about the dangers of leaving SonarQube applications exposed online. In 2018, researcher Bob Diachenko warned that nearly half of the 3,000 SonarQube instances reachable online at the time lacked adequate security mechanisms.

More recently Till Kottmann, another security researcher, raised a similar concern after collecting source code from dozens of tech companies through a public portal: “Most SonarQube users do not change absolutely any default settings, something that is even requested during the deployment process.”

Commenting on Diachenko’s finding, Kottmann says: “I am not aware of the number of SonarQube instances currently exposed, although I don’t think things have changed much; there must be at least 1000 servers vulnerable to this kind of malicious activity.”

The authorities recommend several measures to mitigate the risk of attacks against these deployments: changing SonarQube’s default settings (including the default port and administrator credentials) and placing the instance behind a firewall or other network access controls are the most strongly recommended practices.
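As an added illustration of the defaults the FBI alert warns about (this is not FBI or SonarQube code), the script below audits a SonarQube `sonar.properties` file for the exposure defaults named above: web port left at 9000, the web UI bound to every interface, and forced authentication explicitly switched off. It assumes the standard Java `.properties` layout of that file, in which commented-out lines mean the shipped default applies; the default administrator password is not stored in this file, so it must be checked separately in the web UI.

```python
"""Audit a SonarQube sonar.properties file for the exposure defaults described
in the FBI alert. Added example, not SonarQube's own tooling."""

# Shipped defaults that apply whenever the key is absent or commented out.
DEFAULTS = {"sonar.web.port": "9000", "sonar.web.host": "0.0.0.0"}


def parse_properties(text):
    """Return key -> value for the active (uncommented) lines of a .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # blank or commented out: the shipped default applies
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit(text):
    """Return a list of findings; an empty list means no flagged default."""
    props = parse_properties(text)
    findings = []
    if props.get("sonar.web.port", DEFAULTS["sonar.web.port"]) == "9000":
        findings.append("web port is the default 9000")
    host = props.get("sonar.web.host", DEFAULTS["sonar.web.host"])
    if host in ("0.0.0.0", "::"):
        findings.append(f"web UI bound to all interfaces ({host}); restrict with a firewall or reverse proxy")
    # sonar.forceAuthentication=false lets anonymous visitors browse projects and code.
    if props.get("sonar.forceAuthentication", "").lower() == "false":
        findings.append("sonar.forceAuthentication=false: anonymous access to projects allowed")
    return findings


# Constructed samples: the commented-out lines are how the shipped file looks.
WEAK_CONFIG = """\
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
sonar.forceAuthentication=false
"""

HARDENED_CONFIG = """\
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.forceAuthentication=true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or ["no findings"])
```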