Last month, the U.S. Federal Police (FBI) issued a warning to the security teams of several U.S. government organizations and private companies.
According to the warning, cybercriminals took advantage of security weaknesses in SonarQube, a platform used to check source code for errors, and thereby gained access to the organizations' source code repositories.
A hack that exposed source code from several government agencies and private companies.
The U.S. Federal Police did not hesitate to warn the operators of the web platform, which lets organizations analyse the source code of their software and detect security vulnerabilities before the application is released to production. Of course, as we know, source code has to be tested before the application is deployed.
This situation is also very favourable to cybercriminals. By exploiting security weaknesses, they can obtain application code and use it to infiltrate the organizations more easily. What follows is the classic pattern of data theft and further compromise. In this regard, the U.S. Federal Police has already observed several attempted and successful intrusions by cyber actors, all associated with SonarQube.
It should be noted that SonarQube applications are installed on servers or connected to well-known source code hosting systems such as GitHub, BitBucket or GitLab. The same applications are also present in systems such as Azure DevOps. According to the U.S. Federal Police, companies have not even bothered to change some default settings such as logins and passwords. Cybercriminals are said to have been taking advantage of this weakness since April 2020.
"Since April 2020, unidentified cyber actors have actively targeted vulnerable SonarQube authorities to gain access to source code repositories of U.S. government agencies and private companies. Actors exploit known configuration vulnerabilities, allowing them to access proprietary code, exfiltrate it and view data publicly. The FBI has identified multiple potential computer intrusions correlated with leaks associated with vulnerabilities in the SonarQube configuration," the FBI document read.
According to the FBI, hackers use this weakness to infiltrate applications and computer systems and to run malware against proprietary applications in both the private and public sectors. Two concrete examples provided by the U.S. Federal Police illustrate this, both incidents that took place over the past month.
"In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data came from SonarQube instances that used default port settings and administration identifiers running on the networks of the organizations concerned."
"This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated the proprietary source code of businesses through improperly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository," the FBI notes in its report.
Security researcher Till Kottmann reported in August that some instances of the web platform had been misconfigured. To prove the point, the researcher gathered source code from major technology companies on a public platform.
"Most people seem to change absolutely none of the settings, which are actually properly explained in the SonarQube configuration guide," Kottmann said in a statement. "I don't know the current number of SonarQube cases on display, but I doubt that has changed much. I think there are still more than 1000 servers (indexed by Shodan) that are 'vulnerable', either because they do not require authentication or because they leave slots by default," notes the researcher.
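The two misconfigurations the warning keeps coming back to, anonymous access and default port settings, can be caught by reviewing the server's own `sonar.properties` file. The following self-audit script is an added example for this article, not the FBI's or SonarSource's code; it uses the real SonarQube property names `sonar.web.host`, `sonar.web.port` and `sonar.forceAuthentication`, and assumes the pre-8.6 behaviour where authentication is not enforced unless `sonar.forceAuthentication=true`. The sample file is constructed. Default administrator credentials are stored in the database, not in this file, so they have to be checked separately.

```python
"""Review a SonarQube sonar.properties file for the misconfigurations described above."""
from typing import Dict, List

# Constructed sample of <sonarqube>/conf/sonar.properties. The keys are real
# SonarQube properties; the values are made up for this example.
SAMPLE_PROPERTIES = """\
# SonarQube server configuration (constructed sample)
sonar.web.host=0.0.0.0
sonar.web.port=9000
#sonar.forceAuthentication=true
sonar.jdbc.username=sonar
"""

# Assumed shipped defaults: listen on every interface, port 9000, no forced login.
DEFAULTS = {"sonar.web.host": "0.0.0.0", "sonar.web.port": "9000", "sonar.forceAuthentication": "false"}


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: key=value lines; '#' and '!' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # a commented-out setting does NOT take effect
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit(props: Dict[str, str]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    effective = {k: props.get(k, v) for k, v in DEFAULTS.items()}
    findings: List[str] = []
    if effective["sonar.forceAuthentication"].lower() != "true":
        findings.append("anonymous-access: sonar.forceAuthentication is not 'true'")
    if effective["sonar.web.port"] == DEFAULTS["sonar.web.port"]:
        findings.append("default-port: web UI listens on the default port 9000")
    if effective["sonar.web.host"] == DEFAULTS["sonar.web.host"]:
        findings.append("exposed-host: web UI is bound to all interfaces (0.0.0.0)")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_properties(SAMPLE_PROPERTIES)):
        print(finding)
```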