Threat Actors Stole Source Code from SonarQube Instances of US Government Agencies, Says FBI


The FBI has warned of successful intrusions into some US government agencies and private businesses by unnamed threat actors who exploited SonarQube configuration weaknesses in their attacks.

SonarQube is an open-source platform used by many private organizations and government agencies to track metrics history, inspect code quality and automatically review projects written in 20+ languages, among other features.

The FBI observed source code leaks from various SonarQube instances belonging to US government agencies and private US companies in the technology, finance, retail, food, eCommerce and manufacturing sectors.

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool,” says the FBI. “The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks. This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository.”

The attackers simply scanned the Internet for SonarQube instances that had a publicly reachable IP address and the default port 9000 open. In all cases, the attackers tried the default login credentials (username: admin, password: admin). In other words, the attacks succeeded in all of these situations only because the SonarQube instances were misconfigured.

The FBI also published a list of possible mitigations to help protect entities using SonarQube:

  • Change the SonarQube default settings, including default administrator username, password, and port (9000).
  • Place SonarQube instances behind a login screen, and check if unauthorized users have accessed the instance.
  • Revoke access to any application programming interface keys or other credentials that were exposed in a SonarQube instance, if feasible.
  • Configure SonarQube instances to sit behind your organization’s firewall and other perimeter defenses to prevent unauthenticated access.
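
As an added example (not code from the FBI alert or the SonarQube project), the following sketch shows one way to act on the advice to check whether unauthorized users have accessed an instance, by reviewing web access log lines for logins and API reads from outside expected networks. The log layout, the trusted network ranges, the status-code interpretation and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: combined-style access log lines (client IP, identity, user,
# [timestamp], "request line", status, size). Adjust to your log pattern.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Assumption: networks from which access to the instance is expected.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LOGIN_PATH = "/api/authentication/login"  # SonarQube Web API login endpoint

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Jan/2024:09:14:02 +0000] "GET /api/projects/search HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:09:15:40 +0000] "POST /api/authentication/login HTTP/1.1" 401 0',
    '203.0.113.7 - - [01/Jan/2024:09:15:41 +0000] "POST /api/authentication/login HTTP/1.1" 200 0',
    '203.0.113.7 - admin [01/Jan/2024:09:15:55 +0000] "GET /api/sources/raw?key=app HTTP/1.1" 200 48211',
    '198.51.100.9 - - [01/Jan/2024:09:20:00 +0000] "GET /api/sources/raw?key=app HTTP/1.1" 401 0',
]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def review(lines):
    """Return (timestamp, ip, finding, path) for requests from untrusted networks."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        try:
            if is_trusted(m["ip"]):
                continue
        except ValueError:
            continue  # client field is not an IP address
        status, path = int(m["status"]), m["path"].split("?", 1)[0]
        if path == LOGIN_PATH:
            # Assumption: a 2xx answer on the login endpoint means success.
            kind = "external login succeeded" if 200 <= status < 300 else "external login attempt"
        elif path.startswith("/api/") and status < 400:
            kind = "external API access"
        else:
            continue
        findings.append((m["ts"], m["ip"], kind, path))
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A successful external login followed by source-related API reads from the same address is the pattern that warrants revoking any keys or credentials stored in the instance.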