According to the Federal Bureau of Investigation (FBI), attackers are abusing poorly secured SonarQube instances to steal source code from US government agencies and private businesses.
The FBI recently sent a warning to IT managers and software professionals alike. Since at least April 2020, attackers have been using misconfigured SonarQube instances to exfiltrate data, including source code. The alert was made public this week.
Unfortunately, anyone who poorly secured their servers could fall victim. SonarQube is popular software that companies use to inspect the quality and security of their source code. Attackers scan for instances left on the default port (9000) and log in with the default credentials, a username and password that are both "admin."
Because SonarQube holds and analyzes a project's code, anyone who logs in gains immediate access to source code, including code that has not even been released yet. In July 2020, an attacker used this method to steal source code from an unnamed company and then published it for public viewing on a "self-hosted public repository." A second wave of leaks in August 2020 exposed internal data, including government data.
The FBI recommended that SonarQube users change the application's default configuration, starting with the admin credentials and the default port (9000), require a login to reach the instance, and put it behind a firewall so it is not reachable from the internet.
Ironically, SonarQube is itself used to identify security flaws in code. It is a web application, which makes an exposed instance an easy target.
The software is widely used as well. It is installed on servers and connected to popular code hosting services such as Bitbucket and GitHub. Unfortunately, the FBI said that many organizations have left it running with the default configuration, exposed on port 9000.
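The following audit script is an added example (not the FBI's or SonarSource's code) that checks a host for exactly the exposure described above: a SonarQube service answering on the default port, project data served to anonymous callers, and the factory admin/admin credentials still accepted. It uses three real SonarQube web-service endpoints (api/system/status, api/components/search and api/authentication/validate); the stand-in server in start_mock() is constructed here so the script runs offline, and the version string and project key it returns are made up. Point audit_host() at your own inventory instead.

```python
"""Audit SonarQube instances for exposed default configuration.

Added example, not the FBI's or SonarSource's code. For each host it checks
whether a SonarQube service answers, whether project data is served to
anonymous callers (force-authentication off) and whether admin/admin still
works. start_mock() is a constructed stand-in for a SonarQube server so
the script runs offline.
"""
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

DEFAULT_PORT = 9000
DEFAULT_CREDS = ("admin", "admin")


def _get(url, auth=None, timeout=3):
    """GET a JSON endpoint; return (HTTP status, parsed body) or (None, None)."""
    req = Request(url)
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except HTTPError as e:  # 4xx/5xx: status is still useful
        return e.code, None
    except (OSError, ValueError):  # refused, timeout, non-JSON body
        return None, None


def audit_host(host, port=DEFAULT_PORT):
    """Return findings for one host; everything False if nothing answers."""
    base = f"http://{host}:{port}"
    findings = {"reachable": False, "anonymous_read": False, "default_creds": False}
    # api/system/status is unauthenticated on every SonarQube; the version
    # field in its JSON body identifies the service.
    status, body = _get(f"{base}/api/system/status")
    if status != 200 or not isinstance(body, dict) or "version" not in body:
        return findings
    findings["reachable"] = True
    # With force-authentication off, project listings are served to anyone.
    status, _ = _get(f"{base}/api/components/search?qualifiers=TRK")
    findings["anonymous_read"] = status == 200
    # api/authentication/validate reports whether the Basic credentials sent
    # are accepted; admin/admin is the factory default the alert describes.
    status, body = _get(f"{base}/api/authentication/validate", auth=DEFAULT_CREDS)
    findings["default_creds"] = bool(status == 200 and isinstance(body, dict) and body.get("valid"))
    return findings


def start_mock(open_access, admin_password):
    """Constructed stand-in SonarQube server on a random localhost port."""
    class Handler(BaseHTTPRequestHandler):
        def log_message(self, *args):  # keep the example quiet
            pass

        def _send(self, code, body):
            data = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def do_GET(self):
            path = self.path.split("?", 1)[0]
            if path == "/api/system/status":
                self._send(200, {"id": "demo", "version": "8.4.2", "status": "UP"})
            elif path == "/api/components/search":
                if open_access:
                    self._send(200, {"components": [{"key": "internal-app"}]})
                else:
                    self._send(401, {"errors": [{"msg": "Unauthorized"}]})
            elif path == "/api/authentication/validate":
                hdr = self.headers.get("Authorization", "")
                sent = base64.b64decode(hdr[6:]).decode() if hdr.startswith("Basic ") else ""
                # Real SonarQube answers 200 with valid=false on bad credentials.
                self._send(200, {"valid": sent == f"admin:{admin_password}"})
            else:
                self._send(404, {"errors": [{"msg": "Unknown url"}]})

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    for label, (server, port) in (("default install", start_mock(True, "admin")),
                                  ("hardened install", start_mock(False, "Xk9-long-random"))):
        print(label, audit_host("127.0.0.1", port))
        server.shutdown()
```

The three checks are deliberately read-only: none of them creates data or changes settings, so the script is safe to run across an inventory. A host that is reachable but shows neither anonymous_read nor default_creds is still worth reviewing for the firewall and port recommendations above.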
FBI Gets With the Program
For the last two years, the FBI has been paying closer attention to hacks and scams. Online scams are on the rise, and with the growth of cryptocurrency, scammers are finding ways to profit from it. Many crypto scams solicit investments that turn out to be donations to criminals.
In fact, the FBI warned that the COVID-19 pandemic has resulted in an increase in online scams, especially cryptocurrency scams.
Government hacks and ransomware attacks demanding cryptocurrency have been visible in the media lately. In March 2020, hackers attacked the U.S. Department of Health and Human Services at the peak of coronavirus fears.
On June 17, 2020, Special Agent Tyson Fowler said in a press release:
“In the cyber world, it’s very hard to secure a network to the point that it’s never breachable, but you can make it as difficult as possible to break in.”
Some hackers install ransomware, which is software that makes a company’s computers unusable until a ransom is paid, usually in cryptocurrency.
Others, like the known SonarQube breaches, went after source code, which could lead to technology leaks or enable ransomware attacks down the road.
The FBI suggests companies keep their data encrypted and behind firewalls and passwords to prevent both. The SonarQube problem, which comes down to default settings and a well-known default password, is unfortunately rudimentary.
Protecting data or funds with a blockchain is a possible way to keep assets safe. Despite the much-touted anonymity of the technology, the public ledger can actually help law enforcement trace criminals.
Warnings Unheeded
The security industry often warns about the danger of leaving certain databases exposed online, ZDNet notes. While MongoDB and Elasticsearch get scrutiny, SonarQube, they say, has slipped through the cracks.
Still, some experts have been decrying exposed SonarQube instances since May 2018. Strikingly, Bob Diachenko, a data breach hunter, found about 3,000 instances of the software online at the time, and roughly 30 to 40 percent of them had no authentication enabled at all.
In 2018 Bob #Diachenko warned that about 30% to 40% of all the ~3,000 #SonarQube instances available online at the time had no password or authentication mechanism enabled. https://t.co/ARENXpHE9X
— Herm Cardona (@HermCardona) November 7, 2020
More recently, Till Kottmann, a Swiss security engineer, has been pulling data from dozens of tech companies' exposed instances in order to demonstrate the problem. Kottmann says these breaches could have been avoided:
“Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube.”
To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with changing the app's default configuration. Users should then strengthen credentials and use firewalls to block unauthorized access to the app.
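As an added example of the first of those steps (not SonarSource's tooling), the script below reviews a sonar.properties file for the settings that produce the exposure: the bind address, the port and force-authentication. It assumes the defaults SonarQube shipped with at the time (listen on 0.0.0.0:9000, force authentication off), so a key that is absent or commented out counts as the weak default. The two sample files and the port 9342 in the hardened one are constructed for the example; the admin password is not a property at all and is changed in the UI or through the api/users/change_password web service, so it is outside what a file review can check.

```python
"""Review a sonar.properties file for the defaults the FBI alert warns about.

Added example, not SonarSource's tooling. Assumed defaults: the web server
listens on 0.0.0.0:9000 and sonar.forceAuthentication is false, so an absent
key means the weak default is in force. Force-authentication can also be set
in the admin UI, which this file review cannot see.
"""
import re

# (key, weak value that is also the assumed default, remediation)
CHECKS = [
    ("sonar.web.host", "0.0.0.0", "bind to 127.0.0.1 behind a reverse proxy or firewall"),
    ("sonar.web.port", "9000", "move off the default port that scanners look for"),
    ("sonar.forceAuthentication", "false", "set to true so anonymous users see nothing"),
]

_LINE = re.compile(r"^\s*([^=:#!\s]+)\s*[=:]?\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties reader: key=value, key:value or key value."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "!")):
            continue  # blank or comment; a commented-out key stays at default
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def review_properties(text):
    """Return [(key, effective value, advice)] for every weak setting."""
    props = parse_properties(text)
    return [(key, props.get(key, weak), advice)
            for key, weak, advice in CHECKS
            if props.get(key, weak).lower() == weak]


# Constructed samples: the shipped file leaves the web settings commented
# out, so every default applies; the hardened file overrides all three.
DEFAULT_CONF = """
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
sonar.path.data=/var/sonarqube/data
"""
HARDENED_CONF = """
sonar.web.host=127.0.0.1
sonar.web.port=9342
sonar.forceAuthentication=true
sonar.path.data=/var/sonarqube/data
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        for key, value, advice in review_properties(conf):
            print(f"[{name}] {key}={value}: {advice}")
```

Binding to 127.0.0.1 only helps if a reverse proxy or VPN then fronts the instance; moving the port and forcing authentication stop opportunistic scanning and anonymous reads, but the default admin password must still be changed in the application itself.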