FBI blames intrusions on improperly configured SonarQube source code management tools.
The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses. Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website. The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments. SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems. But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with default admin credentials (admin/admin). FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.
