A few days ago, the FBI issued a security alert saying that hackers were abusing misconfigured SonarQube applications to access and steal the source code repositories of American government agencies and private enterprises.

Hackers steal the source code of American government agencies and private enterprises.

The FBI specifically warned the owners of SonarQube instances in the alert. SonarQube is a platform for managing source code quality that helps developers write clean code. Its supported languages include Python, Java, PHP, C#, C, COBOL, PL/SQL and Flex. SonarQube is installed on a web server and connected to source code hosting systems such as Bitbucket, GitHub, GitLab accounts or Azure DevOps.

The alert states that such attacks have been happening since April this year; in addition to many US government agencies, private enterprises in the technology, finance, retail, food, e-commerce and manufacturing sectors are also affected. Hackers access the private program code stored in SonarQube by exploiting known SonarQube configuration weaknesses and then make it public.

In the initial attack stage, hackers first scan for SonarQube instances exposed on the open Internet on the default port (9000) at publicly accessible IP addresses. They then try to log in to the instance with the default administrator credentials (username: admin, password: admin). The FBI has so far discovered a number of potential computer intrusions, all of which are related to leaks tied to SonarQube configuration vulnerabilities.
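The intrusion pattern above leaves a footprint in the SonarQube web access log: login requests arriving from addresses outside the organisation's own ranges, typically a failed attempt followed by a success. The following Python script is an added example (not code from the article or from SonarSource) that parses constructed access-log lines and summarises login attempts per external source address. It assumes the default-style log layout `%h %l %u [%t] "%r" %s %b`, the `/api/authentication/login` endpoint, and a placeholder list of trusted internal networks that you would replace with your own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in the layout of a SonarQube access.log
# ("%h %l %u [%t] \"%r\" %s %b", assumed here); not real captured traffic.
SAMPLE_ACCESS_LOG = """\
10.0.0.12 - - [09/Nov/2020:10:01:22 +0000] "GET /api/system/status HTTP/1.1" 200 112
203.0.113.45 - - [09/Nov/2020:10:02:03 +0000] "POST /api/authentication/login HTTP/1.1" 401 0
203.0.113.45 - - [09/Nov/2020:10:02:04 +0000] "POST /api/authentication/login HTTP/1.1" 200 0
203.0.113.45 - - [09/Nov/2020:10:02:10 +0000] "GET /api/projects/search HTTP/1.1" 200 4821
10.0.0.31 - - [09/Nov/2020:10:05:41 +0000] "POST /api/authentication/login HTTP/1.1" 200 0
not a log line
"""

# Assumed internal address ranges for this organisation; adjust to your own.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+$'
)


def parse_access_log(text):
    """Parse access-log lines; skip anything that does not match the expected layout."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            entries.append(e)
    return entries


def is_trusted(ip_text):
    """True when the address falls inside one of TRUSTED_NETWORKS."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def external_login_summary(entries):
    """Count failed and successful login requests per source address outside TRUSTED_NETWORKS.

    A 200 on the login endpoint following a 401 from the same external address is the
    pattern to escalate: it looks like a guessed (e.g. default) credential that worked.
    """
    summary = defaultdict(lambda: {"failed": 0, "success": 0})
    for e in entries:
        if not e["path"].startswith("/api/authentication/login"):
            continue
        if is_trusted(e["ip"]):
            continue
        key = "success" if e["status"] == 200 else "failed"
        summary[e["ip"]][key] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, counts in external_login_summary(parse_access_log(SAMPLE_ACCESS_LOG)).items():
        print(f"{ip}: {counts['failed']} failed, {counts['success']} successful "
              f"login(s) from outside trusted ranges")
```

If the instance is fronted by a reverse proxy, the `%h` field will show the proxy's address; in that case feed the proxy's own logs (or a forwarded-for header logged by the proxy) to the same logic, otherwise every login looks internal.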

As ZDNet noted, this FBI alert touches on a problem that is little known among software developers and security researchers. Although the security industry often warns about the danger of MongoDB or Elasticsearch databases exposed on the Internet without passwords, SonarQube has slipped through the net.

In fact, as early as May 2018, security researchers were warning about the danger of leaving SonarQube applications online with default credentials. At the time, data-breach hunter Bob Diachenko warned that roughly 30% to 40% of the approximately 3,000 SonarQube instances reachable online did not have a password or authentication mechanism enabled.

This year, Swiss security researcher Till Kottmann also raised the same issue of misconfigured SonarQube instances. Kottmann revealed that over the course of this year he collected the source code of dozens of technology companies on a public portal, including Microsoft, Adobe, AMD and MediaTek in Taiwan Province, and much of the data came from SonarQube applications.

To prevent such leaks from recurring, the FBI listed a series of mitigation measures in the alert, including:

Change the default settings of SonarQube, including the default administrator username, password and port (9000).

Put the SonarQube instance behind a login screen and check whether unauthorized users have been able to access it.

If possible, revoke all API keys and other credentials stored in the public SonarQube instance.

Place the SonarQube instance behind the organization's firewall and other perimeter defenses to prevent unauthorized access.
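The first, second and fourth measures above can be checked directly against the server's `sonar.properties` file. The following Python audit is an added example written for this article, not a tool from the FBI or SonarSource. It reads the real `sonar.web.port` and `sonar.web.host` keys (defaults 9000 and 0.0.0.0 when absent) and assumes `sonar.forceAuthentication` is managed in the same file; in many versions that setting is instead toggled under Administration > Security in the web UI, so treat that check as an assumption. The two configurations are constructed for the example. The default admin password cannot be verified from the file and must be rotated separately.

```python
# Constructed sample configurations; not files from the article or from SonarSource.
WEAK_CONFIG = """\
# Web server
#sonar.web.host=0.0.0.0
#sonar.web.port=9000
sonar.jdbc.username=sonar
"""

HARDENED_CONFIG = """\
# Bind only to loopback; a TLS reverse proxy on the perimeter fronts it.
sonar.web.host=127.0.0.1
sonar.web.port=9443
sonar.forceAuthentication=true
sonar.jdbc.username=sonar
"""


def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' and '!' lines are comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def audit_sonar_properties(props):
    """Return finding codes for settings that leave an instance in the exposed state the alert describes."""
    findings = []
    # Defaults that apply when a key is absent or commented out.
    port = props.get("sonar.web.port", "9000")
    host = props.get("sonar.web.host", "0.0.0.0")
    # Assumed to be file-managed here; may live in the web UI instead (see lead-in).
    force_auth = props.get("sonar.forceAuthentication", "false").lower()

    if port == "9000":
        findings.append("DEFAULT_PORT")          # still on the port the attackers scan for
    if host == "0.0.0.0":
        findings.append("BIND_ALL_INTERFACES")   # listening on every interface, not only behind a proxy
    if force_auth != "true":
        findings.append("AUTH_NOT_FORCED")       # anonymous users can browse projects and source
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sonar_properties(parse_properties(text)) or ["OK"])
```

Run it against the live file with `parse_properties(open("/path/to/sonar.properties").read())`; an empty finding list covers only the file-level items, so the admin password rotation and the API-key revocation from the list above still need to be done by hand.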

By ticket