The FBI has issued a security alert warning that hackers are abusing misconfigured SonarQube instances to steal source code repositories from government agencies and private companies. The alert was sent out last month and made public this week. According to the FBI, the attackers obtained the source code from systems left running with unprotected default settings.
SonarQube (formerly Sonar) is an open-source platform developed by SonarSource for continuous inspection of code quality. It performs automatic reviews using static analysis to detect bugs, code smells, and security vulnerabilities in more than 20 programming languages.
According to the FBI, some companies are running SonarQube on its default port (9000) with the default passwords still in place, which is how the hackers obtained the source code. Officials say the attackers are exploiting these misconfigurations to steal proprietary or sensitive applications.
Cybersecurity experts have seen many cases of MongoDB or Elasticsearch databases exposed to the internet with plaintext passwords, but SonarQube has largely slipped under the radar.
However, some security researchers have been warning about exposed SonarQube instances with default passwords since May 2018. At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of the roughly 3,000 SonarQube instances exposed online were running with default or no credentials.
Swiss researcher Till Kottmann also raised the same issue about SonarQube misconfigurations. Over the course of the year, Kottmann obtained the source code of dozens of companies from misconfigured SonarQube instances.
"Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube," Kottmann told ZDNet.
To prevent such incidents, the FBI alert lists a series of steps companies can take to protect their SonarQube servers, such as changing the default credentials and using firewalls to block unauthorized access.
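The exposure pattern described in the alert (default port, web interface reachable from anywhere, authentication not enforced) can be checked on your own server before anyone else does. The following script is an added example, not part of the FBI alert or of SonarQube itself: it reads a `sonar.properties` file and flags the settings that match that pattern. The property names `sonar.web.host`, `sonar.web.port` and `sonar.forceAuthentication` are the ones shipped in SonarQube's own `sonar.properties`; the two sample configurations are constructed for illustration. It assumes that an absent `sonar.forceAuthentication` means anonymous browsing is allowed, which matches older releases (newer releases default it to enabled and manage it from the UI).

```python
"""Audit a SonarQube sonar.properties file for the exposure pattern in the FBI alert.

Added example, not code from the FBI alert or from SonarSource. Property names
are taken from SonarQube's shipped sonar.properties; sample configs are constructed.
"""
import re

DEFAULT_PORT = 9000  # the default port named in the alert


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, 'key=value' or 'key: value'."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_sonar_properties(text):
    """Return a list of findings; an empty list means none of the checked weaknesses is present."""
    props = parse_properties(text)
    findings = []

    # SonarQube listens on all interfaces when sonar.web.host is not set.
    host = props.get("sonar.web.host", "0.0.0.0")
    if host in ("0.0.0.0", "::"):
        findings.append(
            "sonar.web.host: web UI is bound to all interfaces; bind it to an "
            "internal address and/or firewall the port to trusted networks"
        )

    # The default port is what the alert says attackers looked for.
    port = props.get("sonar.web.port", str(DEFAULT_PORT))
    if port == str(DEFAULT_PORT):
        findings.append(
            f"sonar.web.port: still on the default port {DEFAULT_PORT}; an unchanged "
            "port usually means the rest of the install is untouched as well"
        )

    # Assumption: unset means anonymous users may browse projects (older releases).
    force_auth = props.get("sonar.forceAuthentication", "false").lower()
    if force_auth != "true":
        findings.append(
            "sonar.forceAuthentication: not enabled; anonymous visitors can read "
            "project data without logging in"
        )
    return findings


# Constructed sample: an install where nothing from the setup guide was changed.
WEAK_CONFIG = """
# sonar.web.host left at its default (all interfaces)
sonar.web.port=9000
"""

# Constructed sample: the same file after applying the alert's recommendations.
HARDENED_CONFIG = """
sonar.web.host=10.20.30.40
sonar.web.port=9443
sonar.forceAuthentication=true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_sonar_properties(cfg) or ["no findings"]:
            print(" -", finding)
```

Run it against the file at `conf/sonar.properties` under the SonarQube install directory (or paste the contents into `WEAK_CONFIG`). Note that the default administrator password, the other item the alert calls out, is not stored in this file; it has to be changed through the web UI or the users API, so this audit covers the network-exposure part of the checklist only.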