SonarQube misconfigurations lead to source code leaks.
The US FBI last week made public an alert issued on a restricted basis back in October. The alert warned that “unknown actors” had exploited insecurely configured instances of the SonarQube code review tool to steal source code from companies and Government agencies:
"Beginning in April 2020, the FBI observed source code leaks associated with insecure SonarQube instances from US government agencies and private US companies in the technology, finance, retail, food, eCommerce, and manufacturing sectors. SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code.
"In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks. This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository."
ZDNet summarizes the research into, and remediation of, the issue. While the industry has been rife with warnings about exposed MongoDB and Elasticsearch databases, the comparable problem of an exposed SonarQube server was often overlooked. The consequences are significant for the software supply chain: SonarQube analyses code during development and keeps a browsable copy of the source of every project it has scanned, so anyone who can log in to the server can read, and download, that code.
The typical problem is that organizations deploy SonarQube with its default configuration, the web interface listening on port 9000 and the built-in administrator account still using its default credentials, and then leave that interface reachable from outside the development network. Those default credentials are "admin/admin," and they ought to be a red flag for anyone: the password should be changed at first login, and the instance should be reachable only from inside the network or behind an authenticating reverse proxy, never directly from the internet.
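A quick way to find this misconfiguration in your own estate is to ask each SonarQube instance whether it still accepts "admin/admin". The script below is an added example written for this page, not code from the FBI, ZDNet or the SonarQube project. It assumes the instance is reachable over plain HTTP on its default port 9000 and that the web API endpoint /api/authentication/validate answers with a JSON body of the form {"valid": true} or {"valid": false} for the supplied Basic-auth credentials; the hostname in the usage line is a placeholder. Because that endpoint can also report a valid anonymous session on instances that do not force authentication, the script first sends a control probe with a random password and treats a server that calls that "valid" as inconclusive rather than as a confirmed default-credential hit.

```python
"""Audit a SonarQube instance for the default admin/admin credentials.

Added example for this article; assumes the /api/authentication/validate
endpoint replies {"valid": true|false} for Basic-auth credentials. Only run
it against instances you are responsible for.
"""
import base64
import json
import secrets
import sys
import urllib.request
from urllib.error import HTTPError, URLError

DEFAULT_PORT = 9000                      # SonarQube's out-of-the-box sonar.web.port
DEFAULT_CREDENTIALS = ("admin", "admin")  # the pair the FBI alert warns about
VALIDATE_PATH = "/api/authentication/validate"


def basic_auth_header(user: str, password: str) -> dict:
    """Build the HTTP Basic Authorization header for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def http_get(url: str, headers: dict, timeout: float = 5.0):
    """Standard-library GET returning (status, body); (None, "") if unreachable."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (URLError, OSError):
        return None, ""


def probe(base_url: str, user: str, password: str, fetch=http_get):
    """Ask the instance whether user:password is accepted.

    Returns (status, valid): valid is True/False when the server gave a
    SonarQube-style answer, None when it was unreachable or replied with
    something that is not the expected JSON (assumed endpoint behaviour).
    """
    status, body = fetch(base_url + VALIDATE_PATH, basic_auth_header(user, password))
    if status != 200:
        return status, (False if status is not None else None)
    try:
        return status, bool(json.loads(body).get("valid"))
    except (ValueError, AttributeError):
        return status, None


def audit_instance(host: str, port: int = DEFAULT_PORT, fetch=http_get) -> dict:
    """Report whether host:port is reachable and still accepts admin/admin."""
    base_url = f"http://{host}:{port}"
    report = {"base_url": base_url, "reachable": False,
              "default_credentials": False, "inconclusive": False}

    # Control probe with a password nobody set. If the server calls this
    # "valid" it is reporting an anonymous session, so a later admin/admin
    # success would prove nothing; flag the instance for manual review.
    status, control = probe(base_url, "admin", secrets.token_hex(16), fetch)
    report["reachable"] = status is not None
    if control is None:
        report["inconclusive"] = report["reachable"]  # answered, but not like SonarQube
        return report
    if control:
        report["inconclusive"] = True
        return report

    _, default_ok = probe(base_url, *DEFAULT_CREDENTIALS, fetch=fetch)
    report["default_credentials"] = bool(default_ok)
    return report


if __name__ == "__main__":
    # Usage: python sonar_audit.py sonar.example.internal [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "sonar.example.internal"  # placeholder
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    print(json.dumps(audit_instance(target, target_port), indent=2))
```

The `fetch` parameter exists so the logic can be exercised against a stub without network access; in production leave it at the default. A report with `default_credentials` true means the administrator account, and therefore every project's source, is open to anyone who can reach port 9000, and the fix is the one described above: change the password and stop exposing the port.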