FBI: Hackers stole government source code via SonarQube instances


Level 83
Thread author
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
The Federal Bureau of Investigation (FBI) issued a flash alert warning of hackers stealing data from U.S. government agencies and enterprise organizations via internet-exposed and insecure SonarQube instances.

SonarQube is an open-source platform for automated code quality auditing and static analysis to discover bugs and security vulnerabilities in projects using 27 programming languages.

Vulnerable SonarQube servers have been actively exploited by attackers since April 2020 to gain access to data source code repositories owned by both government and corporate entities, later exfiltrating it and leaking it publicly.

The FBI says that it has identified several such incidents where the attackers have abused SonarQube configuration vulnerabilities since the attacks have started.
"Beginning in April 2020, the FBI observed source code leaks associated with insecure SonarQube instances from US government agencies and private US companies in the technology, finance, retail, food, eCommerce, and manufacturing sectors," the FBI says in the TLP:WHITE flash alert.