
Hackers stole source code from government agencies and companies in the United States

EagleEye

Attackers scan the network for unprotected SonarQube servers and try to gain access to them.


The Federal Bureau of Investigation (FBI) has issued an emergency alert about hackers who have stolen data from US government agencies and corporate organizations through web-based and misconfigured SonarQube installations.

SonarQube is an open source platform for automated code quality auditing and static analysis to detect bugs and vulnerabilities in projects using 27 programming languages. Misconfigured SonarQube servers have been actively exploited by cybercriminals since April 2020 to gain access to data source code repositories owned by both government and corporate organizations.

According to the FBI, several such incidents have now been recorded, in which cybercriminals have actively abused the SonarQube configuration vulnerabilities since the beginning of the attacks.

"Starting in April 2020, the FBI has discovered source code leaks related to SonarQube from US government agencies and private US companies in the areas of technology, finance, retail, food, e-commerce and manufacturing," the FBI said.

Security researcher Tillie Kottmann has collected and published leaked data from more than 50 companies, including Microsoft, Adobe, Lenovo, AMD, Qualcomm, Motorola, HiSilicon (owned by Huawei), MediaTek, GE Appliances, Nintendo, Roblox, and Disney in an open repository at GitLab.

There are thousands of companies out there that disclose proprietary source code after failing to properly protect their SonarQube installations, Kottmann said.
 