09/11/2020
FBI: Hackers stole source code from US government agencies and private companies
FBI blames intrusions on improperly configured SonarQube source code management tools.
The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.
Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.
The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments.
SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.
But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with default admin credentials (admin/admin).
FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.
Officials provided two examples of past incidents:
"In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations' networks.
"This activity is similar to a previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises through poorly secured SonarQube instances and published the exfiltrated source code on a self-hosted public repository."
The FBI alert touches on a little-known issue among software developers and security researchers.
While the cyber-security industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed online without passwords, SonarQube has slipped through the cracks.
However, some security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018.
At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of all the ~3,000 SonarQube instances available online at the time had no password or authentication mechanism enabled.
This year, a Swiss security researcher named Till Kottmann has also raised the same issue of misconfigured SonarQube instances. Throughout the year, Kottmann has gathered source code from tens of tech companies in a public portal, and many of these came from SonarQube applications.
"Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube," Kottmann told ZDNet.
"I don't know the current number of exposed SonarQube instances, but I doubt it changed much. I would guess it's still far over 1,000 servers (that are indexed by Shodan) which are 'vulnerable' by either requiring no auth or leaving default creds," he said.
To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with changing the app's default configuration and credentials and then using firewalls to block access to the app from unauthorized users.
The US government said today that a Russian state-sponsored hacking group has targeted and successfully breached US government networks.
Government officials disclosed the hacks in a joint security advisory published by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI).
US officials identified the Russian hacker group as Energetic Bear, a codename used by the cybersecurity industry. Other names for the same group also include TEMP.Isotope, Berserk Bear, TeamSpy, Dragonfly, Havex, Crouching Yeti, and Koala.
Officials said the group has been targeting dozens of US state, local, territorial, and tribal (SLTT) government networks since at least February 2020.
Companies in the aviation industry were also targeted, CISA and FBI said.
The two agencies said Energetic Bear "successfully compromised network infrastructure, and as of October 1, 2020, exfiltrated data from at least two victim servers."
The intrusions detailed in today's CISA and FBI advisory are a continuation of attacks detailed in a previous CISA and FBI joint alert, dated October 9. The previous advisory described how hackers had breached US government networks by chaining vulnerabilities in VPN appliances with Windows bugs.
Today's advisory attributes those intrusions to the Russian hacker group but also provides additional details about Energetic Bear's tactics.
Hackers targeted internet-connected networking gear
According to the technical advisory, Russian hackers used publicly known vulnerabilities to breach networking gear, pivot to internal networks, elevate privileges, and steal sensitive data.
Targeted devices included Citrix access gateways (CVE-2019-19781), Microsoft Exchange email servers (CVE-2020-0688), Exim mail agents (CVE-2019-10149), and Fortinet SSL VPNs (CVE-2018-13379).
To move laterally across compromised networks, CISA and the FBI said the Russian hackers used the Zerologon vulnerability in Windows Servers (CVE-2020-1472) to access and steal Windows Active Directory (AD) credentials. The group then used these credentials to roam through a target's internal network.
In situations where the attacks succeeded, CISA and the FBI said the hackers moved to steal files from government networks. Based on the information they received, the two agencies said Energetic Bear exfiltrated:
Sensitive network configurations and passwords.
Standard operating procedures (SOP), such as enrolling in multi-factor authentication (MFA).
IT instructions, such as requesting password resets.
Vendors and purchasing information.
Printing access badges.
"To date, the FBI and CISA have no information to indicate this APT actor has intentionally disrupted any aviation, education, elections, or government operations. However, the actor may be seeking access to obtain future disruption options, to influence US policies and actions, or to delegitimize SLTT government entities," the two agencies said.
"As this recent malicious activity has been directed at SLTT government networks, there may be some risk to elections information housed on SLTT government networks. However, the FBI and CISA have no evidence to date that integrity of elections data has been compromised," the two added.
News publication Cyberscoop first reported on Monday that Energetic Bear (TEMP.Isotope) was the hacker group behind the breaches reported in the first CISA and FBI alert.
Energetic Bear is also the same hacker group that targeted the San Francisco airport earlier this spring.