Threat actors have been increasingly targeting the construction industry by breaking into FOUNDATION Accounting Software, according to new findings from Huntress.
“These attackers have been spotted executing large-scale brute-force attacks, effortlessly gaining entry by merely relying on the software’s unchanged default credentials,” noted the cybersecurity firm.
The activity primarily targets plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and related construction sub-industries.
FOUNDATION's software runs on a Microsoft SQL (MS SQL) Server back end, and in some deployments TCP port 4243 is left open to the internet so that a mobile app can reach the database directly.
Huntress further noted that the server ships with two high-privilege logins: the built-in "sa" system administrator account and a "dba" account created by FOUNDATION itself, both of which often still carry their original default credentials.
As a result, attackers can brute-force their way into the server and, where the xp_cmdshell extended stored procedure is enabled, use it to run arbitrary operating-system commands in the security context of the SQL Server service account.
“This stored procedure permits executing OS-level commands directly through SQL, granting users the ability to run shell commands and scripts as though they were interfacing with the system’s command line,” Huntress elaborated.
Huntress first observed the activity on September 14, 2024, logging roughly 35,000 brute-force login attempts against a single MS SQL Server host before the attackers succeeded in authenticating.
Of the 500 hosts running FOUNDATION software among the endpoints Huntress protects, 33 were publicly exposed with their default credentials unchanged.
To limit exposure to this kind of intrusion, change the default account credentials immediately, keep the application off the public internet where feasible, and disable xp_cmdshell wherever the application does not require it; failed-login entries in the SQL Server error log are the quickest way to tell whether a host is already being brute-forced.
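The following T-SQL is an added example, not code from Huntress or FOUNDATION, that ties together the xp_cmdshell mechanism described above and the recommended fixes. It assumes a sysadmin session on the affected MS SQL Server instance with the "sa" and "dba" logins present. The commented attacker sequence in part 1 is Microsoft's documented way of enabling xp_cmdshell; the candidate-password checks in part 2 test only for blank passwords and passwords equal to the login name, since the vendor's actual defaults are not known to this example; the new password values in part 3 are placeholders.

```sql
-- Added example (not from Huntress or FOUNDATION): audit and harden an MS SQL
-- Server instance against the brute-force / xp_cmdshell pattern. Run as sysadmin.
-- Assumptions: "sa" and "dba" logins exist; xp_cmdshell may currently be enabled;
-- placeholder passwords below must be replaced before running part 3.

---------------------------------------------------------------------------
-- 1. What the attacker relies on. Once logged in as a sysadmin such as "sa",
--    xp_cmdshell (an extended stored procedure) runs OS commands under the
--    SQL Server service account. This is Microsoft's documented enable sequence,
--    left commented out so the script is purely defensive when executed.
---------------------------------------------------------------------------
-- EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 1;            RECONFIGURE;
-- EXEC xp_cmdshell 'whoami';   -- returns the service account name: OS access proven

---------------------------------------------------------------------------
-- 2. Audit: is xp_cmdshell enabled, are the privileged logins weak, and is
--    someone already hammering the server?
---------------------------------------------------------------------------
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';           -- value_in_use = 1 means enabled

-- Sysadmin-level SQL logins that still have an empty password or a password equal
-- to the login name. PWDCOMPARE hashes the candidate and compares it with the
-- stored hash, so no plaintext credential is ever read back.
SELECT l.name,
       CASE WHEN PWDCOMPARE('', l.password_hash) = 1     THEN 'blank password'
            WHEN PWDCOMPARE(l.name, l.password_hash) = 1 THEN 'password = login name'
            ELSE 'not a tested default' END AS finding,
       l.is_disabled
FROM   sys.sql_logins AS l
WHERE  l.name IN ('sa', 'dba')         -- the two accounts named in the report
   OR  IS_SRVROLEMEMBER('sysadmin', l.name) = 1;

-- Failed logins (error 18456) in the current SQL error log, filtered to "sa".
-- Thousands of these in a short window is the brute-force signature described
-- above. Requires the default "failed logins only" login auditing setting.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'sa';

---------------------------------------------------------------------------
-- 3. Harden
---------------------------------------------------------------------------
-- Rotate the default credentials. Replace the placeholders with strong, unique
-- values, and update the FOUNDATION configuration to match the new "dba" secret.
ALTER LOGIN [sa]  WITH PASSWORD = N'<new strong sa password>';
ALTER LOGIN [dba] WITH PASSWORD = N'<new strong dba password>';

-- Optional, beyond the report's advice: disable sa entirely if nothing depends on
-- it (Microsoft's general guidance; confirm with the vendor first).
-- ALTER LOGIN [sa] DISABLE;

-- Turn xp_cmdshell off, then hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Part 2 is safe to run on its own as a read-only check before any change window. Disabling xp_cmdshell does not block a sysadmin from re-enabling it, which is why the credential rotation in part 3 and blocking inbound TCP 4243 and 1433 at the network edge (outside the scope of this script) matter more than the configuration flip alone.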