Threat actors are targeting the construction sector by infiltrating the FOUNDATION accounting software, according to new findings from Huntress.
“It has been observed that attackers are mass exploiting the software and gaining access simply by using the product’s default credentials,” the cybersecurity company said.
Plumbing, HVAC, concrete and other related industries are being targeted by the new threat.
The FOUNDATION software comes with a Microsoft SQL (MS SQL) server to handle database operations and, in some cases, has TCP port 4243 open for direct database access via a mobile application.
Huntress said the server includes two high-privilege accounts: “sa,” the default system administrator account, and “dba,” an account created by FOUNDATION. Both are often left with their default credentials unchanged.
As a result, threat actors can brute-force their way into the server and abuse the xp_cmdshell configuration option to execute arbitrary shell commands.
“It’s an extended stored procedure that allows you to execute OS commands directly from SQL, allowing users to run shell commands and scripts as if they had access directly from the system command line,” Huntress noted.
The first signs of activity were detected by Huntress on September 14, 2024, with approximately 35,000 brute force login attempts to MS SQL Server on a single host recorded before successful access was obtained.
Of the 500 hosts running FOUNDATION software on company-protected endpoints, 33 were publicly accessible with default credentials.
To reduce the risk posed by such attacks, it is recommended that you change the default account credentials, prevent the application from being reachable from the public Internet where possible, and disable the xp_cmdshell option if it is not needed.
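The following T-SQL script is an added example, not code from Huntress or from FOUNDATION, showing how a defender can audit and then apply the three recommendations above on the MS SQL instance behind the application. It assumes a sysadmin connection to that instance; the “sa” and “dba” login names come from the article, while the password values are placeholders you must replace.

```sql
-- Added example (not Huntress' or FOUNDATION's own code): audit-and-harden script
-- for the MS SQL Server instance bundled with the FOUNDATION software.
-- Assumes a sysadmin session; replace the password placeholders before running.

-- 1. Audit: is xp_cmdshell currently enabled? (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Audit: are the two high-privilege logins enabled, and when were their
--    passwords last set? An old PasswordLastSetTime suggests the default is still in use.
SELECT name,
       is_disabled,
       LOGINPROPERTY(name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_principals
WHERE name IN (N'sa', N'dba');

-- 3. Audit: failed-login entries for those accounts in the current error log.
--    Thousands of entries from a single client address in a short window is the
--    brute-force pattern described in the article.
EXEC xp_readerrorlog 0, 1, N'Login failed for user', N'sa';
EXEC xp_readerrorlog 0, 1, N'Login failed for user', N'dba';

-- 4. Harden: disable xp_cmdshell (it is off on a fresh SQL Server install).
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 5. Harden: rotate the default credentials and enforce the Windows password
--    policy on both logins. The placeholder values below must be replaced.
ALTER LOGIN [sa]  WITH PASSWORD = N'<REPLACE-WITH-STRONG-SA-PASSWORD>',  CHECK_POLICY = ON;
ALTER LOGIN [dba] WITH PASSWORD = N'<REPLACE-WITH-STRONG-DBA-PASSWORD>', CHECK_POLICY = ON;

-- 6. Harden: if nothing legitimately logs in as "sa", disable it outright.
ALTER LOGIN [sa] DISABLE;
```

Run steps 1 to 3 first and keep the output as a baseline. Before applying steps 4 to 6, confirm with the vendor or in a test environment that the application does not depend on xp_cmdshell or on the “sa” login, and update any stored connection strings that use the “dba” account after rotating its password. Network exposure is handled outside SQL: the port the article mentions (TCP 4243) and the SQL Server listener should be reachable only from the hosts that need them, which is a firewall or VPN change rather than a database setting.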