Threat actors have been observed targeting the construction sector by breaking into Foundation Accounting Software, according to new findings from Huntress.
The cybersecurity company said that “attackers have been widely observed brute-forcing the software, and gaining access using only the product’s default credentials.”
Targets of the emerging threat include plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other related sub-industries.
The Foundation software comes with a Microsoft SQL (MS SQL) server to handle database operations, and, in some cases, TCP port 4243 is open for direct access to the database through a mobile app.
Huntress said the server contains two highly privileged accounts: “sa”, a default system administrator account, and “dba”, an account created by FOUNDATION, both of which are often left with unchanged default credentials.
As a result, threat actors can brute-force the server and abuse the xp_cmdshell configuration option to run arbitrary shell commands.
“It is an extended stored procedure that allows the execution of OS commands directly from SQL, enabling users to run shell commands and scripts as if they had access from the system command prompt,” Huntress noted.
Huntress first detected signs of the activity on September 14, 2024, recording approximately 35,000 brute-force login attempts against the MS SQL server on a single host before access was successfully gained.
Of the 500 hosts running the Foundation software on company-protected endpoints, 33 were found to be publicly accessible with default credentials.
To reduce the risk of such attacks, it is recommended to rotate the default account credentials, stop exposing the application to the public internet where possible, and disable the xp_cmdshell option where appropriate.
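A detection the defending team can run over the SQL Server ERRORLOG to spot the pattern described above (a burst of failed logins against “sa”/“dba” followed by a success, then xp_cmdshell being switched on). This is an added example, not Huntress’s tooling or FOUNDATION’s code; the log lines are constructed in the ERRORLOG style, and the threshold is a parameter (real brute-force runs like the one reported are far noisier than the sample).

```python
import re
from collections import Counter

# Constructed sample lines in the style of the SQL Server ERRORLOG (not a real capture).
SAMPLE_LOG = """\
2024-09-14 03:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-14 03:10:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-14 03:10:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-14 03:10:01.71 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-14 03:10:02.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-14 03:10:02.33 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
2024-09-14 03:10:05.90 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-09-14 08:00:00.00 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

FAILED = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
SUCCESS = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
XP_ENABLED = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")


def analyze(log_text, threshold=3):
    """Return findings as tuples: per-source brute-force counts, a success from a
    source that already exceeded the failure threshold, and xp_cmdshell enablement."""
    failures = Counter()          # (client, user) -> failed login count
    findings = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            failures[(m['client'], m['user'])] += 1
            continue
        m = SUCCESS.search(line)
        if m:
            # Count every failure already seen from this client, regardless of user.
            prior = sum(n for (c, _u), n in failures.items() if c == m['client'])
            if prior >= threshold:
                findings.append(('success_after_bruteforce', m['client'], m['user'], prior))
            continue
        if XP_ENABLED.search(line):
            # xp_cmdshell being enabled is worth an alert on its own on a FOUNDATION host.
            findings.append(('xp_cmdshell_enabled',))
    for (client, user), n in failures.items():
        if n >= threshold:
            findings.append(('bruteforce', client, user, n))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The single failure from 10.0.0.5 stays below the threshold and is not reported, which keeps ordinary typos out of the alert stream.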