Sep 19, 2024
Ravie Lakshmanan
Threat actors have been targeting the construction sector by breaking into installations of the FOUNDATION Accounting Software, according to new findings from Huntress.
Attackers have been observed brute-forcing the software at scale and gaining access simply by using the product’s default credentials, the cybersecurity company reported.
Plumbing, HVAC, concrete, and other related sub-industries are among the targets of this emerging threat.
The FOUNDATION software uses a Microsoft SQL (MS SQL) Server for its database operations, and in some installations TCP port 4243 is left open so that a mobile app can reach the database directly.
Huntress highlighted the presence of two high-privileged accounts on the server, namely “sa,” a default system administrator account, and “dba,” an account created by FOUNDATION, often left with unchanged default credentials.

Because of these weaknesses, threat actors could brute-force their way onto the server and then use the xp_cmdshell configuration option to run arbitrary shell commands.
This extended stored procedure allows the execution of OS commands directly from SQL, giving users the ability to run shell commands and scripts as if they had system command prompt access, Huntress pointed out.
Huntress first detected signs of this activity on September 14, 2024, with around 35,000 brute-force login attempts recorded against an MS SQL server on one host before successful access was achieved.
Out of the 500 hosts running the FOUNDATION software, 33 were found to be publicly accessible with default credentials, posing a significant risk.
To mitigate such attacks, it is advised to rotate default account credentials, avoid exposing the application over the public internet if possible, and disable the xp_cmdshell option when appropriate.
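The checks below are an added T-SQL example for administrators auditing an MS SQL Server behind such a deployment; they are not from Huntress or from the FOUNDATION vendor. They assume a sysadmin session on the instance, use the "sa" and "dba" login names the article mentions, and use an obviously placeholder password that must be replaced with a strong unique one.

```sql
-- 1. Is xp_cmdshell enabled on this instance?  (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable xp_cmdshell unless a documented process depends on it.
--    'show advanced options' must be on before the xp_cmdshell option can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Inventory the high-privileged logins: the default "sa" and the
--    FOUNDATION-created "dba", plus any other member of the sysadmin role.
--    PasswordLastSetTime equal to the create date suggests a never-rotated default.
SELECT  sp.name,
        sp.type_desc,
        sp.is_disabled,
        sp.create_date,
        LOGINPROPERTY(sp.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_principals AS sp
WHERE sp.name IN ('sa', 'dba')
   OR IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

-- 4. Rotate the default credentials.  '<REPLACE-WITH-STRONG-UNIQUE-PASSWORD>' is a
--    placeholder, not a real value.  CHECK_POLICY/CHECK_EXPIRATION enforce the
--    Windows password policy on the rotated SQL logins.
ALTER LOGIN [dba] WITH PASSWORD = '<REPLACE-WITH-STRONG-UNIQUE-PASSWORD>',
                       CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
ALTER LOGIN [sa]  WITH PASSWORD = '<REPLACE-WITH-STRONG-UNIQUE-PASSWORD>',
                       CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 5. Brute-force signal: failed-login entries (error 18456) in the current
--    SQL Server error log for the "dba" login.  Arguments: log 0 = current file,
--    type 1 = SQL Server log, then two search strings that must both match.
EXEC xp_readerrorlog 0, 1, N'Login failed', N'dba';
```

Step 5 only works if failed logins are audited (the instance-level "Login auditing" setting, which defaults to recording failed logins); a count in the tens of thousands against one login, as in the incident described above, is the pattern to alert on. Rotating the "dba" password may require updating the FOUNDATION application's own connection settings, so schedule that change with the application owner.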