Hackers Use Default Credentials in FOUNDATION Software to Attack Construction Companies

Threat actors have been targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to Huntress.

Huntress mentioned that attackers have been brute-forcing the software at scale and accessing it using default credentials.

The affected industries include plumbing, HVAC, concrete, and related sub-industries.

FOUNDATION software uses a Microsoft SQL (MS SQL) Server to handle database tasks, and sometimes has the TCP port 4243 open for direct database access via a mobile app.

Huntress identified two high-privileged accounts on the server, “sa” and “dba,” with default credentials often left unchanged.

With access to these accounts, threat actors could run arbitrary shell commands through the xp_cmdshell configuration option.

Huntress detected the activity on September 14, 2024, with 35,000 brute-force login attempts before successful access.

Out of 500 hosts running FOUNDATION software, 33 were found to be accessible with default credentials.

To mitigate the risk, it is advised to change the default credentials, avoid exposing the application publicly if possible, and disable the xp_cmdshell option where appropriate.
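
One way to detect the pattern described above (repeated failed logins against "sa" or "dba", then a success, then xp_cmdshell being switched on), added here as an example and not taken from Huntress or FOUNDATION. The log lines are constructed in SQL Server ERRORLOG style, the threshold of 5 is an assumption, and successful logins only appear when login auditing is set to record them.

```python
import re
from collections import defaultdict

WATCHED = {"sa", "dba"}   # the two high-privileged accounts named in the article
THRESHOLD = 5             # assumed cut-off for this sample; tune against real logs

LOGIN_RE = re.compile(r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'"
                      r".*\[CLIENT: (?P<client>[^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def analyze(log_text, threshold=THRESHOLD):
    """Return findings: a watched login succeeding after repeated failures from the
    same client, and xp_cmdshell being switched on."""
    failures = defaultdict(int)   # (client, user) -> failed attempts so far
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            user, client = m["user"].lower(), m["client"].strip()
            if user not in WATCHED:
                continue
            key = (client, user)
            if m["result"] == "failed":
                failures[key] += 1
            else:
                if failures[key] >= threshold:
                    findings.append(("success_after_brute_force", user, client, failures[key]))
                failures[key] = 0   # a success ends the current run of failures
        elif XP_RE.search(line):
            findings.append(("xp_cmdshell_enabled", None, None, 0))
    return findings

# Constructed sample in SQL Server ERRORLOG style (documentation IP ranges).
_FAIL = ("{ts} Logon       Login failed for user '{u}'. Reason: Password did not "
         "match that for the login provided. [CLIENT: {ip}]")
_OK = ("{ts} Logon       Login succeeded for user '{u}'. Connection made using "
       "SQL Server authentication. [CLIENT: {ip}]")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(ts=f"2024-09-14 03:12:0{s}.10", u="sa", ip="203.0.113.7") for s in range(6)]
    + [_FAIL.format(ts="2024-09-14 03:12:07.10", u="dba", ip="198.51.100.20"),
       _FAIL.format(ts="2024-09-14 03:12:08.10", u="appuser", ip="198.51.100.20"),
       _OK.format(ts="2024-09-14 03:12:09.10", u="dba", ip="198.51.100.20"),
       _OK.format(ts="2024-09-14 03:12:10.10", u="sa", ip="203.0.113.7"),
       "2024-09-14 03:12:11.40 spid55      Configuration option 'xp_cmdshell' changed "
       "from 0 to 1. Run the RECONFIGURE statement to install."])

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In the sample, the single failed "dba" attempt followed by a success stays below the threshold, so only the "sa" sequence and the xp_cmdshell change are reported.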
