Unauthorized Users Misuse Default Passcodes in FOUNDATION Software to Infiltrate Construction Companies
Threat actors have been targeting the construction industry by breaking into FOUNDATION Accounting Software, according to recent findings from Huntress.
“Offenders have been found to brute-force the software on a large scale, and gaining unauthorized entry by using the program’s default passcodes,” as reported by the cybersecurity company in a recent statement.
The entities under attack include plumbing, HVAC (heat, ventilation, and air conditioning), concrete, and other related sub-sectors.
The FOUNDATION software runs on a Microsoft SQL (MS SQL) Server database and, in some deployments, exposes that database directly to a mobile app, with TCP port 4243 left open.
Huntress highlighted that the server includes two high-privileged accounts, namely “sa,” a default system administrator account, and “dba,” an account set up by FOUNDATION, often with default passcodes that are not changed.

As a result, bad actors who brute-force their way into the server can use the xp_cmdshell configuration option to execute arbitrary shell commands.
“This is an extended stored procedure enabling the execution of OS commands directly from SQL, allowing users to execute shell commands and scripts as if they possessed access directly from the system command prompt,” as noted by Huntress.
The first signs of suspicious behavior were detected by Huntress on September 14, 2024, with around 35,000 brute-force login attempts targeting an MS SQL server on a single host before achieving a successful breach.
Out of the 500 hosts operating the FOUNDATION software within the endpoints safeguarded by the company, 33 were discovered to be accessible to the public with default credentials.
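The activity described above (a burst of failed logins against a privileged MS SQL account, a success from the same client, then xp_cmdshell being switched on) leaves traces in the SQL Server error log. The following detector is an added example written for this article; it is not Huntress's tooling or FOUNDATION code. It assumes ERRORLOG-style lines, that login auditing is set to record successful as well as failed logins (otherwise the "Login succeeded" lines are absent), and uses constructed sample lines with documentation-range IP addresses; the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG style (not real log data).
# The "Login failed" (error 18456) and xp_cmdshell configuration messages follow
# the server's own wording; "Login succeeded" lines appear only when login auditing
# is set to "Both failed and successful logins" (assumption).
SAMPLE_LOG = """\
2024-09-14 03:12:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 03:12:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 03:12:01.15 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 03:12:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 03:12:01.24 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 03:12:02.01 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-14 03:12:05.40 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-09-14 03:15:00.00 Logon       Login failed for user 'app_user'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
2024-09-14 03:20:00.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.7]
"""

# Privileged accounts named in the report: the built-in 'sa' and FOUNDATION's 'dba'.
PRIVILEGED_LOGINS = {"sa", "dba"}

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+(?P<msg>.*)$")
LOGIN_RE = re.compile(
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (?P<old>\d) to (?P<new>\d)")


def analyze(log_text, threshold=20, window=timedelta(minutes=10)):
    """Scan ERRORLOG-style text and return alerts in the order they are triggered.

    threshold: failed logins per (client, user) inside `window` that count as brute force.
    A success for that pair while the failure count is at or above the threshold is
    reported separately, as is any line that turns xp_cmdshell on.
    """
    failures = defaultdict(list)  # (client ip, user) -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a timestamped log line; skip
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        msg = m["msg"]

        lm = LOGIN_RE.search(msg)
        if lm:
            key = (lm["ip"], lm["user"])
            # Keep only failures inside the sliding window before counting.
            recent = [t for t in failures[key] if ts - t <= window]
            if lm["outcome"] == "failed":
                recent.append(ts)
                if len(recent) == threshold:  # fire once when the threshold is crossed
                    alerts.append(_alert("brute_force", ts, key, len(recent)))
            elif len(recent) >= threshold:
                # Success from a client that was just hammering this login.
                alerts.append(_alert("success_after_brute_force", ts, key, len(recent)))
            failures[key] = recent
            continue

        xm = XPCMD_RE.search(msg)
        if xm and xm["new"] == "1":
            alerts.append({"type": "xp_cmdshell_enabled", "time": ts.isoformat()})
    return alerts


def _alert(kind, ts, key, count):
    ip, user = key
    return {
        "type": kind,
        "time": ts.isoformat(),
        "client": ip,
        "user": user,
        "privileged": user in PRIVILEGED_LOGINS,
        "failures_in_window": count,
    }


if __name__ == "__main__":
    # A low threshold is used here only so the short sample trips the detector.
    for alert in analyze(SAMPLE_LOG, threshold=4):
        print(alert)
```

On a real host the input would be the contents of the ERRORLOG file (or the rows returned by xp_readerrorlog) rather than the embedded sample, and the threshold would be set far higher than four; the shape of the three alerts is what matters: a privileged login under sustained failure, a success from the same client, and xp_cmdshell being enabled shortly afterwards.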
To minimize the threat posed by such intrusions, it is recommended to alter default account passcodes, avoid exposing the application over the public internet if feasible, and deactivate the xp_cmdshell option when suitable.
