Threat Actors Target Accounting Software Used by Construction Contractors


Cybersecurity firm Huntress is raising the alarm on a wave of cyberattacks targeting Foundation Accounting Software, an application commonly used by contractors in the construction industry.

Starting September 14, threat actors have been observed brute-forcing the application at scale and using default credentials to gain access to victim accounts.

According to Huntress, multiple organizations in plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other sub-industries have been compromised via Foundation software instances exposed to the internet.

“While it is common to keep a database server internal and behind a firewall or VPN, the Foundation software features connectivity and access by a mobile app. For that reason, the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL,” Huntress said.

As part of the observed attacks, the threat actors are targeting a default system administrator account in the Microsoft SQL Server (MSSQL) instance within the Foundation software. The account has full administrative privileges over the entire database server.

Additionally, multiple Foundation software instances have been seen creating a second account with high privileges, which is also left with default credentials. Both accounts allow attackers to access an extended stored procedure within MSSQL that enables them to execute OS commands directly from SQL, the company added.

By abusing the procedure, the attackers can “run shell commands and scripts as if they had access right from the system command prompt.”

According to Huntress, the threat actors appear to be using scripts to automate their attacks, as the same commands were executed on machines belonging to several unrelated organizations within a few minutes.


In one instance, the attackers were seen executing roughly 35,000 brute force login attempts before successfully authenticating and enabling the extended stored procedure to start executing commands.
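The pattern described above (a long run of failed logins against one account from one client, a success, then the OS-command extended stored procedure being switched on) is something a defender can look for in the SQL Server ERRORLOG. The following is an added detection example and is not Huntress's tooling or code from the article. It assumes the standard ERRORLOG layout and messages (error 18456 "Login failed for user", "Login succeeded for user", which SQL Server only writes when login auditing includes successes, and the "Configuration option 'xp_cmdshell' changed" notice); the article does not name the procedure, so the example assumes it is xp_cmdshell, the MSSQL extended stored procedure that runs OS commands. The log excerpt, timestamps, login name, client address and the 20-failures-in-5-minutes threshold are all constructed for the example.

```python
"""Detection over SQL Server ERRORLOG text: brute-force bursts against a login,
a success that follows such a burst, and xp_cmdshell being switched on.
Added example; log format assumptions and sample data are described above."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# ERRORLOG lines look like "YYYY-MM-DD HH:MM:SS.ff <source> <message>".
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) (\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '([^']+)'.*\[CLIENT: ([^\]]+)\]")
XP_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from (\d) to (\d)")
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_errorlog(text):
    """Turn ERRORLOG text into (timestamp, kind, login, client) tuples.
    For the xp_cmdshell event the 'login' slot carries the new option value
    and 'client' carries the source column (the spid that changed it)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # the "Error: 18456, Severity..." line and anything unparsed
        ts, source, msg = datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)
        if f := FAIL_RE.search(msg):
            events.append((ts, "fail", f.group(1), f.group(2)))
        elif s := OK_RE.search(msg):
            events.append((ts, "success", s.group(1), s.group(2)))
        elif x := XP_RE.search(msg):
            events.append((ts, "xp_cmdshell", x.group(2), source))
    return events


def analyze(events, threshold=20, window=timedelta(minutes=5)):
    """Sliding-window failure count per (login, client). A burst is reported
    once per key when it first reaches `threshold` failures inside `window`;
    a success is reported while a burst is still live for that key."""
    findings = []
    recent = defaultdict(deque)  # (login, client) -> failure timestamps in window
    flagged = set()
    for ts, kind, login, client in events:
        if kind == "xp_cmdshell":
            if login == "1":  # option changed to 1 = enabled
                findings.append({"kind": "xp_cmdshell_enabled", "login": None,
                                 "client": client, "at": ts, "failures": 0})
            continue
        key = (login, client)
        q = recent[key]
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"kind": "brute_force", "login": login,
                                 "client": client, "at": ts, "failures": len(q)})
        elif kind == "success" and len(q) >= threshold:
            findings.append({"kind": "success_after_burst", "login": login,
                             "client": client, "at": ts, "failures": len(q)})
    return findings


def build_sample_log(failures=35, start=datetime(2024, 9, 14, 3, 12, 0)):
    """Constructed ERRORLOG excerpt (invented timestamps, login and client
    address) in the shape SQL Server writes: repeated 18456 failures from one
    client, then a success, then xp_cmdshell being enabled."""
    def stamp(t):
        return t.strftime(TS_FMT)[:-4]  # keep two fractional digits like ERRORLOG
    lines, t = [], start
    for _ in range(failures):
        lines.append(f"{stamp(t)} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{stamp(t)} Logon       Login failed for user 'sa'. Reason: "
                     "Password did not match that for the login provided. [CLIENT: 203.0.113.5]")
        t += timedelta(milliseconds=200)
    lines.append(f"{stamp(t)} Logon       Login succeeded for user 'sa'. Connection made "
                 "using SQL Server authentication. [CLIENT: 203.0.113.5]")
    t += timedelta(seconds=3)
    lines.append(f"{stamp(t)} spid55      Configuration option 'xp_cmdshell' changed "
                 "from 0 to 1. Run the RECONFIGURE statement to install.")
    return "\n".join(lines)


if __name__ == "__main__":
    for f in analyze(parse_errorlog(build_sample_log())):
        print(f["at"], f["kind"], f["login"], f["client"], f["failures"])
```

On the constructed excerpt this reports the burst at the 20th failure, the success with all 35 failures still in the window, and the xp_cmdshell enablement by spid55. Keying on (login, client) keeps a single noisy client from masking another; a real deployment would also want the "success_after_burst" rule to fire when successes are not audited at all, which is exactly why turning on success auditing for the default administrator account is worth doing before an incident.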

Huntress says that, across the environments it protects, it has identified only 33 publicly exposed hosts running the Foundation software with unchanged default credentials. The company notified the affected customers, as well as others with the Foundation software in their environment, even if they were not impacted.

Organizations are advised to rotate all credentials associated with their Foundation software instances, keep their installations disconnected from the internet, and disable the exploited procedure where appropriate.

Related: Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks

Related: Vulnerabilities in PiiGAB Product Expose Industrial Organizations to Attacks

Related: Kaiji Botnet Successor ‘Chaos’ Targeting Linux, Windows Systems

Related: GoldBrute Botnet Brute-Force Attacking RDP Servers
