SecurityWeek


Threat Actors Target Accounting Software Used by Construction Contractors

Malicious hackers are caught brute-forcing Foundation Accounting Software at scale, compromising organizations in the construction industry.

Cybersecurity firm Huntress is raising the alarm on a wave of cyberattacks targeting Foundation Accounting Software, an application commonly used by contractors in the construction industry.

Starting September 14, threat actors have been observed brute-forcing the application at scale and using default credentials to gain access to victim accounts.

According to Huntress, multiple organizations in plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other sub-industries have been compromised via Foundation software instances exposed to the internet.

“While it is common to keep a database server internal and behind a firewall or VPN, the Foundation software features connectivity and access by a mobile app. For that reason, the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL,” Huntress said.

As part of the observed attacks, the threat actors are targeting a default system administrator account in the Microsoft SQL Server (MSSQL) instance within the Foundation software. The account has full administrative privileges over the entire server, which handles database operations.

Additionally, a second high-privilege account has been observed on multiple Foundation software instances, also left with default credentials. Both accounts allow attackers to access an extended stored procedure within MSSQL that enables them to execute OS commands directly from SQL, the company added.

By abusing the procedure, the attackers can “run shell commands and scripts as if they had access right from the system command prompt.”

According to Huntress, the threat actors appear to be using scripts to automate their attacks, as the same commands were executed on machines pertaining to several unrelated organizations within a few minutes.


In one instance, the attackers were seen executing roughly 35,000 brute force login attempts before successfully authenticating and enabling the extended stored procedure to start executing commands.

Huntress says that, across the environments it protects, it has identified only 33 publicly exposed hosts running the Foundation software with unchanged default credentials. The company notified the affected customers, as well as others with the Foundation software in their environment, even if they were not impacted.

Organizations are advised to rotate all credentials associated with their Foundation software instances, keep their installations disconnected from the internet, and disable the exploited procedure where appropriate.
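One way defenders can spot the brute-force pattern described above in SQL Server's own logs, as an added example that is not part of the original article or of Huntress's tooling: it parses constructed sample lines in the SQL Server ERRORLOG "Logon" format (an assumption about the log layout), counts failed logins per client and login name inside a sliding window, and records whether a later success from the same client followed the failures. The login name `sa` is the well-known default MSSQL sysadmin account; the three-failure threshold is illustrative, far below the 35,000 attempts the article reports.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server ERRORLOG "Logon" format (assumed
# layout: timestamp, source, message, client address). Successful logins only
# appear when login auditing is configured to record both failures and successes.
SAMPLE_LOG = """\
2024-09-14 10:15:22.45 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 10:15:22.61 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 10:15:22.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 10:15:22.95 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-14 10:15:23.12 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-09-14 10:20:01.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse(log_text):
    """Yield (timestamp, result, user, client) for every Logon line that matches."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["result"], m["user"], m["client"]


def detect(log_text, threshold=3, window=timedelta(minutes=5)):
    """Flag (client, user) pairs with >= threshold failures inside `window`.

    Each alert records the failure count seen at the last failure and whether a
    later successful login from the same client and user completed the attack.
    """
    failures = defaultdict(list)  # (client, user) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, client in parse(log_text):
        key = (client, user)
        if result == "failed":
            recent = [t for t in failures[key] if ts - t <= window] + [ts]
            failures[key] = recent
            if len(recent) >= threshold:
                alerts.setdefault(key, {"failures": 0, "success_after": False})
                alerts[key]["failures"] = len(recent)
        elif key in alerts:
            alerts[key]["success_after"] = True
    return alerts
```

A `success_after` of `True` is the higher-priority signal: it marks a host where the default credential was actually guessed, so credential rotation and a review of the procedure state matter more than on hosts that only show failures.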

Related: Cisco: Multiple VPN, SSH Services Targeted in Mass Brute-Force Attacks

Related: Vulnerabilities in PiiGAB Product Expose Industrial Organizations to Attacks

Related: Kaiji Botnet Successor ‘Chaos’ Targeting Linux, Windows Systems

Related: GoldBrute Botnet Brute-Force Attacking RDP Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
