Cybersecurity experts have raised alarm bells over a new threat targeting the construction industry. Hackers are actively exploiting weaknesses in deployments of Foundation, a widely used accounting software package, by launching brute force attacks against privileged accounts on unprotected servers.
The Anatomy of the Attack
According to specialists at Huntress, this malicious campaign was first detected on September 14, 2024. The attacks primarily affect companies in the plumbing, heating, ventilation, air conditioning, and concrete manufacturing sectors. Cybercriminals are taking advantage of weak security practices, such as unchanged default credentials for privileged accounts and inadequately protected servers.
Technical Vulnerabilities Exposed
The Foundation software package includes Microsoft SQL Server (MSSQL), which can be publicly accessible through TCP port 4243 to support a companion mobile application. This configuration leaves MSSQL servers vulnerable to external attacks. Hackers are specifically targeting two administrative accounts:
- The default MSSQL “sa” account
- The Foundation-specific “dba” account
If users haven’t changed the default passwords or have set weak ones, these accounts become easy targets for brute force attacks. Huntress reports observing aggressive campaigns reaching up to 35,000 attempts per hour on a single host.
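The campaign described above shows up on the victim side as a flood of failed logins against the "sa" and "dba" accounts from a small number of client addresses. The following detector is an added example written for this article, not code from Huntress or from Foundation; it assumes the SQL Server ERRORLOG "Login failed for user" line format (timestamp, "Logon" source, login name, "[CLIENT: ip]" suffix) and runs over constructed sample lines, flagging any login/client pair whose failures exceed a threshold inside a sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ERRORLOG line shape, e.g.
# 2024-09-14 03:15:00.00 Logon  Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.10]
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)

# The two privileged accounts the campaign targets.
WATCHED_LOGINS = {"sa", "dba"}


def parse_failed_logins(lines):
    """Yield (timestamp, login, client_ip) for every failed-login line; skip the rest."""
    for line in lines:
        m = FAILED_LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def detect_bruteforce(lines, window=timedelta(minutes=1), threshold=20, logins=WATCHED_LOGINS):
    """Return {(login, client_ip): peak_failures} for pairs whose failed logins reach
    `threshold` inside any sliding `window`. Only logins in `logins` are considered."""
    per_pair = defaultdict(list)
    for ts, user, client in parse_failed_logins(lines):
        if user.lower() in logins:
            per_pair[(user, client)].append(ts)

    alerts = {}
    for key, stamps in per_pair.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


def _line(ts, user, client):
    # Two-digit fractional seconds, as SQL Server prints them.
    stamp = f"{ts:%Y-%m-%d %H:%M:%S.%f}"[:-4]
    return (f"{stamp} Logon       Login failed for user '{user}'. "
            f"Reason: Password did not match that for the login provided. [CLIENT: {client}]")


def constructed_sample_log():
    """Constructed sample data for this example, not a real capture."""
    base = datetime(2024, 9, 14, 3, 15, 0)
    lines = []
    # 25 failures against 'sa' from one client in 25 seconds: a brute force burst.
    for i in range(25):
        lines.append(_line(base + timedelta(seconds=i), "sa", "203.0.113.10"))
    # 3 failures against 'dba' spread over 15 minutes: a user mistyping, not a burst.
    for i in range(3):
        lines.append(_line(base + timedelta(minutes=5 * i), "dba", "198.51.100.5"))
    # Failures against an unwatched application login, plus an unrelated log line.
    for i in range(2):
        lines.append(_line(base + timedelta(seconds=i), "appuser", "192.0.2.7"))
    lines.append(f"{base:%Y-%m-%d %H:%M:%S}.00 spid12s     SQL Server is now ready for client connections.")
    return lines


if __name__ == "__main__":
    for (user, client), count in detect_bruteforce(constructed_sample_log()).items():
        print(f"ALERT: {count} failed logins for '{user}' from {client} within one minute")
```

The threshold here is deliberately low so the sample triggers; the 35,000 attempts per hour the article reports is roughly ten per second, so any reasonable per-minute threshold catches a real burst while leaving ordinary mistyped passwords alone.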
Post-Breach Activities
Once attackers gain access, they enable the MSSQL xp_cmdshell extended stored procedure, which lets them execute operating system commands through SQL queries. So far, two primary commands have been observed in these attacks:
- ipconfig: To gather network configuration information
- wmic: To collect data about hardware, operating system, and user accounts
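Because xp_cmdshell runs its argument through a command shell, the post-breach activity above appears in process telemetry as sqlservr.exe spawning cmd.exe, which in turn spawns ipconfig.exe or wmic.exe. The triage routine below is an added example for this article, not code from Huntress or Foundation; it assumes flat process-creation records with pid, ppid, image, parent image and command line (a constructed shape, not any specific product's schema) in chronological order, and flags the SQL Server shell plus any reconnaissance command it launches.

```python
from pathlib import PureWindowsPath

# Command names the article reports being run through xp_cmdshell.
RECON_TOKENS = ("ipconfig", "wmic")


def _basename(path):
    return PureWindowsPath(path).name.lower()


def triage_process_events(events):
    """Return alerts for shells spawned by sqlservr.exe and for reconnaissance
    commands (ipconfig / wmic) launched from such a shell. Events must be in
    chronological order so a parent is seen before its children."""
    flagged_pids = set()
    alerts = []
    for ev in events:
        parent = _basename(ev["parent_image"])
        child = _basename(ev["image"])
        cmdline = ev["command_line"].lower()
        reason = None
        if parent == "sqlservr.exe" and child == "cmd.exe":
            reason = "shell spawned by SQL Server (xp_cmdshell pattern)"
        elif ev["ppid"] in flagged_pids and any(tok in cmdline for tok in RECON_TOKENS):
            reason = "reconnaissance command under SQL Server shell"
        if reason:
            flagged_pids.add(ev["pid"])
            alerts.append({"pid": ev["pid"], "image": child,
                           "command_line": ev["command_line"], "reason": reason})
    return alerts


def constructed_sample_events():
    """Constructed sample telemetry for this example, not a real capture."""
    sql = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
    cmd = r"C:\Windows\System32\cmd.exe"
    svc = r"NT SERVICE\MSSQLSERVER"
    return [
        # xp_cmdshell 'ipconfig /all'
        {"pid": 4120, "ppid": 1284, "parent_image": sql, "image": cmd,
         "command_line": 'cmd.exe /c ipconfig /all', "user": svc},
        {"pid": 4128, "ppid": 4120, "parent_image": cmd, "image": r"C:\Windows\System32\ipconfig.exe",
         "command_line": "ipconfig /all", "user": svc},
        # xp_cmdshell 'wmic computersystem get name,username'
        {"pid": 4200, "ppid": 1284, "parent_image": sql, "image": cmd,
         "command_line": "cmd.exe /c wmic computersystem get name,username", "user": svc},
        {"pid": 4210, "ppid": 4200, "parent_image": cmd, "image": r"C:\Windows\System32\wbem\WMIC.exe",
         "command_line": "wmic computersystem get name,username", "user": svc},
        # An administrator running the same command from Explorer: benign, not flagged.
        {"pid": 5000, "ppid": 900, "parent_image": r"C:\Windows\explorer.exe", "image": cmd,
         "command_line": "cmd.exe /c ipconfig", "user": r"CORP\admin"},
        {"pid": 5010, "ppid": 5000, "parent_image": cmd, "image": r"C:\Windows\System32\ipconfig.exe",
         "command_line": "ipconfig", "user": r"CORP\admin"},
    ]


if __name__ == "__main__":
    for a in triage_process_events(constructed_sample_events()):
        print(f"ALERT pid={a['pid']} {a['image']}: {a['command_line']} ({a['reason']})")
```

Keying the second rule on the flagged parent pid rather than on the command name alone is what keeps the administrator's identical ipconfig run out of the alert list; the signal is the SQL Server service account launching a shell, not the command itself.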
The Scale of the Threat
Researchers have identified 500 hosts running Foundation accounting software, with a concerning 33 instances where MSSQL databases were accessible using default administrative credentials. This highlights a significant security gap in the industry that needs immediate attention.
The construction industry must take urgent steps to protect its financial data and systems. Companies should immediately audit their Foundation software installations, change default passwords, implement strong authentication measures, and ensure proper network segmentation. Regular security assessments and employee training on cybersecurity best practices are crucial to mitigate such threats in the future. As cyber attacks continue to evolve, maintaining a proactive approach to security is no longer optional but a necessity for business continuity and data protection.