
Hackers use default credentials in FOUNDATION software to break into construction companies

Sep 19, 2024 | Ravi Lakshmanan | Cyber attack/hacking


According to new findings from Huntress, attackers are targeting the construction sector by infiltrating FOUNDATION accounting software.

“Attackers have been observed brute-force attacking the software at scale and gaining access by simply leveraging the product’s default credentials,” the cybersecurity firm said.

The new threat primarily targets the plumbing, HVAC (heating, ventilation and air conditioning), concrete and other related sub-industries.

FOUNDATION software includes a Microsoft SQL server (MS SQL) to handle database operations, and in some cases has TCP port 4243 open to allow direct access to the database via the mobile application.

Huntress said there are two high-privilege accounts on the server: “sa,” the default system administrator account, and “dba,” an account created by FOUNDATION, both of which are often left with their default credentials unchanged.


As a result, an attacker can brute-force the server's logins and then use the xp_cmdshell configuration option to run arbitrary shell commands.

“It’s an extended stored procedure that lets you execute operating system commands directly from SQL, allowing users to run shell commands and scripts as if they were accessing them directly from the operating system command line,” Huntress noted.

The first signs of this activity were detected by Huntress on September 14, 2024, when approximately 35,000 brute force login attempts were recorded to an MS SQL server on a single host before successful access was gained.
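The pattern Huntress describes above, a burst of failed logins against the "sa" or "dba" accounts followed by a success, as it would be detected from SQL Server error-log login audit lines. This is an added example, not Huntress's tooling or FOUNDATION code; the log lines are constructed, the client addresses are from documentation ranges, and the failure threshold is an assumption to be tuned locally.

```python
import re
from collections import defaultdict

# Matches SQL Server errorlog login-audit lines: "Login failed for user ..." (error 18456)
# and, when success auditing is enabled, "Login succeeded for user ...".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

WATCHED_LOGINS = {"sa", "dba"}  # the two high-privilege FOUNDATION accounts named in the article
FAIL_THRESHOLD = 20             # assumed: failures per (client, login) before we call it brute force

def parse_line(line):
    """Return a dict for a login audit line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "ok": m["result"] == "succeeded",
            "user": m["user"], "client": m["client"]}

def detect_bruteforce(lines, threshold=FAIL_THRESHOLD):
    """One alert per (client, login) that exceeded `threshold` failures; the alert also
    records whether a later success for that same pair followed the burst."""
    failures = defaultdict(int)
    compromised = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["user"] not in WATCHED_LOGINS:
            continue
        key = (ev["client"], ev["user"])
        if ev["ok"]:
            if failures[key] >= threshold:   # success only after a burst is the worrying case
                compromised.add(key)
        else:
            failures[key] += 1
    return [{"client": c, "login": u, "failures": n, "success_after_burst": (c, u) in compromised}
            for (c, u), n in sorted(failures.items()) if n >= threshold]

# Constructed sample log: 25 failures against 'sa' from one client, then a success from the
# same client, plus one stray 'dba' failure from elsewhere that stays below the threshold.
SAMPLE_LOG = [
    f"2024-09-14 03:10:{i:02d}.12 Logon       Login failed for user 'sa'. Reason: Password did not "
    f"match that for the login provided. [CLIENT: 203.0.113.5]" for i in range(25)
] + [
    "2024-09-14 03:11:00.45 Logon       Login succeeded for user 'sa'. Connection made using "
    "SQL Server authentication. [CLIENT: 203.0.113.5]",
    "2024-09-14 03:12:00.00 Logon       Login failed for user 'dba'. Reason: Password did not "
    "match that for the login provided. [CLIENT: 198.51.100.7]",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```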

Of the 500 hosts running FOUNDATION software on endpoints protected by the company, 33 were found to be publicly accessible with default credentials.

To minimize the risk of such attacks, it is recommended to change the default credentials for these accounts, stop exposing the application to the public internet where possible, and disable the xp_cmdshell option where it is not required.
