Summary: Unidentified hackers are targeting companies in the construction industry by exploiting vulnerabilities in the Foundation accounting software, particularly through brute-force login attempts. Researchers from Huntress have identified numerous instances of these attacks, highlighting the risks associated with default credentials and public accessibility of the software.
Threat Actor: Unidentified hackers
Victim: Construction companies
Key Points:
- Hackers are exploiting publicly accessible installations of Foundation software in the construction sector.
- Researchers observed nearly 35,000 brute-force login attempts against a single MSSQL database.
- Many Foundation users have not changed default passwords, making them vulnerable to attacks.
- Huntress identified 500 hosts running Foundation software, with 33 exposed using unchanged default credentials.
- The attacks highlight the risks of inadequate security measures in software with remote access features.
Unidentified hackers have targeted companies in the construction industry through accounting software known as Foundation, researchers said Tuesday.
The attackers go looking for installations of Foundation that are publicly accessible on the internet, then try combinations of default usernames and passwords that can allow for administrative access, according to cybersecurity firm Huntress.
The platform’s Ohio-based developer, Foundation Software, did not respond by publication time on Tuesday to a request for comment from Recorded Future News.
Huntress said it has seen active intrusions through the software among companies in the plumbing, concrete and heating, ventilation, and air conditioning (HVAC) industries. The researchers didn’t mention how successful the attacks were or what their goal was.
The researchers said they first discovered the malicious activity targeting Foundation last week. On one host, the researchers observed nearly 35,000 brute-force login attempts against the Microsoft SQL Server (MSSQL) used by the company to handle its database operations.
Normally, such databases are kept private and secured behind a firewall or virtual private network (VPN), but Foundation “features connectivity and access by a mobile app,” researchers said. This means that a certain TCP port — used to manage and distinguish network traffic on a computer — might be made available to the public, giving direct access to the MSSQL database.
In many cases, Foundation users kept the default, easy-to-guess passwords to protect high-privilege database accounts, according to the report. Researchers said they discovered 500 hosts running the Foundation software, and nearly 33 of them were publicly exposed with unchanged default credentials.
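The brute-force activity described above leaves failed-login entries in the SQL Server error log when login auditing is enabled. The following added example, which is not code from Huntress or the article, counts those entries per client address and marks a successful login that follows a burst; the `sa` and `jsmith` account names, the threshold, the window and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server ERRORLOG login-audit lines (requires login auditing to be enabled).
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Report clients with >= threshold failed logins inside `window`,
    plus any successful login from such a client after the burst."""
    recent = defaultdict(list)   # client -> failure timestamps still inside the window
    totals = defaultdict(int)    # client -> all failed logins seen
    users = defaultdict(set)     # client -> account names tried
    flagged = {}                 # client -> [(timestamp, user)] successes after a burst
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue             # e.g. the "Error: 18456, Severity: 14" header line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        client, user = m["client"], m["user"]
        if m["result"] == "failed":
            totals[client] += 1
            users[client].add(user)
            recent[client] = [t for t in recent[client] if ts - t <= window] + [ts]
            if len(recent[client]) >= threshold:
                flagged.setdefault(client, [])
        elif client in flagged:
            flagged[client].append((m["ts"], user))
    return {c: {"failures": totals[c], "users": sorted(users[c]),
                "success_after_burst": hits} for c, hits in flagged.items()}

# Constructed sample lines (documentation/private IP ranges, made-up account "jsmith").
FAIL = ("2024-09-12 03:14:{:02d}.10 Logon       Login failed for user '{}'. Reason: "
        "Password did not match that for the login provided. [CLIENT: {}]")
OK = ("2024-09-12 03:14:{:02d}.10 Logon       Login succeeded for user '{}'. "
      "Connection made using SQL Server authentication. [CLIENT: {}]")
SAMPLE_LOG = (
    [FAIL.format(s, "sa", "203.0.113.25") for s in range(5, 29, 4)]  # six failures
    + [OK.format(31, "sa", "203.0.113.25")]
    + [FAIL.format(40, "jsmith", "10.0.0.14"), OK.format(45, "jsmith", "10.0.0.14")]
)

if __name__ == "__main__":
    for client, info in find_bruteforce(SAMPLE_LOG).items():
        print(client, info)
```

A non-empty `success_after_burst` list is the entry to triage first, since it means a guessed password may have worked.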
“In addition to notifying those where we saw suspicious activity, we also sent out a precautionary advisory notification to any of our customers and partners who have the FOUNDATION software in their environment,” Huntress said.
Source: https://therecord.media/foundation-software-construction-industry-accounting-software-vulnerability