Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to new findings from Huntress.
“Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product’s default credentials,” the cybersecurity firm said.
Targets of the emerging threat include plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other related sub-industries.
The FOUNDATION software ships with a Microsoft SQL (MS SQL) Server to handle database operations and, in some instances, has TCP port 4243 open so that a mobile app can access the database directly.
Huntress said the server includes two high-privileged accounts: “sa,” the default system administrator account, and “dba,” an account created by FOUNDATION, both of which are often left with their default credentials unchanged.
As a result, threat actors could brute-force the server and leverage the xp_cmdshell configuration option to run arbitrary shell commands.
“This is an extended stored procedure that allows the execution of OS commands directly from SQL, enabling users to run shell commands and scripts as if they had access right from the system command prompt,” Huntress noted.
The first signs of the activity were detected by Huntress on September 14, 2024, with about 35,000 brute-force login attempts recorded against an MS SQL server on one host before access was successfully gained.
Of the 500 hosts running the FOUNDATION software across the endpoints protected by the company, 33 were found to be publicly accessible with default credentials.
To mitigate the risk posed by such attacks, it is recommended to rotate default account credentials, stop exposing the application over the public internet where possible, and disable the xp_cmdshell option where appropriate.
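The brute-force pattern described above (thousands of failed logins against the "sa" and "dba" accounts from one client, followed by a successful login) can be spotted in the SQL Server ERRORLOG. The following detector is an added example, not code from Huntress or the article; it assumes the instance's login auditing is set to record both failed and successful logins, and the log lines it parses are constructed samples in the ERRORLOG format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not from the article); 203.0.113.5 and
# 198.51.100.7 are documentation addresses used as stand-ins for client IPs.
SAMPLE_LOG = """\
2024-09-14 02:10:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-14 02:10:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:04.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:05.62 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:10:06.78 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 02:11:00.40 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2024-09-14 02:12:30.77 Logon       Login succeeded for user 'dba'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
"""

# Matches the "Login failed/succeeded" lines; the separate "Error: 18456" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]\s]+)\]"
)

def parse(log_text):
    """Return (timestamp, result, user, client_ip) tuples for each logon event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag a client once its failures within `window` reach `threshold`,
    and flag any successful login from a client that is still in such a burst."""
    failures = defaultdict(list)  # client_ip -> timestamps of recent failed logins
    alerts = []
    for ts, result, user, ip in parse(log_text):
        recent = [t for t in failures[ip] if ts - t <= window]  # drop stale failures
        if result == "failed":
            recent.append(ts)
            if len(recent) == threshold:  # alert once when the burst first crosses the line
                alerts.append(("bruteforce", ip, user, len(recent)))
        elif len(recent) >= threshold:  # password guessing that paid off
            alerts.append(("success_after_bruteforce", ip, user, len(recent)))
        failures[ip] = recent
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert kind is the one worth paging on: a success from a client that just generated a failure burst is the moment a default or guessed credential worked.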