Construction Firms Targeted by Hackers via FOUNDATION Software
Emerging Threat in Construction Sector: A recent report by Huntress describes attackers targeting the construction industry through FOUNDATION Accounting Software. The weakness is not a bug in the application itself but the default credentials of the Microsoft SQL (MS SQL) Server database that FOUNDATION, a widely used financial-management package, relies on for its data storage.
How Hackers Exploit Default Credentials
The attack vector centers on default credentials, the pre-set usernames and passwords that ship with the software. In many deployments these are never changed, so an attacker who knows or guesses them gets in with minimal effort. What makes this reachable from the internet is that FOUNDATION installations frequently expose the MS SQL Server instance on TCP port 4243 so that the vendor's mobile application can connect to it. That same open port gives an attacker a direct path to the database login prompt, with no need to go through the application at all. Whether your own instance is reachable is easy to verify: scan your public address range for TCP 4243 (and the standard SQL Server port 1433) from outside the network.
Accounts at Risk: Two high-privilege logins are involved, "sa" and "dba". "sa" is SQL Server's built-in system administrator login, a member of the sysadmin role on every instance. "dba" is a login created by the FOUNDATION installer. Both frequently retain their factory-set passwords, which makes them prime targets: an attacker with either login has full administrative control of the database engine.
The Mechanics of the Attack
Brute-force attacks are high-volume password guessing: the attacker submits candidate passwords (default and vendor passwords first, then large wordlists) against the exposed login until one is accepted. Once authenticated as a sysadmin-level login, the attacker turns to xp_cmdshell, an extended stored procedure in SQL Server that passes a string to the Windows command shell and returns the output. Commands run under the SQL Server service account, so this effectively gives the attacker a command prompt on the database host. xp_cmdshell is disabled by default, but that is only a speed bump: any member of the sysadmin role can switch it back on with sp_configure, which is exactly what an attacker holding "sa" or "dba" is able to do.
Recorded Incidents and Impact
Huntress first observed the activity on September 14, 2024. On one host it logged approximately 35,000 failed login attempts against the MS SQL instance before an attacker authenticated successfully, a volume that is hard to miss if failed logins are being watched at all. Across roughly 500 hosts running FOUNDATION in Huntress's telemetry, 33 still had the default credentials in place, a significant security oversight given how exposed these servers are.
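The two signals described above, a burst of failed logins against a privileged SQL login and xp_cmdshell being switched on, both land in the SQL Server error log. The following T-SQL is an added hunting query written for this page; it is not from the Huntress report or from FOUNDATION, and the 100-attempt threshold and 24-hour window are assumptions to tune for your environment. It reads the current error log with xp_readerrorlog, pulls the login name and client address out of each "Login failed" line, and separately lists every time the xp_cmdshell option was changed. It assumes the instance's login auditing is set to record failed logins (the default) and must be run by a login that can read the error log (sysadmin or securityadmin).

```sql
-- Added hunting example (not from Huntress or FOUNDATION): find brute-force bursts
-- against SQL logins and any switch-on of xp_cmdshell, using only the error log.
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(50), [Text] nvarchar(max));

-- Current log (0) of type SQL Server (1), filtered to the two strings of interest.
-- If the log has cycled, repeat with archive numbers 1, 2, ... as needed.
INSERT INTO #errlog EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';
INSERT INTO #errlog EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 1. Failed logins per (login, client) in the last 24 hours (assumed window).
--    Message shape: Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
;WITH failures AS (
    SELECT LogDate,
           SUBSTRING([Text],
                     CHARINDEX('''', [Text]) + 1,
                     CHARINDEX('''', [Text], CHARINDEX('''', [Text]) + 1)
                       - CHARINDEX('''', [Text]) - 1)                  AS LoginName,
           SUBSTRING([Text],
                     CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                       - CHARINDEX('[CLIENT: ', [Text]) - 9)           AS ClientAddr
    FROM #errlog
    WHERE [Text] LIKE 'Login failed for user%'
      AND [Text] LIKE '%[[]CLIENT: %'          -- [[] escapes the bracket for LIKE
      AND LogDate >= DATEADD(hour, -24, GETDATE())
)
SELECT LoginName, ClientAddr,
       COUNT(*)     AS Attempts,
       MIN(LogDate) AS FirstSeen,
       MAX(LogDate) AS LastSeen
FROM failures
GROUP BY LoginName, ClientAddr
HAVING COUNT(*) >= 100                       -- assumed threshold; tune for your site
    OR LoginName IN ('sa', 'dba')            -- any volume against these is worth a look
ORDER BY Attempts DESC;

-- 2. sp_configure writes a line to the error log whenever an option changes, so a
--    change of xp_cmdshell from 0 to 1 that you did not make is a post-compromise sign.
SELECT LogDate, [Text]
FROM #errlog
WHERE [Text] LIKE '%xp_cmdshell%changed from 0 to 1%'
ORDER BY LogDate DESC;
```

The same failed-login events are also written to the Windows Application event log as MSSQLSERVER event 18456, so a SIEM rule keyed on that event ID with a count threshold per source address gives the first half of this query without touching the database.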
Recommended Mitigation Strategies
To protect against these types of attacks, experts recommend several measures:
- Change Default Credentials: Set strong, unique passwords on both "sa" and "dba" immediately, with password policy enforcement turned on for the logins. If nothing in your deployment needs "sa" itself (confirm with the vendor before changing it), disable that login outright so the best-known SQL Server account is not reachable at all.
- Restrict Public Access: Do not expose the database over the public internet unless absolutely necessary. Limit TCP 4243 (and 1433) at the host and network firewall to the specific addresses that need them, or place the mobile-app path behind a VPN. The 33 exposed installations in the report were compromised because the login prompt was reachable by anyone.
- Disable xp_cmdshell: Turn the option off so that a stolen login does not immediately become a command prompt on the host. Treat this as one layer, not a fix on its own: a sysadmin login can re-enable it, so also review which logins hold sysadmin and keep that list as short as possible.
- Watch for Failed Logins: Tens of thousands of failed attempts preceded the breach Huntress observed. Alerting on failed SQL logins against "sa" and "dba", and on any change to the xp_cmdshell setting, turns this attack from a silent one into a noisy one.
These steps are crucial for safeguarding sensitive financial data within the construction sector against emerging cyber threats.
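The credential, privilege and xp_cmdshell steps above can be audited and applied from a single T-SQL session. The script below is an added example for this page, not vendor or Huntress code, and it assumes a sysadmin connection to the FOUNDATION instance. The password literals are placeholders to be replaced with long random values, and the vendor default that PWDCOMPARE tests against is deliberately left as a placeholder rather than reproduced here. The network-restriction step is done at the firewall, not in SQL, and is therefore not part of the script.

```sql
-- Added hardening example (not FOUNDATION's or Huntress's code). Run as sysadmin.
-- Placeholders in <angle brackets> must be replaced before running.
SET NOCOUNT ON;

-- Audit 1: who holds sysadmin? Brute-forcing a sysadmin login is what makes
-- xp_cmdshell reachable, so every name here must be accounted for.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals sp
JOIN sys.server_role_members rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals r    ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- Audit 2: does any SQL login still have a known password? PWDCOMPARE checks a
-- clear-text candidate against the stored hash. Supply the vendor-documented
-- default as @candidate; also show the two targeted logins regardless.
DECLARE @candidate nvarchar(128) = N'<vendor default password from FOUNDATION docs>';
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE(@candidate, password_hash) = 1
   OR name IN ('sa', 'dba');

-- Audit 3: is xp_cmdshell on? value_in_use = 1 means any sysadmin gets OS commands.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- Remediation 1: rotate both logins and enforce the Windows password policy.
ALTER LOGIN [dba] WITH PASSWORD = N'<new long random password>', CHECK_POLICY = ON;
ALTER LOGIN [sa]  WITH PASSWORD = N'<new long random password>', CHECK_POLICY = ON;
-- If the vendor confirms nothing connects as sa, take it off the table entirely.
ALTER LOGIN [sa] DISABLE;

-- Remediation 2: turn xp_cmdshell off. Caveat: a sysadmin login can reverse this
-- with the same statements (1 instead of 0), so Audit 1 is the durable control.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Re-run the three audit queries after remediation: the PWDCOMPARE check should return no rows for the default candidate, "sa" should show is_disabled = 1, and xp_cmdshell should show value_in_use = 0.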
Understanding Terminology
- Default Credentials: The username and password a product ships with or that its installer creates. Because they are the same on every installation and usually documented, they must be changed before the system is exposed to any network.
- Brute-force Attack: A password-guessing attack that submits many candidate passwords (defaults and wordlists first) against a login until one is accepted.
- xp_cmdshell: An extended stored procedure in SQL Server that runs a string in the Windows command shell under the SQL Server service account. It is disabled by default, can only be used by sysadmin members (or logins they explicitly grant), and turns any stolen administrative login into command execution on the host.
By understanding these terms and implementing the recommended security practices, construction firms can better protect themselves from these types of cyber threats.