Huntress, a cybersecurity company, has discovered a serious security weakness in Foundation accounting software, which is widely used by general contractors in the construction industry. Threat actors are actively exploiting it, with plumbing, HVAC, and concrete subcontractors affected in particular. The weakness lies in how the software exposes its Microsoft SQL Server (MSSQL) database, on which it relies for its database operations.
On September 14, researchers noted an unusual series of host and domain enumeration commands spawned by the `sqlservr.exe` process. Investigating, they found that the software's mobile-app feature opens TCP port 4243, which provides direct access to the MSSQL instance. Foundation database servers that would normally sit behind a firewall were therefore reachable from the public Internet on this port.
MSSQL also ships with a built-in system administrator account, “sa,” which holds full administrative privileges over the instance. Threat actors have been observed brute-forcing this account and logging in with default credentials. Max Rogers, Senior Director of Huntress’ Threat Operations Center, flagged the suspicious activity on September 14.
Rogers stated that Huntress has been seeing “widespread attacks against construction companies.” Upon detecting suspicious activity, Huntress isolated affected machines and initiated an investigation. The company also notified any affected individuals and sent precautionary advisories to Huntress customers using the software in their environments.
Vulnerability exposes contractors to attacks
Huntress discovered about 500 hosts running the software, with 33 of them publicly exposed and using default credentials. John Hammond, Principal Security Researcher at Huntress, explained that despite the seemingly small number of affected hosts, there are third-party risks to consider as affected customers may have internal connections to other organizations. He emphasized that the security shortcoming provides attackers with “immediate and open-door access.”
Once authenticated as sa, the attackers use that privilege to run operating-system commands and scripts from the database server itself (the xp_cmdshell extended stored procedure is the usual route, which is why the enumeration activity showed up as child processes of `sqlservr.exe`), and they script these steps to automate the intrusion.
Two commands seen repeatedly in the attacks are 'ipconfig', to retrieve network configuration details, and 'wmic', to extract information about the hardware, operating system, and user accounts. In response, experts recommend that organizations running Foundation software rotate their credentials regularly and keep installations off the Internet to reduce the risk of such breaches. Huntress also recommended disabling xp_cmdshell where possible and removing the application from the public Internet wherever feasible.
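Huntress' observation that the enumeration commands came from `sqlservr.exe` is itself a usable detection: the SQL Server engine process should almost never spawn a shell. The script below is an added example, not code from Huntress or from the Foundation software, that runs that check over a handful of constructed process-creation records (Sysmon Event ID 1 fields; the hostnames, paths, users and command lines are made up) and flags every child of `sqlservr.exe`, ranking the ipconfig/wmic-style reconnaissance described above highest. It also looks through the `cmd.exe /c` wrapper that xp_cmdshell puts around its argument, so the flagged binary is the one the attacker actually asked for.

```python
"""Flag OS commands spawned by the SQL Server engine (xp_cmdshell-style execution).

Added example, not part of the Huntress report. Input records mimic Sysmon
Event ID 1 (process creation) fields; all hosts, paths and commands below are
constructed test data.
"""
import re

# Programs that, when run from sqlservr.exe, look like the host/domain
# enumeration Huntress observed (ipconfig, wmic) plus common companions.
RECON_BINARIES = {
    "ipconfig", "wmic", "whoami", "net", "net1", "nltest", "systeminfo",
    "hostname", "nslookup", "arp", "netstat", "tasklist", "quser",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def basename(path):
    """Lower-cased final path component; works for bare names and full paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted spans as one token."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def executed_binary(cmdline):
    """Return the program actually run, looking through cmd.exe /c wrappers.

    xp_cmdshell hands its argument to cmd.exe, so the interesting binary is
    usually one layer down (cmd.exe /c ipconfig /all -> ipconfig).
    """
    toks = tokens(cmdline)
    while toks and basename(toks[0]) in ("cmd", "cmd.exe"):
        i = 1
        while i < len(toks) and toks[i].startswith("/"):  # /c, /k, /q, /d ...
            i += 1
        rest = toks[i:]
        if len(rest) == 1:  # cmd /c "wmic useraccount get name" -> re-split the quoted part
            rest = tokens(rest[0])
        toks = rest
    if not toks:
        return None
    name = basename(toks[0])
    return name[:-4] if name.endswith(".exe") else name


def classify(event):
    """Return a finding for a child of sqlservr.exe, or None for anything else."""
    if basename(event["ParentImage"]) != "sqlservr.exe":
        return None
    child = basename(event["Image"])
    binary = executed_binary(event["CommandLine"])
    if binary in RECON_BINARIES:
        severity, reason = "high", f"host/domain enumeration ({binary}) from the SQL engine"
    elif child in SHELLS:
        severity, reason = "medium", f"{child} spawned by sqlservr.exe"
    else:
        severity, reason = "low", f"unexpected child process {child} of sqlservr.exe"
    return {
        "host": event["host"], "user": event["User"], "severity": severity,
        "binary": binary, "reason": reason, "command": event["CommandLine"],
    }


def detect(events):
    """Run classify() over a stream of process-creation events."""
    findings = (classify(e) for e in events)
    return [f for f in findings if f is not None]


# Constructed sample: three xp_cmdshell-style children of sqlservr.exe and one
# benign admin command from a desktop shell, which must not be flagged.
_SQL = r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_EVENTS = [
    {"host": "FND-SQL01", "User": r"NT SERVICE\MSSQLSERVER", "ParentImage": _SQL,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"host": "FND-SQL01", "User": r"NT SERVICE\MSSQLSERVER", "ParentImage": _SQL,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c "wmic useraccount get name,sid"'},
    {"host": "FND-SQL01", "User": r"NT SERVICE\MSSQLSERVER", "ParentImage": _SQL,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -c "Get-ChildItem C:\\Users"'},
    {"host": "FND-WS07", "User": r"FND\jsmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['host']} {f['user']}: {f['reason']} :: {f['command']}")
```

Pointed at real Sysmon or EDR process telemetry, the same parent-image check catches xp_cmdshell abuse whether the attacker brute-forced sa or simply used the default password, since it keys on the engine process spawning a shell rather than on any credential. The desktop `ipconfig` in the sample shows why the parent matters: the command itself is routine, and only its origin in `sqlservr.exe` makes it suspicious.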
Tracie Kuczkowski, Vice President of Marketing at the software company, stated: “The event potentially impacted a small subset of on-premise users. It did not affect the majority of our accounting users under our secure, cloud-based SaaS offering, nor did it impact our internal systems or other product offerings. The vulnerabilities arose due to not following security best practices, such as resetting default credentials.
We are providing technical support to mitigate these issues.”
As cyber threats evolve, staying vigilant and proactive in safeguarding digital assets remains crucial for organizations in all industries. Communication between Huntress and the software company is ongoing, as they work together to address the vulnerability and protect their customers from further attacks.