Risk actors have been noticed focusing on the development sector by infiltrating the FOUNDATION Accounting Software program, in keeping with new findings from Huntress.
“Attackers have been noticed brute-forcing the software program at scale, and gaining entry just by utilizing the product’s default credentials,” the cybersecurity firm stated.
Targets of the rising menace embody plumbing, HVAC (heating, air flow, and air-con), concrete, and different associated sub-industries.
The FOUNDATION software program comes with a Microsoft SQL (MS SQL) Server to deal with database operations, and, in some instances, has the TCP port 4243 open to immediately entry the database by way of a cell app.
Huntress stated the server consists of two high-privileged accounts, together with “sa,” a default system administrator account, and “dba,” an account created by FOUNDATION, which are usually left with unchanged default credentials.
A consequence of this motion is that menace actors might brute-force the server and leverage the xp_cmdshell configuration choice to run arbitrary shell instructions.
“That is an prolonged saved process that enables the execution of OS instructions immediately from SQL, enabling customers to run shell instructions and scripts as if that they had entry proper from the system command immediate,” Huntress famous.
First indicators of the exercise was detected by Huntress on September 14, 2024, with about 35,000 brute-force login makes an attempt recorded towards an MS SQL server on one host earlier than gaining profitable entry.
Of the five hundred hosts working the FOUNDATION software program throughout the endpoints protected by the corporate, 33 of them have been discovered to be publicly accessible with default credentials.
To mitigate the danger posed by such assaults, it is advisable to rotate default account credentials, stop exposing the applying over the general public web if attainable, and disable the xp_cmdshell choice the place acceptable.