Threat actors have been observed targeting the construction sector by infiltrating the FOUNDATION Accounting Software, according to new findings from Huntress.
"Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product's default credentials," the cybersecurity company said.
Targets of the emerging threat include plumbing, HVAC (heating, ventilation, and air conditioning), concrete, and other related sub-industries.
The FOUNDATION software ships with a Microsoft SQL (MS SQL) Server to handle database operations and, in some cases, has TCP port 4243 open to give a mobile app direct access to the database.
Huntress said the server includes two high-privileged accounts: "sa," the default system administrator account, and "dba," an account created by FOUNDATION. Both are often left with their default credentials unchanged.
As a result, threat actors can brute-force the server and leverage the xp_cmdshell configuration option to run arbitrary shell commands.
"This is an extended stored procedure that allows the execution of OS commands directly from SQL, enabling users to run shell commands and scripts as if they had access right from the system command prompt," Huntress noted.
The first signs of the activity were detected by Huntress on September 14, 2024, with about 35,000 brute-force login attempts recorded against an MS SQL server on one host before access was successfully gained.
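A brute-force burst of the size Huntress describes leaves a trace on the database side: under SQL Server's default login-auditing setting, every failed password attempt is written to the SQL Server error log as an error 18456 line that names the login and the client address. The T-SQL below is an added example, not code from Huntress or from FOUNDATION, that parses such lines and flags any client address producing many failures against one login. The log rows are constructed for the example (30 failures against "sa" from one address, two ordinary typos from an internal one); the commented xp_readerrorlog call shows how to load real rows, and the threshold of 10 is an assumption to tune.

```sql
-- Added example (not Huntress or FOUNDATION code): flag password-guessing bursts
-- against an MS SQL instance using its own error log (error 18456 lines).
SET NOCOUNT ON;

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     datetime2(0)  NOT NULL,
    ProcessInfo nvarchar(50)  NOT NULL,
    LogText     nvarchar(max) NOT NULL
);

-- Constructed sample rows in the shape SQL Server writes them.
-- On a live instance, replace the sample inserts with:
--   INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
--   EXEC xp_readerrorlog 0, 1, N'Login failed';
DECLARE @burst nvarchar(max) =
    N'Login failed for user ''sa''. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]';
DECLARE @i int = 0;
WHILE @i < 30   -- one address hammering 'sa', one attempt per second
BEGIN
    INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
    VALUES (DATEADD(second, @i, '2024-09-14 02:10:00'), N'Logon', @burst);
    SET @i += 1;
END;
-- Two ordinary typos from an internal address, well below any sensible threshold.
INSERT INTO #errlog (LogDate, ProcessInfo, LogText) VALUES
    ('2024-09-14 08:01:12', N'Logon', N'Login failed for user ''dba''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]'),
    ('2024-09-14 08:01:40', N'Logon', N'Login failed for user ''dba''. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.21]');

-- Pull the login name (between the first pair of quotes) and the client
-- address (between "[CLIENT: " and "]") out of each failed-login line.
WITH failed AS (
    SELECT
        LogDate,
        SUBSTRING(LogText,
                  CHARINDEX('''', LogText) + 1,
                  CHARINDEX('''', LogText, CHARINDEX('''', LogText) + 1)
                    - CHARINDEX('''', LogText) - 1)              AS LoginName,
        SUBSTRING(LogText,
                  CHARINDEX('[CLIENT: ', LogText) + 9,
                  CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
                    - CHARINDEX('[CLIENT: ', LogText) - 9)       AS ClientAddr
    FROM #errlog
    WHERE LogText LIKE 'Login failed for user%'
      AND LogText LIKE '%[[]CLIENT: %'
)
SELECT ClientAddr,
       LoginName,
       COUNT(*)     AS Failures,
       MIN(LogDate) AS FirstSeen,
       MAX(LogDate) AS LastSeen
FROM failed
GROUP BY ClientAddr, LoginName
HAVING COUNT(*) >= 10   -- assumed threshold; tune per environment
ORDER BY Failures DESC;
```

Run against the sample data, the query returns a single row for 203.0.113.5 against "sa" and drops the internal address. Note that the default audit level records failed logins only, so the successful login that ends a burst does not appear here; pairing this with a sudden stop in failures from the same address, or with an audit that also captures successful logins, is what turns the 35,000-attempt pattern into an actionable alert.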
Of the 500 hosts running the FOUNDATION software across the endpoints protected by the company, 33 were found to be publicly accessible with default credentials.
To mitigate the risk posed by such attacks, it is recommended to rotate the default account credentials, stop exposing the application over the public internet where possible, and disable the xp_cmdshell option where appropriate.
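Two of the three mitigations can be verified and applied on the SQL Server instance itself. The script below is an added example, not code from Huntress or from FOUNDATION: it reports whether xp_cmdshell is on, turns it off, checks whether the "sa" and "dba" logins have ever had their password rotated since creation, and rotates them. The replacement passwords are placeholders, and the final commented step (disabling "sa" where no application needs it) goes beyond what the report recommends and is standard SQL Server hardening rather than a FOUNDATION-specific instruction.

```sql
-- Added example (not Huntress or FOUNDATION code): verify and apply the
-- SQL-side mitigations on the instance that backs FOUNDATION.
SET NOCOUNT ON;

-- 1. Is xp_cmdshell currently enabled? (value_in_use = 1 means yes)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Turn it off. 'show advanced options' must be on to change it; it is
--    switched back off afterwards so advanced settings are not left exposed.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Review the two high-privilege SQL logins named in the report. A login whose
--    password was last set at (or before) creation has never been rotated.
SELECT l.name,
       l.is_disabled,
       l.create_date,
       CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime) AS password_last_set,
       CASE WHEN CAST(LOGINPROPERTY(l.name, 'PasswordLastSetTime') AS datetime)
                 < DATEADD(minute, 1, l.create_date)
            THEN 'NEVER ROTATED' ELSE 'rotated' END                   AS rotation_status
FROM sys.sql_logins AS l
WHERE l.name IN (N'sa', N'dba');

-- 4. Rotate the credentials. The values below are placeholders: generate real
--    passwords from a secrets manager or password generator and store them there.
ALTER LOGIN [sa]  WITH PASSWORD = N'<replace-with-generated-password>';
ALTER LOGIN [dba] WITH PASSWORD = N'<replace-with-generated-password>';

-- 5. Beyond the report's advice: where nothing legitimately connects as 'sa'
--    (applications should use a least-privilege login), disable it outright.
-- ALTER LOGIN [sa] DISABLE;
```

The third mitigation, removing public exposure, is not something T-SQL can do: the SQL Server listener and the TCP port 4243 used by the mobile app need to be closed at the perimeter firewall or restricted to the networks that actually need them. Changing the "dba" password should be coordinated with whoever administers FOUNDATION, since the application itself authenticates with that login.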