Construction Industry Under Siege: Brute Force Attacks Target Foundation Accounting Software

Cybercriminals are intensifying efforts to breach corporate networks of construction firms by targeting exposed Foundation accounting servers. This particular software, extensively used within the construction industry, has become a prime target for hackers due to weak security measures on privileged accounts.

Attack Overview

  • Researchers from Huntress detected malicious activity on Foundation accounting software servers starting on September 14, 2024.
  • Attackers are brute-forcing passwords on accounts with highly privileged access to exposed servers, specifically targeting plumbing, HVAC, concrete, and other construction sub-industries.

Open Ports and Weak Passwords

  • The Microsoft SQL Server (MSSQL) used by Foundation is publicly exposed via TCP port 4243 to support a companion mobile app.
  • Two default admin accounts, 'sa' and 'dba', are frequently targeted. Servers with default or weak passwords on these accounts are vulnerable to hijacking.

Aggressive Brute-Force Attacks

  • Some servers experienced up to 35,000 brute force attempts per hour, overwhelming defenses and eventually cracking passwords.
  • Once inside, attackers activate the xp_cmdshell feature, allowing them to run system commands like ‘ipconfig’ and ‘wmic’, collecting network and system data.

SQL server process spawning cmd for command execution on Windows

Widespread Impact

  • Huntress monitored three million endpoints and identified 500 hosts running the vulnerable software, of which 33 publicly exposed MSSQL databases with default credentials.
  • While the cloud-based version of Foundation remains secure, the on-premise variant has been the primary target of these attacks.

Defensive Measures

  • Foundation Software has acknowledged the issue and recommended steps to mitigate the risks, advising users to rotate credentials and close unnecessary public ports.
  • Huntress further recommends not exposing MSSQL servers unless necessary and to disable default accounts or enforce stronger password policies.

This attack serves as a stark reminder that strong password practices and secure configurations are critical in preventing breaches. Net Protector Cyber Security offers advanced solutions to safeguard organizations against such threats by hardening security and monitoring for brute force attempts across vulnerable systems.