Recent cybersecurity research has revealed that cybercriminals are exploiting vulnerabilities in FOUNDATION Accounting Software, specifically targeting the construction sector. Huntress, a well-known cybersecurity company, has identified a surge in brute-force attacks that compromise the software using default credentials. These attacks are threatening a range of construction sub-industries, including plumbing, HVAC (heating, ventilation, and air conditioning), and concrete services.
FOUNDATION Accounting Software Vulnerability Exploited
Huntress reports that attackers have been infiltrating the FOUNDATION software by leveraging default login credentials that are often left unchanged. The software, used widely across construction-related industries, includes a Microsoft SQL (MS SQL) Server to manage its databases, and in some deployments that server is exposed on TCP port 4243 so a mobile app can reach it. This exposure gives attackers a direct path to the database. Two high-privilege accounts, “sa” (the default system administrator) and “dba” (an account created by FOUNDATION), have been found with their default passwords still intact. Once accessed, these accounts grant significant control over the system, making them a prime target for brute-force attacks.
Database Exploitation through xp_cmdshell
The attackers are not just infiltrating the system but also leveraging an MS SQL feature called xp_cmdshell, which allows users to execute operating system commands directly from the SQL database. This functionality, typically used for legitimate purposes, can be exploited by threat actors to run arbitrary shell commands, potentially gaining complete control over the system. Huntress explained that this extended stored procedure essentially gives attackers command-line access, making it easier for them to run scripts and perform unauthorized tasks as though they were using the system’s own command prompt.
Huntress first detected suspicious activity on September 14, 2024, after observing approximately 35,000 brute-force login attempts on a single MS SQL server before gaining access. Out of 500 hosts using FOUNDATION Accounting Software, 33 were found to be publicly accessible with default credentials, underscoring the widespread vulnerability across the construction sector.
Mitigation and Recommendations
To protect against these evolving threats, Huntress has issued several critical recommendations for companies using FOUNDATION Accounting Software. They emphasize the importance of rotating default account credentials, which are often the weakest link in system security. Additionally, companies are advised to stop exposing the software over the public internet whenever possible. Disabling the xp_cmdshell configuration option is also a key step in reducing the risk, since this feature is what lets an attacker who has obtained database access go on to run operating system commands on the host.
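As an added example, not code from the article or from Huntress, the following T-SQL audits and applies the recommendations above on the MS SQL Server instance behind FOUNDATION: it checks and disables xp_cmdshell, rotates the “sa” and “dba” passwords, and confirms failed logins are being recorded. The “dba” login name is the one the article names; the password values are placeholders to replace with vault-managed secrets.

```sql
-- Added hardening script (not from the article or Huntress).
-- Run as a sysadmin with sqlcmd or SSMS against the FOUNDATION instance.

-- 1. Check whether xp_cmdshell is currently enabled (value_in_use = 1).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Disable xp_cmdshell. It is an "advanced option", so that switch
--    has to be turned on to change it, then turned back off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Review the two high-privilege SQL logins the article names:
--    are they enabled, and is the Windows password policy enforced?
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE name IN ('sa', 'dba');

-- 4. Rotate the default passwords and enforce password policy.
--    Placeholders below must be replaced with unique, long secrets.
ALTER LOGIN [dba] WITH PASSWORD = N'<REPLACE-WITH-STRONG-SECRET-1>', CHECK_POLICY = ON;
ALTER LOGIN [sa]  WITH PASSWORD = N'<REPLACE-WITH-STRONG-SECRET-2>', CHECK_POLICY = ON;

-- 5. If nothing legitimately connects as 'sa', disable it outright so
--    brute-forcing its password cannot succeed at all.
ALTER LOGIN [sa] DISABLE;

-- 6. Confirm brute-force attempts are being logged. SQL Server audits
--    failed logins by default; each failure (error 18456) lands in the
--    SQL Server error log, which this reads back for the current log
--    (first argument 0) of type SQL error log (second argument 1).
EXEC xp_readerrorlog 0, 1, N'Login failed for user';
```

A sudden run of thousands of such lines for “sa” or “dba” from one client address is the pattern Huntress describes, so the output of the last step is what to feed into monitoring once the instance is no longer reachable from the internet.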
As the construction industry increasingly adopts digital tools, the need for strong cybersecurity measures is more urgent than ever. Addressing these vulnerabilities promptly is essential to safeguarding not just the software but the entire infrastructure of companies operating in this vital sector.