CyberSecurity SEE

Threat Actors Focus on Contractor Software

Threat actors have been targeting Foundation accounting software, which is commonly used by general contractors in the construction industry, with active exploitation observed in the plumbing, HVAC, and concrete sub-industries, among others. Researchers at Huntress made the discovery on Sept. 14, when they noticed host/domain enumeration commands being spawned by the parent process sqlservr.exe. The researchers shared their findings in an advisory.

The software uses a Microsoft SQL Server (MSSQL) instance for its database operations. While it is typical practice to keep database servers on internal networks or behind firewalls, the Foundation software includes features that allow access through a mobile app, meaning TCP port 4243 could be publicly exposed for the mobile app's use. This port grants direct access to MSSQL, so exposing it puts the database itself within reach of anyone on the internet.

Moreover, Microsoft SQL Server comes with a default system admin account known as "sa," which holds full administrative privileges over the entire server. Such high-level privileges enable users to execute shell commands and scripts, which the threat actors have been exploiting in their attacks on the application. They have been observed brute-forcing logins on a large scale and using default credentials to compromise victim accounts. The threat actors are also using automated scripts to streamline their attacks.
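The parent-process signal described above can be turned into a simple detection. The following is an added example, not code from Huntress or from this article: it walks process-creation records and flags shells and enumeration tools whose ancestry leads back to sqlservr.exe, including the case where a shell sits between the two. The record field names, the tool list and the sample events are assumptions made for illustration.

```python
import ntpath

DB_ENGINE = "sqlservr.exe"
SHELLS = {"cmd.exe", "powershell.exe"}
# Assumption: common Windows host/domain enumeration utilities; the article
# does not list the exact commands that were observed.
ENUM_TOOLS = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe",
              "nltest.exe", "systeminfo.exe"}


def _name(path):
    # Lower-cased file name of a Windows path ('' when the field is absent).
    return ntpath.basename(path or "").lower()


def find_sql_spawned_enumeration(events):
    """Flag shells and enumeration tools that descend from sqlservr.exe.

    events: chronological process-creation records (hypothetical dict keys
    pid, ppid, image, parent_image, cmdline). Returns (pid, kind, cmdline).
    """
    from_sql = set()  # PIDs whose ancestry leads back to the database engine
    alerts = []
    for ev in events:
        pid, name = ev["pid"], _name(ev["image"])
        if _name(ev.get("parent_image")) == DB_ENGINE or ev["ppid"] in from_sql:
            from_sql.add(pid)
            if name in ENUM_TOOLS:
                alerts.append((pid, "enumeration", ev["cmdline"]))
            elif name in SHELLS:
                alerts.append((pid, "shell", ev["cmdline"]))
        else:
            from_sql.discard(pid)  # PID reused by an unrelated process
    return alerts


# Constructed sample events (not taken from the advisory).
SAMPLE_EVENTS = [
    {"pid": 5000, "ppid": 1800, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"D:\MSSQL\Binn\sqlservr.exe",
     "cmdline": 'cmd.exe /c "ipconfig /all"'},
    {"pid": 5001, "ppid": 5000, "image": r"C:\Windows\System32\ipconfig.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /all"},
    {"pid": 6000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"pid": 6001, "ppid": 6000, "image": r"C:\Windows\System32\whoami.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "cmdline": "whoami"},
]

if __name__ == "__main__":
    print(find_sql_spawned_enumeration(SAMPLE_EVENTS))
```

The interactive `whoami` launched from explorer.exe is not flagged, which is the point of following lineage instead of matching on tool names alone.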

To reduce the risk of falling victim to these attacks, organizations are advised to regularly rotate the credentials associated with Foundation software and to keep installations disconnected from the public internet to prevent unauthorized access. These precautions strengthen an organization's security posture and help safeguard sensitive information from malicious actors. Companies need to stay vigilant and proactive in protecting their systems and data from evolving threats.
