September 20, 2024
Severity
High
Analysis Summary
Recent findings highlight a new wave of attacks against the construction sector through FOUNDATION Accounting Software. The software, widely used by plumbing, HVAC, and concrete contractors, is being targeted not through a flaw in the product itself but through its database layer: attackers brute-force logins that still carry default or weak passwords and use that access to gain control of the host.
According to the report, FOUNDATION ships with an embedded Microsoft SQL Server (MS SQL) instance for database management. In many deployments, TCP port 4243 is left reachable from the internet so that the vendor's mobile application can connect, which exposes the database engine directly. Of particular concern are two high-privileged logins, "sa" (SQL Server's built-in system administrator) and "dba" (created by FOUNDATION). These logins frequently retain their default passwords, making them easy targets for brute-force attempts.
Once an attacker authenticates as one of these logins, the next step is xp_cmdshell, an extended stored procedure that runs arbitrary operating-system commands under the SQL Server service account. xp_cmdshell is disabled by default, but a login with sysadmin rights can switch it on with sp_configure, so holding "sa" or "dba" is effectively full control of the host. Researchers reported detecting signs of the attack on September 14, 2024, with roughly 35,000 brute-force attempts recorded before the attackers successfully authenticated to an MS SQL server.
To reduce the risk of such attacks, researchers recommend immediately rotating the default credentials, removing the application and its database port from public exposure, and disabling xp_cmdshell where possible. Of the roughly 500 FOUNDATION software instances monitored, 33 were found vulnerable because they were publicly reachable and still used the default credentials.
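The attack chain above (a burst of failed logins for "sa" or "dba" from one client, then a successful login, then xp_cmdshell being switched on) leaves a recognisable trail in the SQL Server ERRORLOG. The following script is an added example, not code from the original report or from FOUNDATION, and it makes three assumptions: that login auditing on the instance is set to record both failed and successful logins (the default records failures only, so the success line would otherwise be absent), that the message formats match the standard SQL Server text reproduced in the constructed sample log, and that 100 failures per client/login within 10 minutes is an acceptable alert threshold (a tuning value chosen here, not one from the report). The sample log and the client addresses in it are constructed for the example.

```python
"""Detect brute force against MS SQL logins followed by xp_cmdshell being enabled.

Added example for the FOUNDATION / MS SQL case described above. The log lines
produced by sample_log() are constructed, not taken from any real incident.
Assumes login auditing logs both failed and successful logins.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two high-privileged logins named in the report.
PRIVILEGED_LOGINS = {"sa", "dba"}

# ERRORLOG lines start with "YYYY-MM-DD HH:MM:SS.ss <source>" followed by the message.
_TS = r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})"
FAILED_RE = re.compile(
    _TS + r"\s+Logon\s+Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS_RE = re.compile(
    _TS + r"\s+Logon\s+Login succeeded for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[^\]]+)\]")
# Written by SQL Server when sp_configure flips the option on.
XP_CMDSHELL_RE = re.compile(
    _TS + r"\s+spid\d+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect(lines, threshold=100, window=timedelta(minutes=10)):
    """Return findings, in log order, for brute force, brute-force success and
    xp_cmdshell activation. threshold/window are assumed tuning values."""
    failures = defaultdict(list)   # (client ip, login) -> timestamps of recent failures
    flagged = set()                # (client ip, login) pairs already reported
    breached_at = None             # time of the first success after a flagged burst
    findings = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            key, ts = (m["ip"], m["user"]), _ts(m["ts"])
            # Keep only failures inside the sliding window, then add this one.
            failures[key] = [t for t in failures[key] if ts - t <= window] + [ts]
            if len(failures[key]) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"type": "brute_force", "ip": key[0], "user": key[1],
                                 "privileged": key[1] in PRIVILEGED_LOGINS,
                                 "attempts": len(failures[key]), "at": ts})
            continue
        m = SUCCESS_RE.search(line)
        if m:
            key, ts = (m["ip"], m["user"]), _ts(m["ts"])
            if key in flagged:   # the guessing stopped because it worked
                breached_at = breached_at or ts
                findings.append({"type": "brute_force_success", "ip": key[0],
                                 "user": key[1], "at": ts})
            continue
        m = XP_CMDSHELL_RE.search(line)
        if m:
            ts = _ts(m["ts"])
            findings.append({"type": "xp_cmdshell_enabled", "at": ts,
                             "after_breach": breached_at is not None and ts >= breached_at})
    return findings


def _fmt(t):
    # ERRORLOG uses two fractional digits.
    return t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]


def sample_log(attempts=150, attacker="203.0.113.5"):
    """Constructed ERRORLOG excerpt: one benign failure, a burst of failed 'sa'
    logins from one client, a success from that client, then xp_cmdshell enabled."""
    t0 = datetime(2024, 9, 14, 3, 0, 0)
    reason = "Reason: Password did not match that for the login provided."
    lines = [f"{_fmt(t0)} Logon       Login failed for user 'app_user'. {reason} [CLIENT: 198.51.100.7]"]
    for i in range(attempts):
        t = _fmt(t0 + timedelta(seconds=i))
        lines.append(f"{t} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{t} Logon       Login failed for user 'sa'. {reason} [CLIENT: {attacker}]")
    t = _fmt(t0 + timedelta(seconds=attempts))
    lines.append(f"{t} Logon       Login succeeded for user 'sa'. Connection made using "
                 f"SQL Server authentication. [CLIENT: {attacker}]")
    t = _fmt(t0 + timedelta(seconds=attempts + 10))
    lines.append(f"{t} spid56      Configuration option 'xp_cmdshell' changed from 0 to 1. "
                 "Run the RECONFIGURE statement to install.")
    return lines


if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(finding)
```

On a real instance the same lines can be pulled with `EXEC xp_readerrorlog 0, 1, N'Login failed'` rather than reading the file, and the hardening side of the recommendation is a short T-SQL sequence: `EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` to turn the procedure off, and `ALTER LOGIN sa WITH PASSWORD = '<new strong password>';` (or `ALTER LOGIN sa DISABLE;` once another sysadmin login exists) for the default account. Disabling xp_cmdshell does not stop a sysadmin login from re-enabling it, which is why the credential rotation and the network exposure come first.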
Impact
- Credentials Theft
- Unauthorized Access
- Command Execution
Remediation
- Change the default passwords on the "sa" and "dba" logins immediately, and use unique, strong passwords for every SQL Server login.
- Do not expose the FOUNDATION database port (TCP 4243) or the MS SQL instance to the internet; restrict access to the networks and hosts that need it.
- Disable xp_cmdshell where the application does not require it, and monitor for it being re-enabled.
- Enable SQL Server login auditing for both failed and successful logins, and alert on bursts of failed logins against the same login from one source.
- Keep all operating systems and software, including SQL Server, up to date with the latest security patches.
- Employ reliable antivirus and antimalware software to detect and block known threats, and keep it updated so it carries current threat intelligence.
- Implement intrusion detection and prevention (IDPS) to identify and block unusual network activity or system behavior.
- Enable two-factor authentication (2FA) on accounts wherever it is supported; it adds a layer of protection that can stop unauthorized access even after credentials have been stolen.
- Back up important data regularly so that critical information is not lost in the event of a malware infection or other data-loss event.
- Be wary of emails, attachments, and links from unknown sources, avoid downloading software from untrusted sources, and do not click on suspicious ads or pop-ups.
- Use email filtering to block malicious attachments and links that may deliver malware through phishing emails.
- Segment the network to limit lateral movement for attackers who do gain a foothold.
- Employ application whitelisting so that only approved software can run on systems, reducing the risk of unauthorized programs being executed.
- Implement robust monitoring to detect unusual or suspicious activity, such as unauthorized access attempts or data exfiltration, and maintain an incident response plan so that any breach can be contained quickly.