Criminals are actively exploiting Foundation accounting software, which is widely used by general contractors in the construction industry, with victims observed in the plumbing, heating, ventilation, air conditioning, and concrete sub-industries, among others.
Researchers at Huntress first spotted the threat while monitoring activity on September 14. “What caught our attention were host/domain enumeration commands being generated by a parent process of sqlservr.exe,” the researchers wrote in their advisory.
The application ships with a Microsoft SQL Server (MSSQL) instance that handles its database operations. According to the researchers, database servers are usually kept on an internal network or behind a firewall, but Foundation software includes features that allow access from a mobile app. This “allows TCP port 4243 to be exposed for use by the mobile app. This 4243 port provides direct access to MSSQL.”
Moreover, Microsoft SQL Server has a default system administrator account, known as “sa”, which has full administrative rights over the entire server. With rights that high, the account can be used to execute shell commands and scripts on the host.
Threat actors targeting the application have been observed brute-forcing it at scale and using default credentials to gain access to victim accounts. They also appear to be using scripts to automate their attacks.
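The signal Huntress describes, enumeration commands spawned by sqlservr.exe, can be turned into a simple hunting rule over process-creation telemetry. The following is an added example, not Huntress code; the `key=value|key=value` record format, the host name and the paths in the sample log are constructed, and the enumeration command list is illustrative rather than exhaustive.

```python
import re

# Host/domain enumeration commands a defender would expect right after an
# attacker lands via the MSSQL service (illustrative list, not exhaustive).
ENUM_PATTERNS = [
    r"\bwhoami\b",
    r"\bhostname\b",
    r"\bnet\s+(user|group|localgroup|view)\b",
    r"\bnltest\b",
    r"\bsysteminfo\b",
    r"\bipconfig\b",
]

def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def is_sql_spawned_enumeration(event):
    """Return the matching pattern when sqlservr.exe is the parent of an
    enumeration command, otherwise None."""
    parent = event.get("ParentImage", "").lower()
    if not parent.endswith("sqlservr.exe"):
        return None
    cmd = event.get("CommandLine", "")
    for pattern in ENUM_PATTERNS:
        if re.search(pattern, cmd, re.IGNORECASE):
            return pattern
    return None

def detect(lines):
    """Run the rule over raw log lines and return the flagged events."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        pattern = is_sql_spawned_enumeration(event)
        if pattern:
            findings.append({"host": event.get("Host", "?"),
                             "command": event["CommandLine"], "matched": pattern})
    return findings

# Constructed sample telemetry: two hits, one benign shell, one SQL-side child.
SAMPLE_LOG = """\
Host=FND-SQL01|ParentImage=C:\\MSSQL\\Binn\\sqlservr.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami
Host=FND-SQL01|ParentImage=C:\\MSSQL\\Binn\\sqlservr.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c net user /domain
Host=FND-SQL01|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami
Host=FND-SQL01|ParentImage=C:\\MSSQL\\Binn\\sqlservr.exe|Image=C:\\MSSQL\\Binn\\sqlcmd.exe|CommandLine=sqlcmd -Q "BACKUP DATABASE fnd"
"""
```

Only the first two records are flagged: the third has a non-SQL parent and the fourth is routine database maintenance, which is the distinction that keeps this rule low-noise on a Foundation server.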
Organizations are advised to rotate their Foundation software credentials and to disconnect their installations from the Internet so they do not fall victim to attacks of this kind.