Beware! Cyberattackers Target Foundation Accounting Software Used by Contractors
Cybersecurity threats have taken a concerning turn for the construction industry. A new wave of cyberattacks is specifically targeting Foundation Accounting Software, an application widely used by contractors, raising alarms across sectors such as plumbing, HVAC, concrete, and others. The cybersecurity firm Huntress has found that threat actors are breaking into vulnerable systems running this software through brute force attacks and default credentials.
A Growing Threat to Contractors
The cyberattacks, first detected on September 14, involve hackers leveraging exposed instances of Foundation software on the internet. Typically, accounting software should be kept behind a firewall or VPN, but due to its mobile app functionality, some organizations have left TCP port 4243 publicly exposed, which provides direct access to the Microsoft SQL Server (MSSQL) database. This port exposure has proven to be an entry point for attackers.
Once inside, hackers target the default system administrator account in the MSSQL instance, which gives them full administrative control over the database server. Worryingly, some systems were also found to have a second account with high privileges left with default credentials, making the situation even more dangerous.
How the Attacks Work
With these default accounts, attackers can abuse an extended stored procedure within MSSQL that executes operating system commands. This lets them run shell commands and scripts as if they had full system access. In effect, the attackers can act directly on the server, which puts contractors' data and operational integrity at significant risk.
One of the most disturbing findings from Huntress was the level of automation involved in these attacks. In some cases, hackers were able to execute scripts on multiple systems from various organizations within minutes. For example, one attack involved 35,000 brute force login attempts before the hackers successfully accessed the system, highlighting the relentless nature of these cybercriminals.
What You Can Do to Protect Your Business
Huntress identified 33 publicly exposed Foundation software hosts still using default credentials. While the number may seem low, the consequences of a breach can be disastrous. Construction contractors using Foundation Accounting Software should act immediately by taking the following steps:
- Change Default Credentials: Rotate all credentials for the software, especially the system administrator and high-privilege accounts.
- Limit Internet Exposure: Disconnect any unnecessary instances of the software from the internet and ensure proper security measures are in place, such as firewalls and VPNs.
- Disable Vulnerable Procedures: Disable the exploited extended stored procedure within MSSQL to prevent attackers from running OS-level commands.
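The three steps above, written as a T-SQL audit a database administrator could run against the MSSQL instance behind the software. This is an added example, not code from Huntress or the software vendor; it assumes the extended stored procedure in question is xp_cmdshell, the standard MSSQL procedure for running OS commands, which the article does not name.

```sql
-- Added example (T-SQL); run as a sysadmin from SSMS or sqlcmd.
-- Assumption: the abused extended stored procedure is xp_cmdshell.

-- 1. Change default credentials: list every member of the sysadmin role.
--    Each enabled SQL login returned here needs a new, unique password.
SELECT m.name, m.type_desc, m.is_disabled, l.is_policy_checked,
       LOGINPROPERTY(m.name, 'PasswordLastSetTime') AS password_last_set
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.sql_logins AS l ON l.principal_id = m.principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- Flag SQL logins whose password is blank or equal to the login name.
-- This does not detect other default passwords, so rotate regardless.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- Rotate each login found above (placeholders, fill in per login):
-- ALTER LOGIN [<login_name>] WITH PASSWORD = N'<new password>', CHECK_POLICY = ON;

-- 2. Limit internet exposure: show the TCP endpoints this instance listens on.
--    If the port the article mentions (4243) appears, confirm at the firewall
--    that it is reachable only from the VPN or internal network.
SELECT ip_address, port, state_desc
FROM sys.dm_tcp_listener_states
WHERE type_desc = N'TSQL';

-- 3. Disable the procedure: check the current state, then turn it off.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Caveat: any sysadmin login can switch xp_cmdshell back on with the same
-- sp_configure call, so step 3 only holds once steps 1 and 2 are done.
```

Re-run the `sys.configurations` query after later software updates or maintenance to confirm `value_in_use` is still 0.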
Staying Ahead of the Threat
As cyberattacks continue to grow more sophisticated, organizations must remain vigilant, especially in industries that might not typically prioritize cybersecurity. Construction contractors, often focused on day-to-day operations, may overlook vulnerabilities like exposed accounting software, but the recent wave of attacks serves as a stark reminder of the importance of strong cybersecurity practices.
By securing your Foundation software and staying informed on the latest threats, you can safeguard your business from becoming the next target.