Unidentified hackers have targeted companies in the construction industry through accounting software known as Foundation, researchers said Tuesday.
The attackers go looking for installations of Foundation that are publicly accessible on the internet, then try combinations of default usernames and passwords that can allow for administrative access, according to cybersecurity firm Huntress.
The platform’s Ohio-based developer, Foundation Software, did not respond by publication time on Tuesday to a request for comment from Recorded Future News.
Huntress said it has seen active intrusions through the software among companies in the plumbing, concrete and heating, ventilation, and air conditioning (HVAC) industries. The researchers didn’t mention how successful the attacks were or what their goal was.
The researchers said they first discovered the malicious activity targeting Foundation last week. On one host, the researchers observed nearly 35,000 brute-force login attempts against the Microsoft SQL Server (MSSQL) used by the company to handle its database operations.
Normally, such databases are kept private and secured behind a firewall or virtual private network (VPN), but Foundation “features connectivity and access by a mobile app,” researchers said. This means that a certain TCP port — used to manage and distinguish network traffic on a computer — might be made available to the public, giving direct access to the MSSQL database.
In many cases, Foundation users kept the default, easy-to-guess passwords to protect high-privilege database accounts, according to the report. Researchers said they discovered 500 hosts running the Foundation software, and nearly 33 of them were publicly exposed with unchanged default credentials.
“In addition to notifying those where we saw suspicious activity, we also sent out a precautionary advisory notification to any of our customers and partners who have the FOUNDATION software in their environment,” Huntress said.
Recorded Future
Intelligence Cloud.
No previous article
No new articles
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.