Accounting software brute force attacks hit construction companies

Construction companies using Foundation are being attacked

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Hackers are targeting construction companies with brute-force attacks, breaking into their networks and executing different commands remotely, experts have warned.

Cybersecurity researchers Huntress, who recently observed the attacks in the wild, noted cybercriminals are going after Foundation - a piece of software used by construction companies foraccountingand project management. It helps manage financials, job costing, payroll, and reporting, and offers tools for tracking expenses, managing contracts, and staying compliant with industry regulations.

This software also has an accompanying mobile app, and in order for it to work properly, aMicrosoftSQL Server (MSSQL) needs to be configured to be publicly accessible via TCP port 4243. This server has two admin accounts, and in many instances - users never changed the defaultpasswords.

Running commands

Running commands

Cybercriminals seem to have picked up on this information, targeting dozens of organizations with brute-force attacks, in an attempt to log into these accounts. In fact, Huntress spotted 35,000 attempts on a single host, within an hour. The researchers said they saw “active breaches” in organizations working on plumbing, HVAC, concrete, and similar.

After gaining access, the attackers try to enable features that allow them to run commands on theoperating system. Some of the commands observed by the researchers were to retrieve network configuration details and pull information about the hardware, OS, and user accounts.

Huntress says that of all the endpoints it defends, 500 hosts were seen running Foundation, 33 of which had publicly exposed MSSQL databases with default admin credentials. The researchers notified the company of their findings, but Foundation said the problem only affects on-prem instances. In other words, software users should be the ones minding their security posture. The company did stress that not all servers have the same port open, and not everyone has the same default credentials.

ViaBleepingComputer

Are you a pro? Subscribe to our newsletter

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Dangerous Android banking malware looks to trick victims with fake money transfers

Sophos Firewall hack on government network used an all-new custom malware

Best genealogy tool of 2024