Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms
Recent research from the cybersecurity firm Huntress has uncovered a new wave of attacks targeting the construction industry, specifically through vulnerabilities in FOUNDATION Accounting Software. Widely used by various sub-industries, including plumbing, HVAC, concrete, and other related fields, FOUNDATION has become a prime target for cybercriminals due to weak security practices. The attackers are exploiting the software’s default credentials and misconfigured settings, gaining unauthorized access to high-privileged accounts such as “sa” and “dba.” These accounts, often left with unchanged default passwords, make it easier for threat actors to brute-force their way into systems. Additionally, the software’s integration with Microsoft SQL (MS SQL) Server, which in some cases exposes the TCP port 4243 for mobile app access, further amplifies the risk. Once inside the system, attackers can exploit the xp_cmdshell configuration option to run arbitrary OS commands, allowing them to control the server as if they had direct system-level access. Huntress first detected this malicious activity on September 14, 2024, after logging over 35,000 brute-force login attempts against a single MS SQL server before the attackers succeeded in gaining access. A broader investigation revealed that of 500 hosts running FOUNDATION software, 33 were publicly accessible with default credentials, leaving them highly vulnerable to similar attacks. This incident highlights the ongoing need for strong cybersecurity practices, especially in sectors like construction, where specialized software like FOUNDATION is often relied upon but may not always be securely configured. Without prompt remediation, these vulnerabilities could result in significant data breaches or further malicious activities, underlining the urgency for users to rotate default credentials, limit public exposure, and disable risky features like xp_cmdshell.
Attack Overview
According to Huntress security researchers, attackers are conducting large-scale brute-force attempts against FOUNDATION Accounting Software, gaining unauthorized access through unchanged default credentials. The attacks particularly focus on two high-privileged accounts: “sa” (the default system administrator) and “dba” (a high-privileged account created by FOUNDATION). These accounts often remain vulnerable due to neglected security practices, such as not rotating or updating default passwords.
Technical Details:
- Vulnerability type: Default credential vulnerability.
- Affected Product: FOUNDATION Accounting Software (MS SQL Server back end).
- Impact: Unauthorized access to sensitive data, data breaches, system compromise, financial loss, reputational damage, compliance and regulatory impact, business continuity impact.
- Detection Methods: Network traffic analysis, system log monitoring, configuration scanning, vulnerability scanning.
Detection Rules:
- Network traffic analysis: Detects unauthorized access attempts, identifies suspicious network activity, and provides real-time visibility into network traffic to help investigate and respond to incidents.
- System log monitoring: Detects unauthorized access attempts, identifies suspicious system activity, and provides an audit trail for incident response.
Indicators of Compromise (IOCs):
Construction firms checking whether their FOUNDATION installation has been targeted through default credentials should look for the following indicators:
- Unusual login activity from unknown IP addresses.
- Multiple failed login attempts from a single IP.
- Successful login with default credentials.
- Suspicious DNS queries or unusual network traffic patterns.
- Default credential usage in system logs and unusual system configuration changes.
- Suspicious process creation, modified system files or registry entries, or unusual user account activity.
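As an added example (not part of the article or of Huntress's research), the following T-SQL turns the second and third indicators into a query over the current SQL Server error log, grouping failed logins by account and source IP so a brute-force run against “sa” or “dba” stands out. It assumes SQL Server's default login auditing (failed logins are written to the error log), a sysadmin connection, and an alert threshold of 50 failures, which is a placeholder to tune.

```sql
-- Added example: summarise failed logins per login name and client IP
-- from the current SQL Server error log (not from the article).
-- Assumes failed-login auditing is on (the default) and sysadmin rights.
CREATE TABLE #errlog (LogDate DATETIME, ProcessInfo NVARCHAR(64), LogText NVARCHAR(MAX));

-- xp_readerrorlog: log 0 = current log, type 1 = SQL Server error log,
-- third argument filters to lines containing the search string.
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC xp_readerrorlog 0, 1, N'Login failed for user';

;WITH parsed AS (
    SELECT
        LogDate,
        -- login name sits between the first pair of single quotes:
        -- "Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]"
        SUBSTRING(LogText, CHARINDEX('''', LogText) + 1,
                  CHARINDEX('''', LogText, CHARINDEX('''', LogText) + 1)
                  - CHARINDEX('''', LogText) - 1) AS LoginName,
        -- client address sits inside the trailing [CLIENT: x.x.x.x] marker
        SUBSTRING(LogText, ip.start + 9,
                  CHARINDEX(']', LogText, ip.start) - ip.start - 9) AS ClientIP
    FROM #errlog
    CROSS APPLY (SELECT CHARINDEX('[CLIENT: ', LogText) AS start) AS ip
    WHERE ip.start > 0
)
SELECT LoginName, ClientIP, COUNT(*) AS Failures,
       MIN(LogDate) AS FirstSeen, MAX(LogDate) AS LastSeen
FROM parsed
GROUP BY LoginName, ClientIP
HAVING COUNT(*) >= 50   -- placeholder threshold; tune for your environment
ORDER BY Failures DESC;

DROP TABLE #errlog;
```

Rows where LoginName is “sa” or “dba” with a high failure count and then a later successful login from the same ClientIP match the pattern Huntress describes and warrant incident-response follow-up.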
FOUNDATION Software Configuration Vulnerabilities
FOUNDATION utilizes Microsoft SQL (MS SQL) Server to handle its database functions, but its default setup can leave critical vulnerabilities exposed. In some cases, the TCP port 4243 is left open, allowing mobile applications to access the database remotely, which inadvertently opens the server to potential cyber threats. When this port is publicly accessible, it significantly increases the risk of brute-force attacks, enabling malicious actors to target high-privileged accounts that often retain default credentials. If attackers manage to gain access, they can exploit the xp_cmdshell option in SQL Server. This particular feature allows direct execution of operating system commands from within SQL, providing attackers with a powerful tool to execute arbitrary shell commands and scripts, effectively giving them full control over the system at a command prompt level. This could allow them to carry out a range of malicious actions, including data exfiltration, lateral movement across the network, and installing malware, all while remaining under the guise of legitimate database activity. The exploitation of this feature underscores the need for properly securing SQL servers, including disabling unnecessary features like xp_cmdshell and ensuring that default configurations and credentials are updated to protect against such brute-force attacks. The failure to do so can result in severe system compromise, emphasizing the critical importance of proactive configuration and security hygiene in protecting systems reliant on FOUNDATION.
Timeline of Attack Activity
The initial indications of this malicious campaign emerged on September 14, 2024, when Huntress identified over 35,000 brute-force login attempts aimed at a single MS SQL server running FOUNDATION Accounting Software. The attackers relentlessly targeted the server, trying to exploit weak security configurations and default credentials. Despite the significant number of failed attempts, the persistence of the attackers eventually paid off, as they managed to successfully breach the system. This incident highlighted the scale and determination of the threat actors involved, showcasing how a combination of brute force and misconfigured security settings can lead to system compromise.
Further investigation by Huntress revealed a concerning trend: out of 500 hosts running FOUNDATION software, 33 were found to be publicly exposed with their default credentials unchanged. This lack of basic security hygiene left these hosts vulnerable to similar brute-force attacks, significantly increasing the risk of compromise. The widespread use of default credentials across multiple installations made it easier for attackers to systematically target and exploit these weaknesses. These findings underscore the critical importance of securing systems, particularly those exposed to the internet, by rotating credentials and eliminating unnecessary public access points.
Remediation Steps for Securing FOUNDATION Accounting Software
- Change Default Credentials: Immediately update the default “sa” and “dba” passwords to strong, unique credentials.
- Disable xp_cmdshell: Disable the xp_cmdshell option in SQL Server to prevent the execution of arbitrary shell commands.
- Restrict Public Access: Remove direct public access to the FOUNDATION server by ensuring the application is not exposed to the internet.
- Close Unused Ports: Block or restrict TCP port 4243 to limit unnecessary access, particularly from mobile apps.
- Enable Multi-Factor Authentication (MFA): Configure MFA for all high-privileged accounts to add an extra layer of security.
- Implement Network Segmentation: Place the SQL server in a segmented network zone with restricted access to reduce exposure.
- Monitor Login Activity: Set up alerts and regularly monitor for brute-force attempts or suspicious login activity on the server.
- Apply Security Patches: Ensure both the MS SQL Server and FOUNDATION software are regularly updated with the latest security patches.
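To audit and apply the SQL Server side of the first four steps (credential rotation, xp_cmdshell, exposure on TCP 4243), here is an added T-SQL script; it is not from the article, Huntress or FOUNDATION. The password values are placeholders, and the assumption that FOUNDATION stores these logins in its own connection settings (which must be updated alongside the password change) is mine, not the article's.

```sql
-- Added example (not from the article): audit, then remediate, the
-- conditions described above. Run as sysadmin during a maintenance window.

-- Audit 1: is xp_cmdshell enabled?  run_value = 1 means yes.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';

-- Audit 2: who is connected over TCP, and on which local port?
-- Any non-internal client_net_address on 4243 indicates public exposure.
SELECT local_tcp_port, client_net_address, COUNT(*) AS sessions
FROM sys.dm_exec_connections
WHERE net_transport = 'TCP' AND local_tcp_port = 4243
GROUP BY local_tcp_port, client_net_address;

-- Audit 3: state and last change date of the high-privilege SQL logins.
-- An old modify_date with is_policy_checked = 0 suggests the default password is still in place.
SELECT name, is_disabled, is_policy_checked, modify_date
FROM sys.sql_logins
WHERE name IN ('sa', 'dba');

-- Remediation 1: rotate the default credentials and enforce the Windows
-- password policy. Placeholders below; update the application's stored
-- connection credentials at the same time (assumption about the deployment).
ALTER LOGIN [sa]  WITH PASSWORD = N'<new-strong-sa-password>',  CHECK_POLICY = ON;
ALTER LOGIN [dba] WITH PASSWORD = N'<new-strong-dba-password>', CHECK_POLICY = ON;

-- Remediation 2: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Confirm: config_value and run_value should both read 0.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Blocking or restricting port 4243 itself is done at the host firewall or network boundary, not in T-SQL, so it is left to the infrastructure steps above.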