September 18, 2024 at 05:09PM
Threat actors have been targeting Foundation accounting software used in the construction industry, with active exploitation seen in the plumbing, HVAC, and concrete sub-industries. Researchers at Huntress discovered the activity, which involved host/domain enumeration commands. The software's MSSQL instance allows mobile app access, potentially exposing TCP port 4243 to the public. Organizations are advised to rotate credentials and keep installations disconnected from the Internet.
The findings highlight a significant security threat to Foundation accounting software, which is commonly used in the construction industry. Threat actors have been targeting this software, with active exploitation in various sub-industries. Researchers at Huntress discovered the threat and identified the use of host/domain enumeration commands within the software's Microsoft SQL Server instance. Notably, the software's mobile app may expose TCP port 4243, providing direct access to MSSQL. Additionally, default system admin accounts with full administrative privileges pose a severe risk. The threat actors have been observed brute-forcing the application and using default credentials to gain access, while also automating their attacks using scripts. Recommendations include rotating credentials associated with the software and keeping installations disconnected from the internet to prevent such attacks.
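One way to look for the brute-forcing described above in SQL Server error logs, shown as an added example that does not come from Huntress or the vendor. It assumes login auditing records both failed and successful logins; the log lines, the account names (`sa` is SQL Server's built-in sysadmin login), the addresses and the threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the SQL Server error log format (not from the report).
SAMPLE_LOG = """\
2024-09-17 09:00:00.12 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2024-09-17 09:30:00.40 Logon       Login failed for user 'jsmith'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
2024-09-17 10:14:58.03 spid12s     Server is listening on [ 'any' <ipv4> 4243].
2024-09-17 10:15:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-17 10:15:02.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-17 10:15:03.09 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-17 10:15:04.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-17 10:15:05.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2024-09-17 10:15:09.31 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2024-09-17 10:20:00.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse(log_text):
    """Yield (timestamp, result, user, client) for each login audit line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["result"], m["user"].lower(), m["client"]

def detect(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (brute_force, compromised) sets of (client, user) pairs."""
    recent = defaultdict(list)  # (client, user) -> failure times still inside the window
    brute, compromised = set(), set()
    for ts, result, user, client in sorted(parse(log_text)):
        key = (client, user)
        if result == "failed":
            recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
            if len(recent[key]) >= threshold:
                brute.add(key)
        elif key in brute:
            compromised.add(key)  # success after a failure burst: handle as an incident
    return brute, compromised

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A pair in the second set means a guessed or default password worked, so the credential rotation recommended above should be paired with a review of what that session did.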