Hackers Exploit Default Credentials in FOUNDATION Software to Breach Construction Firms

September 19, 2024 at 12:21PM

Cybersecurity company Huntress has identified threat actors targeting the construction sector by infiltrating the FOUNDATION Accounting Software. Attackers brute-force logins and exploit default credentials to gain access at companies in the plumbing, HVAC, concrete, and related sub-industries. To mitigate the risk, Huntress advises rotating default credentials, not exposing the application over the public internet, and disabling xp_cmdshell.

Key points:

– Threat actors are targeting the construction sector by infiltrating the FOUNDATION Accounting Software, gaining access through default credentials and brute-forcing the software.
– The targeted sub-industries include plumbing, HVAC, concrete, and related sectors.
– The FOUNDATION software utilizes Microsoft SQL (MS SQL) Server with TCP port 4243 open for database access via a mobile app.
– Huntress has found two high-privileged accounts, “sa” and “dba,” often with unchanged default credentials, allowing threat actors to leverage xp_cmdshell for arbitrary shell commands.
– On September 14, 2024, 35,000 brute-force login attempts against an MS SQL server were detected, and 33 of 500 hosts running the software were found to be publicly accessible with default credentials.
– Mitigation recommendations include rotating default account credentials, ceasing public internet exposure if possible, and disabling xp_cmdshell where appropriate.
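
A defender-side check for the activity summarized above, as an added example that is not from Huntress or the original article: it scans SQL Server ERRORLOG-style text for bursts of failed logins against the sa and dba accounts and for xp_cmdshell being switched on. The sample log lines, the threshold and window values, and the function and variable names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG style; not taken from the Huntress report.
_FAIL = ("2024-09-14 03:12:{:02d}.10 Logon       Login failed for user '{}'. Reason: "
         "Password did not match that for the login provided. [CLIENT: {}]")
SAMPLE_LOG = "\n".join(
    [_FAIL.format(s, "sa", "203.0.113.7") for s in range(0, 12, 2)]   # burst of 6
    + [_FAIL.format(20, "dba", "198.51.100.9"),                        # single miss
       _FAIL.format(25, "jsmith", "198.51.100.20"),                    # not a watched account
       "2024-09-14 03:13:30.55 spid55      Configuration option 'xp_cmdshell' "
       "changed from 0 to 1. Run the RECONFIGURE statement to install."]
)

FAILED = re.compile(r"^(\S+ \S+) Logon\s+Login failed for user '([^']*)'\..*\[CLIENT: ([^\]]+)\]")
XP_ON = re.compile(r"^(\S+ \S+) \S+\s+Configuration option 'xp_cmdshell' changed from 0 to 1")
WATCHED = {"sa", "dba"}  # the two high-privileged accounts named in the article


def analyze(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alerts for failed-login bursts on watched accounts and xp_cmdshell enablement."""
    recent = {}      # (client, user) -> timestamps of failures still inside the window
    alerted = set()  # keys already reported, so each source/account pair alerts once
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            user = m.group(2).lower()
            if user not in WATCHED:
                continue
            now = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            key = (m.group(3), user)
            times = [t for t in recent.get(key, []) if now - t <= window] + [now]
            recent[key] = times
            if len(times) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("brute_force", key[0], user))
            continue
        m = XP_ON.match(line)
        if m:
            alerts.append(("xp_cmdshell_enabled", m.group(1)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

SQL Server ERRORLOG files are commonly UTF-16 encoded, so decode them accordingly before passing the text to analyze.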
