Brute force attacks on accounting software hit construction companies
Hackers are targeting construction companies with brute-force attacks, breaking into their networks and remotely executing various commands, according to cybersecurity researchers Huntress, who recently observed the attacks in the wild.
According to the researchers, cybercriminals are targeting Foundation, a software program used by construction companies for accounting and project management. It helps manage finances, job costing, payroll and reporting, and provides tools for tracking expenses, managing contracts and complying with industry regulations.
This software also has a companion mobile app. For that app to work, the product's Microsoft SQL Server (MSSQL) database must be reachable from the internet on TCP port 4243. The server ships with two administrator accounts, and in many cases users have never changed their default passwords.
Execute commands
Cybercriminals appear to have picked up on this and are now targeting dozens of organizations with brute-force attacks, trying to log into these accounts. Huntress even spotted 35,000 attempts against a single host in one hour. The researchers said they saw “active breaches” in organizations working on plumbing, HVAC, concrete and the like.
Once they gain access, the attackers attempt to enable features that allow them to execute commands on the operating system. Some of the commands the researchers observed included retrieving network configuration details and retrieving information about the hardware, operating system, and user accounts.
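The two behaviours described above, a burst of failed logins against a default admin account followed by a configuration change that turns on OS command execution, both leave traces in the SQL Server ERRORLOG. The script below is an added defender-side example, not code from Huntress, Foundation or BleepingComputer. It assumes the log line shapes SQL Server uses for failed logins ("Login failed for user ... [CLIENT: ...]") and for configuration changes ("Configuration option '...' changed from 0 to 1"), assumes that the "features" the article mentions correspond to the `xp_cmdshell` and `Ole Automation Procedures` options, and uses a constructed sample log and an arbitrary threshold of 100 failures per source per hour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Assumed ERRORLOG message shapes (modelled on SQL Server's logon and configuration
# messages; exact spacing on a real server may differ).
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)
CONFIG_CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+spid\d+\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)"
)

# Server options that hand an SQL login the ability to run OS commands (assumption:
# these are the "features" the article refers to).
OS_EXEC_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures"}


def parse_errorlog(text):
    """Turn ERRORLOG text into a list of event dicts; lines that match neither pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN.match(line)
        if m:
            events.append({"kind": "failed_login", "ts": datetime.strptime(m["ts"], TS_FMT),
                           "user": m["user"], "client": m["client"]})
            continue
        m = CONFIG_CHANGE.match(line)
        if m:
            events.append({"kind": "config_change", "ts": datetime.strptime(m["ts"], TS_FMT),
                           "option": m["option"], "old": int(m["old"]), "new": int(m["new"])})
    return events


def detect_bruteforce(events, threshold=100, window=timedelta(hours=1)):
    """Return {client: peak failures inside any sliding window} for clients above the threshold."""
    per_client = defaultdict(list)
    for e in events:
        if e["kind"] == "failed_login":
            per_client[e["client"]].append(e["ts"])
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        peak, left = 0, 0
        for right, ts in enumerate(stamps):          # two-pointer sliding window
            while ts - stamps[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak > threshold:
            flagged[client] = peak
    return flagged


def detect_os_exec_enabled(events):
    """Return (timestamp, option) for every 0 -> 1 switch of an OS-command-execution option."""
    return [(e["ts"], e["option"]) for e in events
            if e["kind"] == "config_change" and e["option"] in OS_EXEC_OPTIONS
            and e["old"] == 0 and e["new"] == 1]


def build_sample_log():
    """Constructed sample: 150 'sa' failures from one client in ten minutes, three failures
    from another client, then xp_cmdshell being switched on. Not real captured data."""
    base = datetime(2024, 9, 17, 14, 0, 0)
    fail = ("{ts:%Y-%m-%d %H:%M:%S}.00 Logon       Login failed for user 'sa'. "
            "Reason: Password did not match that for the login provided. [CLIENT: {ip}]")
    lines = [fail.format(ts=base + timedelta(seconds=4 * i), ip="203.0.113.5") for i in range(150)]
    lines += [fail.format(ts=base + timedelta(minutes=20 + i), ip="198.51.100.7") for i in range(3)]
    lines.append("{ts:%Y-%m-%d %H:%M:%S}.00 spid57      Configuration option 'xp_cmdshell' "
                 "changed from 0 to 1. Run the RECONFIGURE statement to install."
                 .format(ts=base + timedelta(minutes=12)))
    return "\n".join(lines)


if __name__ == "__main__":
    evts = parse_errorlog(build_sample_log())
    for client, n in detect_bruteforce(evts).items():
        print(f"ALERT brute force: {n} failed logins from {client} within one hour")
    for ts, opt in detect_os_exec_enabled(evts):
        print(f"ALERT OS command execution enabled: '{opt}' turned on at {ts}")
```

On a real host the same functions can be pointed at the server's ERRORLOG file; the threshold is deliberately far below the 35,000-per-hour rate the researchers observed, because a handful of failures per hour against `sa` from an unknown address is already worth a look when the database is internet-facing.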
Huntress said that of all the endpoints it defends, 500 hosts were running Foundation, 33 of which had publicly exposed MSSQL databases with default admin credentials. The researchers briefed the vendor on their findings, but Foundation said the issue only affects on-prem instances. In other words, it is the customers running the software who need to watch their own security posture. The company did emphasize that not all servers have the same ports open, and not everyone has the same default credentials.
Via BleepingComputer