Hackers breaching construction firms via specialized accounting software
Firms in the construction industry are getting breached by hackers via internet-exposed servers running Foundation accounting software, Huntress researchers are warning.
“We’re seeing active intrusions among plumbing, HVAC, concrete, and similar sub-industries,” they noted.
A way into corporate networks
Ohio-based Foundation develops and provides specialized software products and services for companies in the construction industry.
“The Foundation software includes a Microsoft SQL Server (MSSQL) instance to handle its database operations,” Huntress researchers explained.
Unfortunately, to let users reach it from a mobile app, the MSSQL instance has to be accessible on TCP port 4243.
Because users sometimes leave the default credentials on the built-in system administrator account (“sa”) and on an existing “dba” account, attackers can log in to those high-privilege accounts and use them to enable a feature known as xp_cmdshell within MSSQL.
“This is an extended stored procedure that allows the execution of OS commands directly from SQL, enabling users to run shell commands and scripts as if they had access right from the system command prompt,” the researchers noted.
And that is exactly what the attackers are doing, either by logging in with the default credentials or by brute-forcing the (changed) passwords for those accounts.
“On one host we observed ~35,000 brute force login attempts against the MSSQL server ending just an hour before a successful authentication and enabling xp_cmdshell to run commands,” Huntress researchers shared.
Once they gain access, the attackers have been observed performing additional reconnaissance on the underlying host.
What to do?
According to recent reports, organizations in the construction industry are increasingly at risk from ransomware attacks.
While brute force attempts are “noisy” (i.e., they can be spotted by reviewing authentication logs), a login with default credentials looks like any other successful login and won’t trigger alarm bells.
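As an added illustration of that point (this is example code, not part of the article or Huntress’s tooling): a small Python detector that parses constructed SQL Server ERRORLOG logon lines, flags a burst of failed logins from one client, and flags a later success from the same client within a lookback window. The client IPs, timestamps and thresholds are made up; note that the clean “dba” login from a fresh client, the default-credential case, produces no alert at all.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in SQL Server ERRORLOG layout (not real data).
# Successful logins only appear when login auditing covers successful logins.
SAMPLE_LOG = """\
2024-09-10 13:00:01.10 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-10 13:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 13:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 13:00:02.05 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 13:00:02.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 14:00:05.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-10 14:10:00.00 Logon       Login succeeded for user 'dba'. Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_logon_events(text):
    """Return (timestamp, result, user, client_ip) for each 'Login ...' line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("result"), m.group("user"), m.group("ip")))
    return events

def find_suspicious_logons(text, threshold=3, window=timedelta(minutes=5), lookback=timedelta(hours=2)):
    """Return (kind, client_ip, user, timestamp) alerts: failed-login bursts and successes after failures."""
    alerts = []
    failures = defaultdict(list)  # client_ip -> timestamps of failed logins
    for ts, result, user, ip in parse_logon_events(text):
        # Keep only failures inside the lookback so the state does not grow unbounded.
        failures[ip] = [t for t in failures[ip] if ts - t <= lookback]
        if result == "failed":
            failures[ip].append(ts)
            if sum(1 for t in failures[ip] if ts - t <= window) == threshold:
                alerts.append(("brute_force", ip, user, ts))
        elif failures[ip]:
            # A success from a client that was failing shortly before: likely a guessed password.
            alerts.append(("success_after_failures", ip, user, ts))
        # A success from a client with no prior failures (default credentials) raises nothing.
    return alerts
```

Production deployments would feed the same logic from Windows event ID 18456 records or a SIEM rather than the raw ERRORLOG file.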
The researchers are advising firms using Foundation accounting software to change the passwords for those accounts and to choose strong ones.
“Where possible, cease exposing the Foundation application to the public Internet, and disable xp_cmdshell where appropriate.”