Threat actors have been targeting Foundation accounting software, which is widely used by general contractors in the construction industry; active intrusions have been observed against firms in the plumbing, HVAC, and concrete sub-industries, among others.
Researchers at Huntress initially discovered the threat when tracking activity on Sept. 14. “What tipped us off was host/domain enumeration commands spawning from a parent process of sqlservr.exe,” the researchers wrote in their advisory.
The application ships with a Microsoft SQL Server (MSSQL) instance that handles its database operations. According to the researchers, while database servers are usually kept on an internal network or behind a firewall, Foundation includes features that allow access through a mobile app. Because of this, “the TCP port 4243 may be exposed publicly for use by the mobile app. This 4243 port offers direct access to MSSQL.”
Compounding this, Microsoft SQL Server has a default system administrator account, known as “sa,” which holds full administrative privileges over the entire server. An account with privileges that high can be used to run shell commands and scripts.
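The detection signal Huntress describes, enumeration commands whose parent process is sqlservr.exe, is easy to turn into a rule over endpoint process-creation telemetry. The block below is an added example written for this page, not code from Huntress, Dark Reading, or the Foundation vendor. It assumes Sysmon Event ID 1-style field names (ParentImage, Image, CommandLine), the list of enumeration binaries and command patterns is my own assumption of what "host/domain enumeration" typically looks like, and every sample event is constructed for illustration. Any child of the SQL Server process is flagged, because a database engine rarely needs to launch other programs; a shell child is ranked medium and an enumeration command is ranked high.

```python
"""Flag process-creation events in which sqlservr.exe spawns a child process.

Added example for this article; not from Huntress, Dark Reading, or Foundation.
Field names follow Sysmon Event ID 1 (an assumption); sample events are constructed.
"""
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumed examples of host/domain enumeration tools (not taken from the article).
ENUM_BINARIES = {
    "whoami.exe", "hostname.exe", "net.exe", "net1.exe", "nltest.exe",
    "ipconfig.exe", "systeminfo.exe", "quser.exe", "nslookup.exe",
}
# Interpreters that xp_cmdshell-style execution usually goes through.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Same enumeration commands when they appear inside a shell's command line.
ENUM_PATTERN = re.compile(
    r"\b(?:whoami|hostname|nltest|systeminfo|ipconfig|quser|nslookup"
    r"|net1?\s+(?:user|group|localgroup|view|accounts))\b"
)


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path ('' if the field is empty)."""
    return PureWindowsPath(image).name.lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high', 'medium' or 'low' for a child of sqlservr.exe, else None."""
    if basename(event.get("ParentImage", "")) != "sqlservr.exe":
        return None  # Not spawned by SQL Server: outside this rule's scope.
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "").lower()
    if child in ENUM_BINARIES or ENUM_PATTERN.search(cmd):
        return "high"    # Matches the enumeration activity Huntress observed.
    if child in SHELLS:
        return "medium"  # A shell under the database engine is still unusual.
    return "low"         # Any other child is worth a look but may be benign.


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (severity, RecordId) for every event the rule flags, in input order."""
    hits = []
    for ev in events:
        severity = classify(ev)
        if severity is not None:
            hits.append((severity, ev["RecordId"]))
    return hits


SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"

# Constructed sample telemetry; only records 1, 2 and 5 have sqlservr.exe as parent.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentImage": SQLSERVR,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c whoami && net group "domain admins" /domain'},
    {"RecordId": 2, "ParentImage": SQLSERVR,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
    {"RecordId": 3, "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": SQLSERVR, "CommandLine": '"sqlservr.exe" -sMSSQLSERVER'},
    {"RecordId": 4, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"RecordId": 5, "ParentImage": SQLSERVR,
     "Image": r"C:\Program Files\Microsoft SQL Server\160\Shared\SQLDumper.exe",
     "CommandLine": "SQLDumper.exe 0 0 0x0128"},
]

if __name__ == "__main__":
    for severity, record_id in detect(SAMPLE_EVENTS):
        print(f"{severity:6s} RecordId={record_id}")
```

Record 4 shows why the parent check matters: the same `whoami` typed by an administrator at a console is not flagged, while record 1 is. In a real deployment the rule would also want an allowlist for the few helper binaries SQL Server legitimately launches, which is why unknown children are reported at low severity rather than dropped.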
The threat actors targeting the application have been observed brute-forcing it at scale and using default credentials to gain access to victim accounts. They also appear to be using scripts to automate their attacks.
Organizations are advised to rotate the credentials associated with Foundation software and to keep installations disconnected from the Internet to avoid falling victim to these attacks.
Source: www.darkreading.com