Just one open port became the key for unauthorized access.
Huntress recently reported a new wave of cyberattacks targeting Foundation Accounting Software, which is popular among contractors in the construction industry. On September 14, attackers began to hack this software en masse, using brute-force attacks and default credentials to gain access to victims' accounts.
According to Huntress, companies operating in areas such as plumbing, heating, ventilation, air conditioning, concrete work and other sub-sectors of construction were hacked. In all cases, Foundation was accessible via the Internet, which allowed the attackers to penetrate the system.
Experts explain that databases usually remain inside the network and are protected by a firewall or VPN. However, Foundation Software offers the ability to connect remotely via a mobile app, which can leave TCP port 4243 open to the public Internet. This port connects directly to the MSSQL server.
During the attack, the hackers use the system administrator account in MSSQL, which has full control over the server and databases. The problem is exacerbated by the fact that in some cases additional accounts with high privileges are created, and their default passwords are also left in place. These accounts allow attackers to gain access to an extended stored procedure in MSSQL, which opens up the ability to execute operating system commands directly from SQL queries.
According to Huntress, scripts are used to automate the attacks, as the same commands were executed on different servers in a short period of time. In one case, hackers made about 35,000 attempts to guess the password before they managed to log in and start executing commands.
So far, Huntress has found 33 publicly accessible Foundation hosts that have not had their default credentials changed. Affected customers have been notified, and other companies using this software have been warned.
Organizations at risk are advised to change all Foundation-related passwords, disconnect the system from the Internet, and deactivate vulnerable procedures to increase security.
Source
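As an added example, not from the article or from Huntress: the brute-force pattern described above (thousands of failed logins against a privileged MSSQL account, followed by a successful one) checked against a SQL Server ERRORLOG excerpt. It assumes the targeted login is the built-in 'sa' account and that the instance writes "Login failed" / "Login succeeded" lines in the standard ERRORLOG format; the log lines and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed SQL Server ERRORLOG excerpt (sample data, not from the article).
# "Login succeeded" lines only appear when the instance audits successful logins too.
SAMPLE_LOG = """\
2024-09-14 10:22:01.12 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-14 10:22:01.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:22:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:22:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:22:01.72 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:22:01.90 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:22:02.08 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-14 11:05:44.00 Logon       Login failed for user 'jdoe'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.12]
"""

LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<ip>[^\]]+)\]"
)

def parse_logon_events(log_text):
    """Yield (timestamp, result, user, ip) for each logon line; skip everything else."""
    for line in log_text.splitlines():
        m = LOGON_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag (client IP, login) pairs with >= threshold failures inside any `window`,
    and record whether that pair then authenticated successfully."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, ip in parse_logon_events(log_text):
        (failures if result == "failed" else successes)[(ip, user)].append(ts)
    findings = []
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0  # sliding window over the sorted failure times
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = times[-1]
            findings.append({"ip": key[0], "user": key[1], "failures": len(times),
                             "succeeded_after": any(t >= last_fail for t in successes[key])})
    return findings
```

On a real instance the threshold should be far higher than five; the point is that a success from the same client immediately after a failure burst is the event to alert on.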