Cybersecurity

Construction software attack targets easy vector: Default credentials

“You don’t need to escalate privileges because you’re already admin,” a Huntress researcher tells IT Brew.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

On Sept. 14, cybersecurity company Huntress discovered brute-force attempts against Foundation accounting software—a common tool for construction industry contractors.

The disclosed break-in revealed an increasingly targeted sector and an easily exploited software vector: default credentials.

“It’s not an elite tradecraft, no APT [advanced persistent threat] hacker shenanigans. It’s really just, ‘Hey, oops, [it’s] accidental defaults that were left on for the administrator user of the database,’” John Hammond, principal security researcher at Huntress, told IT Brew.

According to Huntress’s post:

  • For databases, the Foundation software uses a Microsoft SQL Server—which can be accessed by a mobile app through the publicly exposed TCP port 4243.
  • Huntress discovered high-privileged accounts for the database server had default credentials.
  • Those compromising admin accounts, according to the Huntress report, can leverage OS commands within MSSQL “as if they had access right from the system command prompt.”

Observed commands demonstrated threat actors wanting to “survey the scene” and spot Active Directory domains and users within the environment, according to Hammond. While ransomware attacks had not been conducted, “the potential was certainly there,” Hammond said.
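As an added example (not code from the article, Huntress or Foundation), a small detector over SQL Server error-log lines that flags the pattern described above: a brute-force burst against the database, followed by a privileged login that succeeds from the same client. The sample log lines, the failure threshold and window, and the 10.0.0.0/8 "internal" range are assumptions; the line format mirrors SQL Server's own logon messages, and successful-login lines only appear when login auditing is set to log successes as well as failures.

```python
# Added example (not from IT Brew, Huntress or Foundation). Parses SQL Server
# error-log logon lines and alerts on brute-force bursts and on a privileged
# login that succeeds after failures from the same client.
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[\d.]+)\]$")
PRIVILEGED = {"sa"}                   # assumed: high-privilege logins to watch
FAIL_THRESHOLD = 5                    # assumed burst size
WINDOW_SECONDS = 300                  # assumed burst window
INTERNAL = ip_network("10.0.0.0/8")   # assumed trusted client range

def parse(lines):
    """Return (timestamp, result, user, client) for each logon line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                           m["result"], m["user"], m["client"]))
    return events

def analyze(lines):
    """Return alert strings, in log order."""
    alerts, recent = [], defaultdict(list)
    for ts, result, user, client in sorted(parse(lines)):
        # keep only this client's failures inside the sliding window
        window = [t for t in recent[client]
                  if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if result == "failed":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:   # alert once per burst
                alerts.append(f"brute-force burst from {client}")
        elif user in PRIVILEGED and window:     # success right after failures
            src = "internal" if ip_address(client) in INTERNAL else "external"
            alerts.append(f"{user} login succeeded from {src} {client} "
                          f"after {len(window)} failures")
        recent[client] = window
    return alerts

SAMPLE_LOG = [  # constructed sample lines in SQL Server's error-log format
    f"2024-09-14 03:12:{s:02d}.10 Logon       Login failed for user 'sa'. "
    f"Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]"
    for s in range(1, 7)
] + [
    "2024-09-14 03:12:09.50 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]",
    "2024-09-14 03:15:00.00 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]",
]

if __name__ == "__main__":
    print("\n".join(analyze(SAMPLE_LOG)))
```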

Huntress found approximately 500 customer hosts running the Foundation software—33 of which were publicly exposed with unchanged default credentials.

Tracie Kuczkowski, VP of Marketing at Foundation, in a statement shared with IT Brew, said the event affected “a very small subset of Foundation on-premise users.”

“The vast majority of our clients were not impacted, including our SaaS users and all product lines from our subsidiary companies. We proactively contacted the small subset of on-premise users who could have possibly been affected and provided thorough instructions on how to safeguard their systems,” Kuczkowski wrote in an email to IT Brew.

Build hack better. Construction saw more ransomware security incidents in 2023 than any other sector, according to a recent report from the Ransomware Task Force (231 incidents—a 49% increase from 2022).

Cybersecurity company Kroll saw an increase in construction-specific cyberthreats, making up 6% of the firm’s cases in the first quarter of the year.

Default of the manufacturer? In Dec. 2023, CISA advised against default credentials and called for vendors to build more secure authentication mechanisms, like time-limited setup passwords or processes requiring physical access for initial setup.

Breaches initiated by credential compromise led to an average cost of $4.81 million, according to IBM’s most recent Cost of a Data Breach report, published in July.

The Huntress-observed intrusion, which as of Oct. 1 potentially impacts only around 17 hosts, Hammond estimated, highlights the importance of segmenting networks, disabling port access via firewalls, and of course, changing credentials.

Threat actors may not be targeting the construction industry as much as they’re looking for an easy job.

“This is not by any means some extreme, incredible feat or novel, outstanding exploitation vector. It’s default credentials. So, I have to think this is an attack of opportunity,” Hammond said.
