Cybersecurity company Huntress has discovered that threat actors are increasingly targeting the construction sector by infiltrating FOUNDATION Accounting Software. These attackers are brute-forcing access to the software at scale, taking advantage of default credentials that are often left unchanged.
FOUNDATION, widely used in trades such as plumbing, HVAC, and concrete, stores its data in a Microsoft SQL (MS SQL) Server. In some deployments that server is exposed to the internet on TCP port 4243, a port opened so that the vendor's mobile app can reach the database directly. The same exposure lets an attacker connect straight to the SQL Server instance, bypassing the application entirely.
Huntress found that two high-privileged logins are present on the server: "sa", the built-in MS SQL system administrator account, and "dba", an account created by FOUNDATION. Both frequently retain their default credentials, so guessing them hands an attacker administrative control of the database.
Once authenticated as one of these accounts, an attacker can enable the xp_cmdshell configuration option. xp_cmdshell is an extended stored procedure that spawns a Windows command shell from inside a SQL query, so every command runs on the database host with the privileges of the SQL Server service account, as if the attacker were typing at the system's command prompt. The option is off by default, but any login holding the sysadmin role can switch it on with sp_configure, which is why a default "sa" or "dba" password turns database access into code execution on the host.
Huntress first observed this activity on September 14, 2024, recording around 35,000 brute-force login attempts against the MS SQL server on a single host before the attacker gained access. Among the 500 hosts running FOUNDATION software that Huntress examined, 33 were publicly accessible with their default credentials unchanged.
To reduce the risk, Huntress recommends rotating the default credentials on the "sa" and "dba" accounts immediately, keeping the application and its database off the public internet (in particular, not exposing port 4243), and disabling xp_cmdshell where the application does not need it. Disabling xp_cmdshell is defense in depth rather than a fix on its own, since any sysadmin login can re-enable it; the credential rotation and the removal of the internet exposure are the changes that actually close the door.
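The following T-SQL is an added illustration covering both the xp_cmdshell behaviour described above and the recommended mitigations; it is not code from Huntress or from FOUNDATION. It audits an instance for the conditions the article describes (xp_cmdshell enabled, "sa" and "dba" enabled as sysadmin logins, passwords that are blank or equal to the login name) and then applies the hardening steps. The login names come from the article; the password placeholders, the xp_readerrorlog call used to list listening ports, and the assumption that the instance is SQL Server 2012 or later are mine.

```sql
-- Added example, not the vendor's or Huntress's own script.
-- Run as a sysadmin (sqlcmd or SSMS) on the FOUNDATION database host.

-- 1. Is xp_cmdshell currently enabled?  value_in_use = 1 means a query such as
--    EXEC xp_cmdshell 'whoami' runs a command under the SQL Server service account.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. State of the two logins the article names: enabled?  sysadmin?
SELECT p.name,
       p.is_disabled,
       IS_SRVROLEMEMBER(N'sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
WHERE p.name IN (N'sa', N'dba');

-- 3. SQL logins whose password is blank or equal to the login name.
--    PWDCOMPARE returns 1 when the clear-text value matches the stored hash.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 4. Which addresses and TCP ports the instance is listening on (read from the
--    current error log). A public address here, e.g. on port 4243, is the
--    exposure the article describes and should be closed at the firewall.
EXEC xp_readerrorlog 0, 1, N'Server is listening on';

-- 5. Hardening: turn xp_cmdshell off. 'show advanced options' must be set
--    before sp_configure will accept the xp_cmdshell option.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;

-- 6. Rotate the default credentials. Replace each placeholder with a long
--    random password generated out of band; do not keep it in this script.
--    "dba" may be the login the application itself uses (assumption), so
--    rotate it according to the vendor's procedure and update the app config.
ALTER LOGIN [dba] WITH PASSWORD = N'<new-strong-password-for-dba>';
ALTER LOGIN [sa]  WITH PASSWORD = N'<new-strong-password-for-sa>';

-- 7. If nothing legitimately logs in as "sa", disabling it removes the
--    best-known brute-force target outright.
ALTER LOGIN [sa] DISABLE;
```

Re-run steps 1 to 3 afterwards: the xp_cmdshell row should show value_in_use = 0, the "sa" row should show is_disabled = 1, and step 3 should return no rows. Remember that step 5 only raises the bar; a login that still holds sysadmin can re-enable xp_cmdshell, so the credential rotation and the network change are the controls that matter most.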
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067