Huntress warns of attacks on Foundation Software accounts

The cybersecurity company observed a brute force attack campaign targeting Foundation customers that did not change default credentials in their accounting software.

Huntress warned that attackers are targeting the construction industry with brute force attacks against accounting software accounts with default credentials.

In a blog post published Tuesday, the cybersecurity vendor detailed an emerging brute force attack campaign it first observed Sept. 14. The campaign is targeting customers of Foundation Software, which is commonly used in the construction industry for financial reporting and billing forms.

Max Rogers, senior director of Huntress' threat operations center, flagged suspicious activity Sept. 14 in a post on X, formerly Twitter. Rogers said Huntress was seeing "wide-spread attacks against Construction companies."

After detecting suspicious activity, Huntress said it isolated affected machines and initiated an investigation. Additionally, the company notified any affected individuals and sent a "precautionary advisory" to any Huntress customer who uses Foundation in their environment.

The attack scope may be limited for now. Huntress said it discovered around 500 hosts running the Foundation software and that 33 of them were publicly exposed with unchanged default credentials. John Hammond, principal security researcher at Huntress, told TechTarget Editorial that although the numbers may appear small, there are third-party risks to consider, as affected customers may have internal connections to other organizations.

Those concerns particularly apply to the 33 hosts with unchanged default passwords. Hammond said the security shortcoming provides attackers with "immediate and open-door access." The blog post expanded on the scope and affected industries.

"Attackers have been observed brute forcing the software at scale, and gaining access simply by using the product's default credentials. We're seeing active intrusions among plumbing, HVAC, concrete, and similar sub-industries," Huntress wrote in the blog post.

Huntress stated the attack takes advantage of publicly facing Foundation instances. Foundation uses Microsoft SQL Server, which Huntress said ships with a default system administrator account. If attackers compromise that account, named "sa," they gain full administrative privileges over the entire server.

Huntress observed that many high-privilege sa accounts still use default credentials, which unknown threat actors compromised through brute force attacks. Once threat actors access the accounts, they can use a feature called "xp_cmdshell" within SQL Server, which enables users to run operating system commands and scripts.

"On one host we observed ~35,000 brute force login attempts against the MSSQL server ending just an hour before a successful authentication and enabling xp_cmdshell to run commands," the blog post said.

Huntress recommended that users rotate credentials for accounts connected to the Foundation database, disable xp_cmdshell if possible, and remove the application from the public internet wherever possible.
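A defender-side detection check for the sequence the blog post describes (a burst of failed "sa" logins followed by a successful one, then xp_cmdshell being switched on), written as an added example that is not Huntress's or Foundation's code. The log lines are constructed in SQL Server ERRORLOG format, and the check assumes successful-login auditing has been enabled on the instance (only failed logins are audited by default).

```python
import re
from collections import defaultdict

# Constructed sample of SQL Server ERRORLOG lines (not from the Huntress report).
# Assumes successful logins are audited as well as failures, which must be
# enabled on the instance; the default audits failed logins only.
SAMPLE_LOG = """\
2024-09-14 10:00:01.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:00:01.20 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:00:01.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:00:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:00:01.50 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-14 10:59:30.00 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-14 11:00:02.00 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-09-14 11:05:00.00 Logon       Login succeeded for user 'app_svc'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.7]
"""

# ERRORLOG layout: timestamp, source column (Logon / spidNN), then the message.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) \S+\s+(?P<msg>.*)$")
FAIL_RE = re.compile(r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
OK_RE = re.compile(r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XPCMD_RE = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def analyze(log_text, fail_threshold=5):
    """Return alert tuples (kind, timestamp, user, client_ip, prior_failures).

    'brute_force_success' fires when a login succeeds for a (user, client) pair
    that already had at least fail_threshold failures; 'xp_cmdshell_enabled'
    fires whenever the server logs the option being turned on.
    """
    fails = defaultdict(int)   # (user, client_ip) -> failed login count
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # skip lines that are not in ERRORLOG format
        ts, msg = m.group("ts"), m.group("msg")
        if f := FAIL_RE.search(msg):
            fails[(f["user"], f["ip"])] += 1
        elif s := OK_RE.search(msg):
            key = (s["user"], s["ip"])
            if fails[key] >= fail_threshold:
                alerts.append(("brute_force_success", ts, key[0], key[1], fails[key]))
        elif XPCMD_RE.search(msg):
            alerts.append(("xp_cmdshell_enabled", ts, None, None, 0))
    return alerts
```

In production the threshold would be far higher than five and the input would be the live ERRORLOG or the equivalent Windows Application event log entries, but the ordering logic is the same.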

Tracie Kuczkowski, vice president of marketing at Foundation, sent the following statement to TechTarget Editorial:

"The event potentially impacted a small subset of on-premise FOUNDATION users. It did not at all impact the bulk of our accounting users, which are under our secure, cloud-based SaaS offering. It also did not impact our internal systems or any of our other product offerings through our subsidiary companies. As a result of not following recommendations and security best practices that were provided (one example being not resetting the default credentials), this small subset of on-premise users might face possible vulnerabilities. We have been communicating and providing technical support to these users to mitigate this."

Kuczkowski also said that Foundation is currently working with Huntress to "correct the information they have posted."

Hammond provided TechTarget Editorial with more details on the disclosure process with Foundation. "Huntress attempted to reach out to Foundation throughout the weekend but had not received a response until Monday. Speaking over the phone, Foundation confirmed the default credentials that we saw abused and that they had received reports from a small number of their customers," he said. "They confirmed this was a default configuration for on-premises installations of the Foundation software."

Hammond also confirmed that communication with Foundation is ongoing.

"Huntress was in contact with Foundation as recently as yesterday. Over email, Foundation had asked for more specific statements to be included, suggesting their customers should follow their best practices and recommendations," he said. "Upon asking Foundation for a link to their best practices guide & documentation, Huntress has not received a response."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
