Cybercriminals have increasingly targeted the non-profit sector, exploiting vulnerabilities to gain access and steal sensitive data, according to a recent report from Huntress.
“Cybercriminals have been exploiting the software at an alarming rate, effortlessly breaching security using default login credentials, according to a recent warning issued by the cybersecurity firm.”
The escalating threat primarily affects sectors such as plumbing, heating, ventilation, and air conditioning (HVAC), as well as concrete construction and related subsidiaries.
The FOUNDATION software is bundled with Microsoft SQL Server as its database, and in some deployments the server's TCP port 4243 is left reachable so that the vendor's mobile application can connect to the database directly.
The Huntress report notes that the bundled server ships with not one but two high-privilege accounts: "sa", the built-in system administrator login, and "dba", a custom account created by FOUNDATION, whose original credentials are often never changed.
As a direct result, attackers can brute-force their way into the server and then use the xp_cmdshell extended stored procedure to run operating-system commands from within SQL.
“That’s a feature-rich process that allows for the direct execution of OS instructions from within SQL, empowering users to execute shell commands and scripts with the same ease as if they had system-level access directly.”
Huntress first identified signs of the attack on September 14, 2024, logging approximately 35,000 brute-force login attempts against a single MS SQL Server host before access was finally gained.
Of the roughly five hundred hosts running the FOUNDATION software across the firm's endpoints, 6.6% were found to be vulnerable, and 33 of them were publicly reachable with default credentials still in place.
To reduce the risk of these attacks, rotate the default account credentials, restrict access to the application to a trusted network rather than exposing it publicly wherever possible, and disable the xp_cmdshell feature where feasible.
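The audit and hardening steps above, written out as an added T-SQL example that is not from the Huntress report or from FOUNDATION; the login names sa and dba come from the article, while the password placeholder and the temporary table name are assumptions:

```sql
-- 1. Audit: is xp_cmdshell enabled on this instance?
--    value_in_use = 1 means OS commands can be run from T-SQL.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Audit the two high-privilege logins named in the report. A 'dba' login
-- whose modify_date is still the install date, with is_policy_checked = 0,
-- is a strong hint that the vendor default password was never rotated.
SELECT name, is_disabled, is_policy_checked, create_date, modify_date
FROM sys.sql_logins
WHERE name IN ('sa', 'dba');

-- 2. Harden: turn xp_cmdshell off (the article's recommendation where feasible).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Rotate the default credentials. The password below is a placeholder;
--    replace it with a long, randomly generated secret kept in a secrets manager,
--    and update the application's stored connection string to match.
ALTER LOGIN [dba] WITH PASSWORD = N'<REPLACE-WITH-GENERATED-SECRET>', CHECK_POLICY = ON;
-- Disabling 'sa' removes the most commonly guessed login name entirely;
-- administer the instance through a separately named sysadmin login instead.
ALTER LOGIN [sa] DISABLE;

-- 4. Detect: count failed logins recorded in the current SQL Server error log
--    (the report cites ~35,000 attempts against one host before success).
--    Requires the instance's login auditing to include failed logins, which is
--    the default setting.
CREATE TABLE #errlog (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #errlog
EXEC xp_readerrorlog 0, 1, N'Login failed for user';
SELECT COUNT(*) AS failed_logins,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM #errlog;
DROP TABLE #errlog;
```

Network exposure of port 4243 (and 1433) is handled at the firewall rather than in T-SQL, so this script complements, not replaces, restricting the server to a trusted network.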