Construction companies potentially vulnerable through accounting software, report says
Editor’s Note: Story updated September 18, 12:15 p.m. Eastern U.S. time, with statements from Foundation Software.
Unidentified hackers have targeted companies in the construction industry through accounting software known as Foundation, researchers said Tuesday.
The attackers go looking for installations of Foundation that are reachable from the public internet, then try the software's default usernames and passwords, which can grant administrative access, according to cybersecurity firm Huntress.
Huntress said it has seen active intrusions through the software among companies in the plumbing, concrete and heating, ventilation, and air conditioning (HVAC) industries. The researchers didn’t mention how successful the attacks were or what their goal was.
The platform’s Ohio-based developer, Foundation Software, said it was working with Huntress to clarify some of the information in the report.
“The event potentially impacted a small subset of on-premise FOUNDATION users. It did not at all impact the bulk of our accounting users, which are under our secure, cloud-based [software-as-a-service] offering. It also did not impact our internal systems or any of our other product offerings through our subsidiary companies,” Foundation said.
The Huntress researchers said they first discovered the malicious activity targeting Foundation last week. On one host, the researchers observed nearly 35,000 brute-force login attempts against the Microsoft SQL Server (MSSQL) instance that Foundation uses as its database.
Normally such a database server is kept on a private network behind a firewall, or reachable only over a virtual private network (VPN). But Foundation "features connectivity and access by a mobile app," the researchers said, which means a TCP port for the database may be opened to the internet, exposing the MSSQL instance directly to anyone who can reach it.
In many cases, Foundation users had left the default, easy-to-guess passwords in place on high-privilege database accounts, according to the report.
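The pattern described above, thousands of failed logins against an exposed MSSQL instance followed by a successful login on a high-privilege account, is visible in SQL Server's own ERRORLOG. The following is an added example written for this article, not code from Huntress or Foundation Software: it parses the standard "Login failed for user" / "Login succeeded for user" audit lines, flags any client address that crosses a failure threshold inside a sliding time window, and then reports any successful login from that address after the burst began, which is the signal that a guessed credential worked. The log excerpt is constructed (documentation IP ranges, an arbitrary 'sa' target) and the threshold and window are arbitrary choices, not values from the report. Note that SQL Server logs failed logins by default but records successful logins only when login auditing is set to "Both failed and successful logins".

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the login audit lines SQL Server writes to ERRORLOG. The separate
# "Error: 18456, Severity: 14, State: 8." line that precedes each failure
# carries no client address, so it is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2,6})\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_errorlog(text):
    """Return login events as (timestamp, outcome, user, client), sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
        events.append((ts, m.group("outcome"), m.group("user"), m.group("client")))
    events.sort(key=lambda e: e[0])
    return events


def detect_bruteforce(events, threshold=20, window=timedelta(seconds=60)):
    """Flag clients with >= threshold failed logins inside any `window`, then
    report successful logins from those clients after their burst started.
    threshold/window are illustrative (assumed), not values from the report."""
    failures = defaultdict(list)  # client -> [(timestamp, user)]
    for ts, outcome, user, client in events:
        if outcome == "failed":
            failures[client].append((ts, user))

    bursts = {}
    for client, attempts in failures.items():
        start, peak, first_cross = 0, 0, None
        for end, (ts, _user) in enumerate(attempts):
            # Sliding window: drop attempts older than `window` from the left.
            while ts - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            peak = max(peak, count)
            if count >= threshold and first_cross is None:
                first_cross = attempts[start][0]
        if first_cross is not None:
            bursts[client] = {
                "first_seen": first_cross,
                "peak_in_window": peak,
                "total_failures": len(attempts),
                "users": sorted({u for _, u in attempts}),
            }

    # A success from a bursting client after the burst began suggests a
    # guessed (e.g. default) credential, regardless of which account it hit.
    success_after_burst = [
        {"client": client, "user": user, "time": ts}
        for ts, outcome, user, client in events
        if outcome == "succeeded" and client in bursts
        and ts >= bursts[client]["first_seen"]
    ]
    return {"bursts": bursts, "success_after_burst": success_after_burst}


def build_sample_errorlog():
    """Constructed ERRORLOG excerpt (not real data): 60 password guesses
    against 'sa' from one external address over ~15 s, ending in a successful
    SQL login, plus one stray failure from an internal host an hour later."""
    base = datetime(2024, 9, 10, 8, 0, 0)

    def stamp(t):
        return t.strftime("%Y-%m-%d %H:%M:%S.%f")[:-4]  # ERRORLOG uses 2 digits

    lines = []
    for i in range(60):
        ts = stamp(base + timedelta(milliseconds=250 * i))
        lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{ts} Logon       Login failed for user 'sa'. Reason: Password "
                     f"did not match that for the login provided. [CLIENT: 203.0.113.5]")
    ts = stamp(base + timedelta(seconds=16))
    lines.append(f"{ts} Logon       Login succeeded for user 'sa'. Connection made "
                 f"using SQL Server authentication. [CLIENT: 203.0.113.5]")
    ts = stamp(base + timedelta(hours=1))
    lines.append(f"{ts} Logon       Error: 18456, Severity: 14, State: 8.")
    lines.append(f"{ts} Logon       Login failed for user 'appuser'. Reason: Password "
                 f"did not match that for the login provided. [CLIENT: 10.0.0.20]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    findings = detect_bruteforce(parse_errorlog(build_sample_errorlog()))
    for client, info in findings["bursts"].items():
        print(f"burst from {client}: {info['total_failures']} failures, "
              f"peak {info['peak_in_window']} in window, users {info['users']}")
    for hit in findings["success_after_burst"]:
        print(f"SUCCESS after burst: {hit['user']} from {hit['client']} at {hit['time']}")
```

Run against a real ERRORLOG (typically under the instance's Log directory) by passing its contents to parse_errorlog. On a host that is reachable from the internet the failure counts will dwarf the sample, so tune the threshold to the site's normal noise; the success-after-burst list is the part that should page someone.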
“As a result of not following recommendations and security best practices that were provided (one example being not resetting the default credentials), this small subset of on-premise users might face possible vulnerabilities,” Foundation said. “We have been communicating and providing technical support to these users to mitigate this.”
Huntress said it identified about 500 hosts running the Foundation software, 33 of which were publicly exposed with unchanged default credentials.
“In addition to notifying those where we saw suspicious activity, we also sent out a precautionary advisory notification to any of our customers and partners who have the FOUNDATION software in their environment,” Huntress said.
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.