Accounting software brute force attacks hit construction companies

A padlock resting on a keyboard.
(Image credit: Passwork)

Hackers are targeting construction companies with brute-force attacks, breaking into their networks and executing different commands remotely, experts have warned.

Cybersecurity researchers Huntress, who recently observed the attacks in the wild, noted cybercriminals are going after Foundation - a piece of software used by construction companies for accounting and project management. It helps manage financials, job costing, payroll, and reporting, and offers tools for tracking expenses, managing contracts, and staying compliant with industry regulations.

This software also has an accompanying mobile app, and in order for it to work properly, a Microsoft SQL Server (MSSQL) needs to be configured to be publicly accessible via TCP port 4243. This server has two admin accounts, and in many instances - users never changed the default passwords.

Running commands

Cybercriminals seem to have picked up on this information, targeting dozens of organizations with brute-force attacks, in an attempt to log into these accounts. In fact, Huntress spotted 35,000 attempts on a single host, within an hour. The researchers said they saw “active breaches” in organizations working on plumbing, HVAC, concrete, and similar.

After gaining access, the attackers try to enable features that allow them to run commands on the operating system. Some of the commands observed by the researchers were to retrieve network configuration details and pull information about the hardware, OS, and user accounts.

Huntress says that of all the endpoints it defends, 500 hosts were seen running Foundation, 33 of which had publicly exposed MSSQL databases with default admin credentials. The researchers notified the company of their findings, but Foundation said the problem only affects on-prem instances. In other words, software users should be the ones minding their security posture. The company did stress that not all servers have the same port open, and not everyone has the same default credentials.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Avast cybersecurity
Hackers are hijacking government software to access sensitive servers
person at a computer
Infamous ransomware hackers reveal new tool to brute-force VPNs
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Huge cyber attack under way - 2.8 million IPs being used to target VPN devices
A concept image of someone typing on a computer. A red flashing danger sign is above the keyboard and nymbers and symbols also in glowing red surround it.
Microsoft Teams and other Windows tools hijacked to hack corporate networks
Ransomware
Fortinet firewall bugs are being targeted by LockBit ransomware hackers
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Cisco, ASUS, QNAP, and Synology devices hijacked to major botnet
Latest in Security
cybersecurity
Chinese government hackers allegedly spent years undetected in foreign phone networks
Data leak
A major Keenetic router data leak could put a million households at risk
Code Skull
Interpol operation arrests 300 suspects linked to African cybercrime rings
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Multiple routers hit by new critical severity remote command injection vulnerability, with no fix in sight
Code Skull
This dangerous new ransomware is hitting Windows, ARM, ESXi systems
An abstract image of a lock against a digital background, denoting cybersecurity.
Critical security flaw in Next.js could spell big trouble for JavaScript users
Latest in News
DeepSeek
Deepseek’s new AI is smarter, faster, cheaper, and a real rival to OpenAI's models
Open AI
OpenAI unveiled image generation for 4o – here's everything you need to know about the ChatGPT upgrade
Apple WWDC 2025 announced
Apple just announced WWDC 2025 starts on June 9, and we'll all be watching the opening event
Hornet swings their weapon in mid air
Hollow Knight: Silksong gets new Steam metadata changes, convincing everyone and their mother that the game is finally releasing this year
OpenAI logo
OpenAI just launched a free ChatGPT bible that will help you master the AI chatbot and Sora
An aerial view of an Instavolt Superhub for charging electric vehicles
Forget gas stations – EV charging Superhubs are using solar power to solve the most annoying thing about electric motoring