Dive brief:
- Huntress, a cybersecurity company based in Ellicott City, Maryland, has identified an emerging threat to users of Foundation Software, which says it serves 43,000 construction professionals nationwide. In a Sept. 17 report, Huntress said plumbing, HVAC, concrete and similar subcontractors were among those affected.
- Huntress described the hack as a “brute force” attack, in which the perpetrators use an automated trial-and-error engine to guess credentials or other sensitive information. According to Huntress, the affected companies were still using default credentials: the usernames and passwords that ship with the software and are meant to be changed during installation.
- According to the report, Huntress found about 500 hosts running Foundation’s software among the more than 3 million endpoints it monitors for its customers. From that group, the company confirmed that a sample of 33 hosts were publicly exposed with unchanged default credentials. On one affected host, it observed more than 35,000 brute force login attempts.
Dive Insight:
Foundation told Construction Dive that some of the information in the Huntress report was inaccurate and said the affected users were limited to customers still running legacy software installed on-premises, on their own infrastructure, rather than in Foundation’s hosted environment.
Affected customers did not follow the protocol of changing their user ID and password, said Mike Ode, CEO of Foundation, who noted that the company hosts the vast majority of its customers through its software-as-a-service offering.
“If you buy software and install it on your site, you’re responsible for the security and the walls and the perimeter, right?” Ode told Construction Dive. “We’re responsible for what we’ve been selling for the last decade, and that’s a hosted solution.”
He urged affected companies to adopt hosted software.
“We want everyone to be in our hosted SaaS environment, right? Let’s do it. Let’s take responsibility,” Ode said. He claimed that the attack mentioned in the report may have affected only one customer, but admitted that he did not know for sure.
The risks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has said the use of default passwords is a major cybersecurity problem and has urged organizations to reset them.
Although the intrusions occurred, there was no compromise or malicious activity on those computers, said John Hammond, principal security researcher at Huntress. To protect themselves, Hammond said, contractors using the software should change their credentials, including passwords.
Huntress noted that Foundation’s software uses Microsoft SQL Server. The combined platform includes two high-privilege administrative accounts, named “sa” and “dba” within the system. If their default credentials are not changed during installation, attackers have an easy way into the software.
When contacted, Microsoft pointed Construction Dive to its SQL Server security best practices web page.
Hammond described the effort a hacker needs to breach affected instances of Foundation’s software as “trivial,” comparing it to typing a password.
“Once a threat actor finds a local Foundation server, they could authenticate themselves as a database administrator and enable new settings to do whatever they want on the entire computer,” Hammond said. “Honestly, it only takes one command to log in and only two more to do real damage.”
Bad actors could gain access to sensitive information, such as credentials or financial details, as well as to the computer itself, Hammond said.
“This is a foothold and initial access vector to an entire network, with admin privileges right out of the gate,” Hammond told Construction Dive via email. “In some cases we’ve seen SQL Server installed directly on an organization’s domain controller, meaning they are immediate keys to the realm for the entire environment.”
To protect SQL servers, Hammond recommended restricting access to the server where it is not needed, changing default passwords to strong, unique credentials, and disabling functionality for unnecessary components.
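The brute-force pattern described in the report (thousands of failed logins against the “sa” and “dba” accounts, followed by a successful login once the default password is guessed) leaves a recognizable trail in SQL Server’s ERRORLOG. The script below is an added example, written for this article and not part of the Huntress report or of Foundation’s software: it parses constructed log lines written in the style of SQL Server’s login-failure and login-success messages, counts failures per client address, and flags both a brute-force threshold (assumed here to be 5 failures; tune it to your environment) and any successful login to a default administrative account from a client that had been failing moments before. The IP addresses and timestamps are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of a SQL Server ERRORLOG (error 18456).
# They are invented for this example and are not taken from the Huntress report.
SAMPLE_ERRORLOG = """\
2024-09-10 02:14:07.11 Logon       Error: 18456, Severity: 14, State: 8.
2024-09-10 02:14:07.11 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 02:14:07.30 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 02:14:07.52 Logon       Login failed for user 'dba'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 02:14:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 02:14:08.44 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2024-09-10 02:14:09.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2024-09-10 08:30:15.70 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.25]
2024-09-10 08:31:02.19 Logon       Login succeeded for user 'reports'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.25]
"""

# The two high-privilege accounts named in the article.
DEFAULT_ADMIN_LOGINS = {"sa", "dba"}

FAIL_RE = re.compile(
    r"Login failed for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")
OK_RE = re.compile(
    r"Login succeeded for user '(?P<user>[^']+)'.*\[CLIENT: (?P<client>[^\]]+)\]")


def parse_logon_events(text):
    """Yield (outcome, user, client) for each login-failure or login-success line."""
    for line in text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            yield ("fail", m.group("user"), m.group("client"))
            continue
        m = OK_RE.search(line)
        if m:
            yield ("success", m.group("user"), m.group("client"))


def analyze(text, threshold=5):
    """Count failures per client and return findings worth alerting on.

    threshold is an assumed value: the number of failed logins from one client
    at which we call the activity brute force.
    """
    failures = Counter()            # failed logins per client address
    failed_users = defaultdict(set)  # which login names each client tried
    findings = []
    for outcome, user, client in parse_logon_events(text):
        if outcome == "fail":
            failures[client] += 1
            failed_users[client].add(user)
            if failures[client] == threshold:
                findings.append(
                    f"brute force: {client} reached {threshold} failed logins "
                    f"(users tried: {sorted(failed_users[client])})")
        elif user in DEFAULT_ADMIN_LOGINS and failures[client] > 0:
            # A default admin account logging in right after a run of failures
            # is the signature of a guessed default password.
            findings.append(
                f"default admin login '{user}' succeeded from {client} "
                f"after {failures[client]} failures")
    return {"failures": dict(failures), "findings": findings}


if __name__ == "__main__":
    for finding in analyze(SAMPLE_ERRORLOG)["findings"]:
        print(finding)
```

In practice the same two checks belong in whatever collects the ERRORLOG or the Windows application log; the point is that a successful “sa” login following a burst of failures should page someone even when the login itself looks legitimate to the database.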