Dive Brief:
- Ellicott City, Maryland-based cybersecurity firm Huntress has discovered an emerging threat for users of Foundation Software, which bills itself as serving 43,000 construction professionals nationwide. In a Sept. 17 report, Huntress said plumbing, HVAC, concrete and similar subcontractors were actively impacted.
- Huntress described the hack as a “brute force” attack, where perpetrators use an automated trial-and-error engine to guess credentials or other sensitive information. The affected companies were using default credentials — i.e., usernames and passwords that come with the software on purchase and that are supposed to be changed on installation — at the time of the intrusion, according to Huntress.
- Huntress discovered about 500 hosts running the Foundation software from the 3 million-plus endpoints it monitors for its clients, according to the report. From that pool, the company confirmed that a sample of 33 hosts were publicly exposed with unchanged default credentials. On one impacted host, it observed more than 35,000 brute force login attempts.
Dive Insight:
Foundation told Construction Dive that some of the information in the Huntress report was inaccurate, and said that affected users were limited to clients still using legacy software physically installed at their own companies — i.e., on premise — rather than via Foundation’s hosted environment.
The impacted clients did not follow the protocol of changing their user ID and password, said Mike Ode, Foundation’s CEO, who noted the firm hosts the vast majority of its customers via its software-as-a-service offering.
“If you buy a software and you install it at your place, you are responsible for the security and the walls and the perimeter, right?” Ode told Construction Dive. “We're responsible for what we've been selling for the last decade, and that's a hosted solution.”
He urged impacted firms to adopt hosted software instead.
“We want everybody in our SaaS-hosted environment, right? Let us do it. Let us take on the responsibility,” Ode said. He asserted the attack mentioned in the report may have impacted just a single client, but acknowledged he didn’t know for certain.
The risks
The U.S. Cybersecurity and Infrastructure Agency has said use of default passwords is a major cybersecurity issue and has been urging organizations to reset them.
Even though the intrusions occurred, there was no compromise or malicious activity on those computers, said John Hammond, principal security researcher at Huntress. Hammond said that to protect themselves, contractors who use the software should change their credentials, including passwords.
Huntress noted that Foundation uses Microsoft SQL in its software. The combined platforms feature two high-privilege administrative accounts, dubbed “sa” and “dba” within the system. If their default credentials are left unchanged upon installation, perpetrators can have an easy entryway into the software.
When contacted, Microsoft pointed Construction Dive to its SQL security best practices web page.
For a hacker, Hammond described the effort needed to breach the impacted instances of Foundation’s software as “trivial,” and likened it to typing in a password.
“Once a threat actor finds an on-premise Foundation server, they could authenticate as the database administrator, and enable new settings to do whatever they might like on the whole computer,” Hammond said. “Candidly, it takes just one command to log in, and just two more to do real damage.”
Hammond said bad actors could access sensitive information, such as credentials or financial details, as well as gain entry into the computer itself.
“This is a foothold and initial access vector into a whole network, with administrator privileges right out of the gate,” Hammond told Construction Dive via email. “In some cases we have observed the SQL server installed directly onto an organization's domain controller, which means it is immediate keys to the kingdom for the entire environment.”
To protect SQL servers, Hammond recommended limiting access to the server if it’s not needed, alongside changing default passwords to secure credentials and restricting functionality for unnecessary components.