TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

Cracks in the Foundation: FOUNDATION Accounting Intrusions | Huntress

2024-09-17

ATT&CK techniques detected

5 predictions
T1110.001 Password Guessing
65%
“attempts in c:\program files\microsoft sql server\mssql12.foundation\mssql\log\errorlog where the version mssql12 may vary between mssql11, mssql13, mssql15, etc. on one host we observed ~35,000 brute force login attempts against the mssql server ending just an ho…”
T1098 Account Manipulation
65%
“mssql with a command: alter login sa with password = 'newstrongpassword'; alter login dba with password = 'anothernewpassword'; - this can be done within mssql with a command: - where possible, cease exposing the foundation application to the public internet. - disable xp…”
T1078.001 Default Accounts
46%
“cracks in the foundation: foundation accounting intrusions | huntress on september 14, huntress discovered an emerging threat involving foundation accounting software, which is commonly used by contractors in the construction industry. attackers have been observed brute forcing …”
T1078.001 Default Accounts
43%
“multiple instances where these high-privilege accounts are left with unchanged default credentials. because these accounts have such a high privilege, these administrator accounts can readily enable and leverage a feature known as xp_cmdshell within mssql. this is an extended…”
T1098 Account Manipulation
32%
“multiple instances where these high-privilege accounts are left with unchanged default credentials. because these accounts have such a high privilege, these administrator accounts can readily enable and leverage a feature known as xp_cmdshell within mssql. this is an extended…”

Summary

Threat actors have been successful in gaining entry using accounting software commonly used by construction companies.