A previously unknown hacker outfit, called GambleForce, has been attributed to a series of SQL injection attacks against companies, mainly in the Asia-Pacific (APAC) region, since at least September 2023.
“GambleForce uses a set of basic but highly effective methods, including SQL injection and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.
The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.
GambleForce’s modus operandi is its exclusive reliance on open-source tools such as dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at various stages of the attacks, with the ultimate goal of exfiltrating sensitive information from compromised networks.
The threat actor also uses a legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group’s origin is unclear.
Attack chains involve abusing victims’ public-facing applications through SQL injection, as well as exploiting CVE-2023-23752, a medium-severity flaw in the Joomla CMS, to gain unauthorized access to a Brazilian company.
It is currently unknown how GambleForce used the stolen information. The cybersecurity firm said it also took down the adversary’s command-and-control (C2) server and notified the identified victims.
“Web injections are one of the oldest and most popular attack vectors,” said Nikita Rostovcev, senior threat analyst at Group-IB.
“And the reason is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks in web applications.”
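The coding defect Rostovcev describes, shown as an added Python example that is not code from the article or from Group-IB: the same user lookup built by string formatting and with a bound parameter, run against a constructed in-memory SQLite table, plus a cheap input check that is defence in depth rather than a substitute for parameterization.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a web application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    return conn


def lookup_insecure(conn: sqlite3.Connection, username: str) -> list:
    """Builds the SQL by string formatting: the caller's input becomes part of
    the query text, which is the defect behind classic SQL injection."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Same lookup with a bound parameter: the driver passes the input as data,
    so it can never alter the structure of the query."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def looks_like_sqli(value: str) -> bool:
    """Input check for logging or alerting: flags characters and keywords that
    a legitimate username would not contain. Useful for detection, but only
    the parameterized query actually removes the vulnerability."""
    suspicious = ("'", "--", ";", "/*", " or ", "union")
    return any(token in value.lower() for token in suspicious)


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"  # constructed input, not a real username
    print("insecure:     ", lookup_insecure(db, tampered))       # every row
    print("parameterized:", lookup_parameterized(db, tampered))  # no rows
    print("flagged:      ", looks_like_sqli(tampered))           # True
```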