Asia Pacific Hit by GambleForce Hacker Group with SQL Injection Attacks
Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has discovered a previously unknown threat actor codenamed GambleForce (tracked under the name EagleStrike GambleForce in Group-IB’s Threat Intelligence Platform). Group-IB’s Threat Intelligence unit can confirm that, since emerging in September 2023, the group has targeted more than 20 gambling, government, retail and travel websites in Australia, China, India, Indonesia, Philippines, South Korea, Thailand, and Brazil. GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials. The name, GambleForce, was coined due to the group’s initial targets being from the gambling industry.
GambleForce’s command and control server (CnC), which was discovered by Group-IB’s Threat intelligence team, was taken down by the company’s Computer Emergency Response Team (CERT-GIB). Additionally, Group-IB has issued notifications for the identified victims.
GambleForce’s CnC was initially discovered in September 2023. The server housed the gang’s tools, such as dirsearch, redis-rogue-getshell, Tinyproxy, and sqlmap. The latter is a popular open-source pen-testing tool designed to identify database servers vulnerable to SQL injections and exploit them. Threat actors inject malicious SQL code into a public-facing web page, which allows them to bypass default authentication and access sensitive data.
Notably, the gang relies exclusively on publicly available open-source tools for initial access, reconnaissance, and data exfiltration. GambleForce utilized another popular pen-testing framework, Cobalt Strike. The version of Cobalt Strike discovered on the gang’s server used commands in Chinese. However, this fact alone is not enough to attribute the group’s origin.
According to Group-IB Threat Intelligence experts, between September 2023 and December 2023, GambleForce targeted 24 organizations in 8 countries. The gang was able to successfully compromise 6 websites from Australia (travel), Indonesia (travel, retail), the Philippines (government), and South Korea (gambling).
In some attacks, GambleForce stopped at the reconnaissance stage, failing to download the data. In six attacks, the threat actor managed to obtain user databases containing logins, hashed passwords, as well as lists of main tables from accessible databases. In almost all known attacks, GambleForce abused the public-facing applications of victims by exploiting SQL injections. In one attack in Brazil, the attackers exploited CVE-2023-23752, a vulnerability in the Joomla CMS that allows threat actors to bypass security restrictions. In another attack, the threat actor managed to exfiltrate the data from requests submitted via the website’s contact form.
Rather than looking for specific data, the threat actor attempts to exfiltrate every possible piece of information within targeted databases, such as hashed and plain text user credentials. Group-IB’s Threat intelligence unit has not observed how GambleForce exploits the stolen information and continues tracking the group.
“Web injections are among the oldest and most popular attack vectors,” Nikita Rostovcev, Senior Analyst at the Advanced Persistent Threat Research Team, Group-IB, said. “And the reason is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”