UPDATED 01:00 EST / DECEMBER 14 2023

SECURITY

New cyberthreat actor GambleForce targets websites in eight countries

Cybersecurity services company Group-IB Global Pvt. Ltd. today published details of a previously unknown threat group that has been active in targeting gambling, government, retail and travel websites in Australia, China, India, Indonesia, Philippines, South Korea, Thailand and Brazil.

Dubbed “GambleForce,” the threat group uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems to steal sensitive information, such as user credentials. The name GambleForce was coined in reference to the group’s initial targets in the gambling industry.

Group-IB’s Threat intelligence team first discovered GambleForce’s command and control server in September. The server was found to house the gang’s tools, including dirsearch, redis-rogue-getshell, Tinyproxy and sqlmap, the last one a popular open-source penetration testing tool designed to identify database servers vulnerable to SQL injections and exploit them.

Group-IB’s Computer Emergency Response Team was able to subsequently take the CnC server down. The company also issued notifications to identified victims of GambleForce.

The gang relies exclusively on publicly available open-source tools for initial access, reconnaissance and data exfiltration along with Cobalt Strike. A form of penetration testing software, Cobalt Strike has long been long popular with hackers, with the source code for the software being published on GitHub in 2020.

The version of Cobalt Strike discovered by Group-IB’s researchers on the gang’s server notably used commands in Chinese. However, the researchers say that using the Chinese language version of Cobalt Strike is not enough to attribute the group’s origin.

Between September and December 2023, GambleForce was found to have targeted 24 organizations. Victims include websites in the travel industry in Australia and Indonesia, a retail website in Indonesia, a government site in the Philippines and a gambling site in South Korea.

The actor vectors used by GambleForce can vary, but in one attack, the group exploited CVE-2023-23752, a known vulnerability in the Joomla CMS, which allowed them to bypass security restrictions. In another example, the group extracted data from website contact form submissions, highlighting their ability to exploit various entry points.

The researchers note that GambleForce’s approach to data theft is alarming, as rather than seeking specific information, they attempt to exfiltrate every possible piece of data from the targeted databases. This includes both hashed and plain text user credentials. Group-IB is yet to determine how the group utilizes or monetizes the stolen data.

“Web injections are among the oldest and most popular attack vectors,” explained Nikita Rostovcev, senior analyst at Group-IB’s Advanced Persistent Threat Research Team. “And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”

Image: DALL-E 3

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU