UPDATED 01:00 EDT / DECEMBER 14 2023


New cyberthreat actor GambleForce targets websites in eight countries

Cybersecurity services company Group-IB Global Pvt. Ltd. today published details of a previously unknown threat group that has been active in targeting gambling, government, retail and travel websites in Australia, China, India, Indonesia, Philippines, South Korea, Thailand and Brazil.

Dubbed “GambleForce,” the threat group uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems to steal sensitive information, such as user credentials. The name GambleForce was coined in reference to the group’s initial targets in the gambling industry.

Group-IB’s Threat Intelligence team first discovered GambleForce’s command-and-control server in September. The server was found to house the gang’s tools, including dirsearch, redis-rogue-getshell, Tinyproxy and sqlmap, the last of which is a popular open-source penetration testing tool designed to identify database servers vulnerable to SQL injection and exploit them.

Group-IB’s Computer Emergency Response Team was subsequently able to take the command-and-control server down. The company also issued notifications to the identified victims of GambleForce.

The gang relies exclusively on publicly available open-source tools for initial access, reconnaissance and data exfiltration, along with Cobalt Strike. A form of penetration testing software, Cobalt Strike has long been popular with hackers, with the source code for the software being published on GitHub in 2020.

The version of Cobalt Strike discovered by Group-IB’s researchers on the gang’s server notably used commands in Chinese. However, the researchers say that using the Chinese language version of Cobalt Strike is not enough to attribute the group’s origin.

Between September and December 2023, GambleForce was found to have targeted 24 organizations. Victims include websites in the travel industry in Australia and Indonesia, a retail website in Indonesia, a government site in the Philippines and a gambling site in South Korea.

The attack vectors used by GambleForce can vary, but in one attack the group exploited CVE-2023-23752, a known vulnerability in the Joomla CMS, which allowed them to bypass security restrictions. In another example, the group extracted data from website contact form submissions, highlighting their ability to exploit various entry points.

The researchers note that GambleForce’s approach to data theft is alarming, as rather than seeking specific information, they attempt to exfiltrate every possible piece of data from the targeted databases. This includes both hashed and plain text user credentials. Group-IB is yet to determine how the group utilizes or monetizes the stolen data.

“Web injections are among the oldest and most popular attack vectors,” explained Nikita Rostovcev, senior analyst at Group-IB’s Advanced Persistent Threat Research Team. “And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”
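The coding mistake Rostovcev describes, shown side by side with its fix, as an added example that is not from Group-IB or the article: a contact-form lookup built by string concatenation next to the same lookup as a parameterised query. The table, its schema and the three rows are constructed for the demonstration and are not from the report.

```python
import sqlite3

# Constructed sample data standing in for a website's contact-form table
# (hypothetical schema; nothing here comes from Group-IB's findings).
SUBMISSIONS = [
    ("alice@example.com", "Question about booking"),
    ("bob@example.com", "Refund request"),
    ("carol@example.com", "Account locked"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed submissions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contact_submissions (email TEXT, message TEXT)")
    conn.executemany("INSERT INTO contact_submissions VALUES (?, ?)", SUBMISSIONS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Insecure form: the user-supplied value is spliced into the SQL text,
    so quote characters and operators inside it change the query's logic
    and can turn a single-row lookup into a dump of the whole table."""
    query = ("SELECT email, message FROM contact_submissions "
             "WHERE email = '" + email + "'")
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the value is bound as a parameter, so the driver
    always treats it as data to compare, never as SQL to parse."""
    query = "SELECT email, message FROM contact_submissions WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def compare(email: str) -> tuple:
    """Run both lookups on a fresh database; return (unsafe_rows, safe_rows)."""
    conn = build_db()
    try:
        return lookup_unsafe(conn, email), lookup_safe(conn, email)
    finally:
        conn.close()
```

For a well-formed address both functions return the one matching row; for input containing SQL metacharacters only the concatenated version's result set changes, which is the "every possible piece of data" outcome the researchers describe.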

Image: DALL-E 3
