December 14, 2023 at 02:18AM
Since at least September 2023, the threat group GambleForce has carried out SQL injection attacks across the Asia-Pacific region, hitting 24 organizations in the gambling, government, retail, and travel sectors. The group used off-the-shelf tools such as dirsearch, sqlmap, and Cobalt Strike, and also exploited a flaw in the Joomla CMS. Group-IB identified and took down the group’s command-and-control (C2) server and notified the victims. The campaign is a reminder that SQL injection, one of the oldest classes of web vulnerability, still works against production sites.
Key takeaways:
– The hacker outfit GambleForce has been attributed to a series of SQL injection attacks against organizations in the Asia-Pacific region since at least September 2023.
– GambleForce has targeted organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand.
– The group relies on basic but effective techniques: SQL injection against public-facing web applications and exploitation of vulnerable website content management systems (CMS), with the goal of stealing sensitive information.
– GambleForce relies on open-source tools, namely dirsearch (web path brute-forcing), sqlmap (automated SQL injection discovery and exploitation), tinyproxy (a lightweight HTTP proxy) and redis-rogue-getshell (code execution on exposed Redis instances), as well as the commercially licensed post-exploitation framework Cobalt Strike.
– The attack chains combine SQL injection with exploitation of a medium-severity flaw in the Joomla CMS.
– It is currently not known how GambleForce leverages the stolen information.
– Group-IB took down GambleForce’s command-and-control server and notified the identified victims.
Together these points outline the group’s tooling and tactics and the response taken by Group-IB. The practical lesson for defenders is that commodity tooling aimed at well-known vulnerability classes is still enough to compromise production sites.
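The following is an added example, not code from the original post or from Group-IB’s analysis, showing the vulnerability class behind the campaign: a lookup that splices user input into the SQL text next to the same lookup with a bound parameter, run against two payloads of the kind sqlmap generates automatically (a tautology probe and a UNION-based exfiltration of a second table). The schema, rows, placeholder password hashes and payloads are all constructed for illustration and are assumptions, not data from the report.

```python
import sqlite3


# Constructed sample schema and rows (not from the report): a users table
# and a separate credentials table, standing in for a CMS backend.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, role TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "admin"),
         ("bob", "bob@example.com", "player"),
         ("carol", "carol@example.com", "player")],
    )
    conn.executemany(
        "INSERT INTO credentials VALUES (?, ?)",
        [("alice", "$2b$12$hash-for-alice"),   # placeholder hashes, constructed
         ("bob", "$2b$12$hash-for-bob"),
         ("carol", "$2b$12$hash-for-carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the input is spliced into the SQL text, so a quote in it
    closes the string literal and everything after it is parsed as SQL."""
    sql = ("SELECT username, email, role FROM users "
           "WHERE username = '" + username + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the value is bound as a parameter and never becomes part of
    the statement, so quotes, OR and UNION in it are only bytes to compare."""
    return conn.execute(
        "SELECT username, email, role FROM users WHERE username = ?",
        (username,),
    ).fetchall()


# Two constructed payloads of the kind sqlmap produces automatically.
TAUTOLOGY = "x' OR '1'='1"
# The UNION must match the column count (3) of the original SELECT; the
# trailing comment marker discards the closing quote the application appends.
UNION_EXFIL = ("x' UNION SELECT username, password_hash, 'leaked' "
               "FROM credentials --")


def run_demo() -> dict:
    """Run both payloads through both lookups and return the rows each yields."""
    conn = make_db()
    return {
        "tautology_vulnerable": lookup_vulnerable(conn, TAUTOLOGY),
        "tautology_parameterized": lookup_parameterized(conn, TAUTOLOGY),
        "union_vulnerable": lookup_vulnerable(conn, UNION_EXFIL),
        "union_parameterized": lookup_parameterized(conn, UNION_EXFIL),
        "legitimate": lookup_parameterized(conn, "bob"),
    }


if __name__ == "__main__":
    for name, rows in run_demo().items():
        print(f"{name}: {rows}")
```

Against the concatenated query the tautology returns every row of `users` and the UNION payload returns the contents of `credentials`, a table the endpoint was never meant to read; the parameterized version returns nothing for either payload and still finds the genuine user. The fix is the query shape, not input filtering: a filter that strips quotes would not stop the many encodings sqlmap tries.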