December 14, 2023 at 05:20PM
Group-IB has detected a new threat group, “GambleForce,” engaged in SQL injection attacks on organizations in the Asia-Pacific region. This group has targeted various sectors, including gambling, government, retail, travel, and job websites, using publicly available penetration-testing tools. The threat actor’s activities have led to data breaches in multiple organizations, sparking concerns for potential future attacks.
Key Takeaways from the Meeting Notes:
1. GambleForce is a new threat actor targeting organizations in the Asia-Pacific region with SQL injection attacks, initially spotted by Group-IB in September.
2. The group targeted gambling companies initially, but has since expanded its attacks to various sectors including government, retail, travel, and job websites.
3. GambleForce has attacked at least two dozen organizations across Australia, Indonesia, Philippines, India, and South Korea, extracting user databases and other data, such as logins, hashed passwords, and lists of tables from accessible databases.
4. The attacks are executed through the use of publicly available penetration testing software on their command-and-control server, with no custom tools found.
5. The tools used include dirsearch, redis-rogue-getshell, sqlmap, and the open source pen-testing tool Cobalt Strike for post-compromise operations.
6. Additional hints about the threat group’s potential origin were observed, including the use of Chinese commands and loading files from a source hosting Chinese-language frameworks for managing compromised systems.
7. It’s unclear how the exfiltrated data will be used by GambleForce, and it is anticipated that they may regroup and launch new attacks despite the takedown of their command-and-control server.
These takeaways highlight the persistent threat posed by GambleForce, and the need for organizations to address SQL injection vulnerabilities, input security, and data validation to mitigate such attacks.