December 14, 2023 at 11:18AM
Group-IB reports a new hacking group, GambleForce, targeting 24 organizations in Asia-Pacific using SQL injections and CMS vulnerabilities to steal sensitive information. The group relies on open source tools and has successfully exfiltrated data from organizations in Australia, Indonesia, the Philippines, and South Korea. GambleForce’s C&C has been taken down but may regroup.
Key takeaways from the meeting notes:
– A threat actor named GambleForce has targeted 24 organizations across eight countries, predominantly in the Asia-Pacific region, since September.
– The group has been using SQL injections and exploiting vulnerabilities in the content management systems of organizations in the gambling, government, retail, and travel sectors to steal sensitive information, including user credentials.
– GambleForce relies exclusively on open source and publicly available tools for initial access, reconnaissance, and data theft, and has been observed using the Cobalt Strike pentesting framework in attacks.
– Group-IB identified tools such as dirsearch, redis-rogue-getshell, Tinyproxy, and sqlmap on the hacking group’s command-and-control server.
– The threat actor has successfully exfiltrated data from organizations in Australia, Indonesia, the Philippines, and South Korea.
– They have also been observed exploiting a specific vulnerability in Joomla and exfiltrating data through website contact forms.
– The C&C server has been taken down, but it is believed that the threat actor will regroup and rebuild its infrastructure.
– It is likely that GambleForce operates outside of the US and may have links to China, based on the specific command used on the C&C server and the use of a Cobalt Strike version that accepts commands in Chinese.
Let me know if you need any further information or assistance!