A previously undisclosed hacking group, GambleForce, has recently emerged, engaging in a series of SQL injection attacks against organizations primarily located in the Asia-Pacific (APAC) region since September 2023. The group’s modus operandi involves employing fundamental yet potent techniques, such as exploiting SQL vulnerabilities and targeting vulnerable website content management systems (CMS), to pilfer sensitive information, particularly user credentials. The attacks have impacted 24 organizations across diverse sectors, including gambling, government, retail, and travel, in countries like Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand.
GambleForce relies exclusively on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell throughout different stages of its attacks. The group’s primary objective is to exfiltrate sensitive data from compromised networks. Notably, the threat actor also employs the legitimate post-exploitation framework Cobalt Strike, but intriguingly, the version found in its attack infrastructure utilized commands in Chinese, adding an element of mystery to the group’s origins. The attack chain includes exploiting victims’ public-facing applications with SQL injections and taking advantage of a medium-severity Joomla CMS flaw (CVE-2023-23752) to gain unauthorized access to a Brazilian company.
While the specific motives behind GambleForce’s information theft remain unclear, cybersecurity firm Group-IB has taken down the group’s command-and-control (C2) server and informed the identified victims. The attacks underscore the enduring effectiveness of SQL injection vectors, highlighting the significance of secure coding practices, input security, and data validation in preventing such web application vulnerabilities.