GambleForce Attacks: APAC Firms Targeted With SQL Injections
A new threat actor, tracked as GambleForce, has emerged and targeted more than 20 organizations across the Asia-Pacific region. The group is known mainly for using SQL injection to exploit vulnerabilities in content management systems (CMS).
Its primary targets are organizations in sectors such as gambling, government, retail, and travel. This article covers what is known about the SQL injection threat posed by the GambleForce attacks.
GambleForce Tactics: The Underlying Threat
GambleForce employs a range of simple but effective techniques, most notably SQL injection, to exploit vulnerable content management systems (CMS) on public websites. Based on the observed attack patterns, the group uses these injections to pilfer sensitive information, particularly user credentials, which raises significant cybersecurity concerns for the affected organizations.
So far, the group is estimated to have targeted organizations in Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Despite relying on basic techniques, GambleForce has succeeded in six of these attacks, which shows how exposed certain organizations remain to SQL injection.
Unmasking GambleForce Attacks
GambleForce’s CnC, discovered in September 2023, hosted an arsenal of tools such as dirsearch, redis-rogue-getshell, Tinyproxy, and sqlmap. Out of these tools, sqlmap, an open-source pen-testing tool, played a pivotal role in identifying and exploiting vulnerable database servers through SQL injections.
In a SQL injection attack, malicious SQL is supplied through the input fields or parameters of public-facing web pages so that the backend database executes it, giving the attacker unauthorized access to sensitive data. In addition, exploitation of CVE-2023-23752 was identified as part of the GambleForce attack patterns when the threat actor gained unauthorized access to a Brazilian company. This vulnerability is a medium-severity flaw in the Joomla CMS.
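Since the group uses sqlmap against public-facing pages, the web server access log is the first place a defender can spot this activity. The following is an added example, not code from the original article or from Group-IB: it parses a handful of constructed Apache combined-format log lines and flags requests that carry sqlmap's default User-Agent or common injection patterns in the decoded query string.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format); these are not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2023:10:01:02 +0000] "GET /index.php?option=com_content&id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Dec/2023:10:01:05 +0000] "GET /index.php?option=com_content&id=12%27%20AND%201%3D1 HTTP/1.1" 200 5123 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"
203.0.113.7 - - [12/Dec/2023:10:01:06 +0000] "GET /index.php?id=12%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Dec/2023:10:02:00 +0000] "GET /search.php?q=cats+and+dogs HTTP/1.1" 200 1800 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Patterns matched against the URL-decoded request path and query string.
SQLI_RE = re.compile(
    r"(?:'|\")\s*(?:or|and)\s+[\w']+\s*=\s*[\w']+"   # quote followed by OR/AND tautology
    r"|\bunion\b\s+(?:all\s+)?select\b"               # UNION SELECT data extraction
    r"|\b(?:sleep|benchmark|pg_sleep|waitfor)\s*\("   # time-based blind probes
    r"|--\s*$|/\*",                                    # SQL comment used to cut off the query
    re.IGNORECASE,
)
# sqlmap's default User-Agent; trivially changed by the operator, so payload
# matching above is the more reliable signal and the UA is only corroboration.
SCANNER_UA_RE = re.compile(r"^sqlmap/", re.IGNORECASE)


def analyze(log_text):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that are not in combined format
        decoded = unquote_plus(m["path"])  # look at what the application actually saw
        reasons = []
        if SCANNER_UA_RE.search(m["ua"]):
            reasons.append("sqlmap user-agent")
        if SQLI_RE.search(decoded):
            reasons.append("sql injection pattern in request")
        if reasons:
            alerts.append({"ip": m["ip"], "status": m["status"], "path": decoded, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The fourth sample line, a benign search for "cats and dogs", produces no alert because the tautology pattern requires a preceding quote; tuning such patterns against real traffic is what keeps the false-positive rate usable.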
How GambleForce uses the information it steals from APAC organizations is currently unknown. The group relies exclusively on publicly available open-source tools for initial access, reconnaissance, and data exfiltration.
Notably, the group employs the Cobalt Strike framework, with a version discovered on their server containing commands in Chinese. However, attributing the group’s origin solely based on this linguistic aspect remains inconclusive.
Swift Action: Takedown of Command and Control Server
Group-IB’s Threat Intelligence unit swiftly identified GambleForce’s command and control server (CnC). Taking decisive action, the company’s Computer Emergency Response Team (CERT-GIB) successfully brought down the CnC, dismantling the nerve center of GambleForce’s operations.
Group-IB also notified the identified victims, giving them an important layer of defense against further attacks. The firm observed that, rather than searching for specific data, the threat actor attempts to exfiltrate the entire contents of any database it reaches.
GambleForce's exploitation tactics are a stark reminder that organizations must develop strategies to defend against this kind of attack. Although the immediate threat to APAC firms has been neutralized, reports indicate that the threat actor is likely to become active again.
Given that the threat actor aims to exfiltrate entire databases, preventing SQL injections in business networks is paramount.
The GambleForce attacks in the Asia-Pacific region highlight the need for cybersecurity measures that prevent SQL injection. The threat actor is known to use open-source tools to identify and exploit vulnerabilities in databases, and its basic techniques have still produced six successful attacks. This not only shows how vulnerable organizational infrastructure is but also calls for proactive cybersecurity measures.