In the ever-evolving landscape of cyber threats, a hitherto unknown hacker outfit named GambleForce has emerged as a formidable player, orchestrating a series of SQL injection attacks primarily targeting companies in the Asia-Pacific (APAC) region since September 2023. Employing a set of basic yet highly effective techniques, GambleForce has successfully breached organizations in the gambling, government, retail, and travel sectors across multiple countries, raising concerns about the vulnerabilities present in web applications.
The Techniques Unveiled:
GambleForce relies on a combination of tactics, with a focus on SQL injections and exploiting vulnerabilities in website content management systems (CMS). According to a report from Singapore-based cybersecurity firm Group-IB, the group utilizes open-source tools such as dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell in various stages of their attacks. Astonishingly, the hackers employ the legitimate post-exploitation framework Cobalt Strike, incorporating commands in Chinese, adding a layer of mystery to their origin.
Targets and Success Rate:
The hacker group has set its sights on 24 organizations spanning the APAC region, including Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Notably, six of these attacks have been successful, resulting in the compromise of sensitive information and potential data breaches. The sectors affected, including gambling, government, retail, and travel, underscore the broad scope of GambleForce’s operations.
GambleForce’s attack strategy involves exploiting victims’ public-facing applications through SQL injections and leveraging vulnerabilities like CVE-2023-23752 in Joomla CMS. The group uses sqlmap, an open-source penetration testing tool, to automate the identification of vulnerable database servers and to weaponize them for unauthorized access. The attacks involve injecting malicious SQL code through the input fields of the targeted website’s public-facing web pages, bypassing default authentication protections and gaining access to sensitive data, including hashed and plaintext user credentials.
The Role of Cobalt Strike:
One intriguing aspect of GambleForce’s operations is the use of Cobalt Strike, a post-exploitation framework typically employed by advanced threat actors. The version discovered on their attack infrastructure features commands in Chinese, adding complexity to the group’s attribution. The motive behind using this framework and the significance of Chinese-language commands remain unclear.
Addressing the Root Causes:
Cybersecurity experts emphasize that web injections, such as SQL injection attacks, persist as one of the oldest yet still effective attack vectors because developers overlook input handling and data validation. Insecure coding practices, incorrect database settings, and outdated software create an environment ripe for exploitation, underscoring the importance of proactive cybersecurity measures.
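To make the root cause concrete, here is an added example (not code from the report or from any affected product) showing the coding mistake behind a login bypass beside its fix: a string-built query lets a username containing a quote and an SQL comment cut off the password check, while the same lookup with bound parameters treats the input as plain data. The user table and its single account are constructed sample data.

```python
import hashlib
import sqlite3


def hash_pw(password: str) -> str:
    """Demo-only hash; a real service should use a salted, slow KDF."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table with one sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hash_pw("correct horse")))
    db.commit()
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Builds the query by string formatting: user input becomes SQL syntax.

    A username such as  alice' --  closes the quoted literal and comments
    out the AND pw_hash = ... clause, so the password is never checked.
    """
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND pw_hash = '{hash_pw(password)}'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders bind the input as data, never as SQL."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, hash_pw(password)),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bad password:", login_vulnerable(db, "alice' --", "wrong"))
    print("parameterized, bad password:", login_parameterized(db, "alice' --", "wrong"))
```

Running the block shows the string-built query accepting the malformed username with a wrong password while the parameterized query rejects it; the only difference between the two functions is how the input reaches the database.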
As GambleForce continues to pose a significant threat in the APAC region, cybersecurity professionals, organizations, and governments must remain vigilant. Understanding and addressing the root causes of vulnerabilities, enhancing web application security, and adopting proactive measures are crucial steps in mitigating the risks posed by emerging cyber threats. The unmasking of GambleForce serves as a reminder of the dynamic and ever-evolving nature of cyber warfare, demanding continuous efforts to stay one step ahead of malicious actors.