New cyber threats emerge regularly, and Group-IB, the cybersecurity technology provider, has recently identified a formidable one - GambleForce. First seen in September 2023, this threat actor has amassed over 20 victims from different sectors, including gambling, government, retail, and travel, across nations like Australia, China, India, Indonesia, Philippines, South Korea, Thailand, and Brazil.
GambleForce set a spotlight on the gambling industry initially, hence its name. They employ SQL injections and exploit the vulnerabilities in website content management systems (CMS) to extract sensitive information such as user credentials.
Despite relying solely on readily available open-source tools for initial access, reconnaissance, and data exfiltration, their activities have proved detrimental.
In discovering GambleForce, Group-IB's Threat Intelligence team played a vital role, notably spotting the command and control server (CnC) of the threat actor. Following this was a triumphant shutdown of the CnC by the Group-IB's Computer Emergency Response Team (CERT-GIB), after which notifications were sent out to the identified victims.
The tools found on GambleForce's server, after its exposure in September 2023, included publicly accessible open-source pentesting tools like sqlmap and Cobalt Strike. Sqlmap reveals and exploits database servers susceptible to SQL injections by injecting malicious SQL code into a public-facing webpage. This technique allows threat actors to skip default authentication and gain access to sensitive data. The Cobalt Strike on their server contained commands in Chinese, though the origin of the group remains uncertain.
Between September and December 2023, GambleForce targeted 24 organisations in 8 countries, ostensibly breaching six websites from sectors such as travel in Australia and Indonesia, government in the Philippines, and gambling in South Korea.
During successful attacks, they managed to obtain user databases, which included login details, hashed passwords, and other sensitive database information. Notably, they exploited SQL injections in almost all known attacks, bypassing security restrictions in one attack in Brazil.
GambleForce is characterised by its exhaustive attempts to extract every possible piece of information from targeted databases, which include hashed and plain text user credentials. This extraction, as stated by the Group-IB Threat Intelligence unit, is currently being used by the threat actor in unknown ways, and they continue to track GambleForce.
Nikita Rostovcev, Senior Analyst at the Advanced Persistent Threat Research Team of Group-IB, notes that, "Web injections are among the oldest and most popular attack vectors. And the reason being is that sometimes developers overlook the importance of input security and data validation."
"Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications."
Founded in 2003 and headquartered in Singapore,Group-IB creates cybersecurity technologies to investigate, prevent, and fight digital crime. Group-IBs Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, and Asia-Pacific to help critically analyse and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.