Since September 2023 [1] [5], the hacker group GambleForce has been carrying out SQL injection attacks on organizations in the Asia Pacific region. This group exploits vulnerabilities in website content management systems to gain unauthorized access to sensitive data.

Description

GambleForce targets various organizations in the Asia Pacific region, including gambling companies [3], government agencies [2] [3] [7], retail businesses [3] [7], travel companies [3], and the job-search sector [6]. They use tools like sqlmap [7], dirsearch [3] [6] [7], redis-rogue-getshell [3] [6] [7], and Cobalt Strike for initial access, reconnaissance [4], and data exfiltration [4]. The group has successfully compromised six out of the 20 websites they have targeted in countries such as Australia [4], China [3] [4] [6], India [4] [6], Indonesia [4] [6], the Philippines [4] [6], South Korea [4] [6], Thailand [4] [6], and Brazil [4]. They have managed to obtain user databases containing logins, hashed passwords [3] [4] [7], and lists of main tables [4] [7]. How the stolen data is used remains unknown, but it is possible that GambleForce is collecting it for future exploits or selling it on the dark web [6]. Despite the takedown of their command and control server, researchers anticipate that GambleForce will regroup and launch new attacks in the future. The origin of the group is still unknown [7], although Chinese-language commands were discovered in the Cobalt Strike version they used. It is worth noting that Chinese scammers have recently created cloned versions of legitimate websites and redirected visitors to gambling sites [6].

Conclusion

The actions of GambleForce have had significant impacts on the organizations they targeted, potentially compromising sensitive data and user information. While efforts have been made to disrupt their operations, it is likely that the group will continue to pose a threat in the future. Organizations in the Asia Pacific region [3] [7], particularly travel firms, government agencies [2] [3] [7], and gambling concerns [7], should take steps to strengthen their cybersecurity measures and protect against SQL injection attacks. Additionally, users should be cautious when accessing websites, especially those that may have been cloned by scammers. Vigilance and proactive security measures are crucial in mitigating the risks posed by groups like GambleForce.
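The SQL injection technique the reporting attributes to GambleForce, and the mitigation recommended above, come down to one coding pattern. The following added example (not code from any of the cited reports, nor from any targeted site) shows a website user lookup written the vulnerable way, with untrusted input concatenated into the SQL string, beside the parameterized form that defeats the same input, and adds a small log check of the kind a defender can run over web-server access logs. The in-memory SQLite table, the log lines, and the `sqlmap` user-agent string are all constructed for the example; a real scanner can change its user agent, so the log check is a first-pass signal rather than a complete detection.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample data: an in-memory table standing in for a CMS user
# table. It holds only hashed passwords, as the compromised databases did.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (login, pw_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b"), ("carol", "hash-c")],
    )
    conn.commit()
    return conn

def lookup_user_vulnerable(conn, login):
    # Vulnerable pattern: the untrusted value becomes part of the SQL text,
    # so a quote in the input changes the statement's structure.
    query = f"SELECT login FROM users WHERE login = '{login}'"
    return [row[0] for row in conn.execute(query)]

def lookup_user_safe(conn, login):
    # Hardened pattern: a parameterized query. The driver passes the value
    # separately from the statement, so it is only ever compared as data.
    rows = conn.execute("SELECT login FROM users WHERE login = ?", (login,))
    return [row[0] for row in rows]

def demo():
    conn = build_db()
    benign = "alice"
    # Constructed tautology input of the kind automated scanners probe with.
    injected = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_user_vulnerable(conn, benign),
        "vulnerable_injected": lookup_user_vulnerable(conn, injected),  # every row leaks
        "safe_benign": lookup_user_safe(conn, benign),
        "safe_injected": lookup_user_safe(conn, injected),              # no match
    }

# Constructed Apache combined-format access log lines (hypothetical traffic).
LOG_LINES = [
    '203.0.113.5 - - [14/Dec/2023:10:01:02 +0000] "GET /index.php?id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Dec/2023:10:01:03 +0000] "GET /index.php?id=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    '198.51.100.9 - - [14/Dec/2023:10:02:10 +0000] "GET /about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d+ \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Quote-then-boolean tautologies and UNION SELECT in the decoded request.
TAUTOLOGY_RE = re.compile(
    r"'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+'?|union\s+select", re.IGNORECASE
)

def flag_suspicious_requests(lines):
    """Return (line_index, reasons) for lines that look like SQLi probing."""
    hits = []
    for i, line in enumerate(lines):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        reasons = []
        if "sqlmap" in m.group("ua").lower():
            reasons.append("sqlmap user-agent")
        # URL-decode before matching so %27 / %20 encodings do not hide the pattern.
        if TAUTOLOGY_RE.search(unquote(m.group("path"))):
            reasons.append("tautology/union pattern in request")
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
    for idx, why in flag_suspicious_requests(LOG_LINES):
        print(f"line {idx}: {', '.join(why)}")
```

The query side is the fix the page calls for: the parameterized lookup returns nothing for the tautology input, while the concatenated version returns every account. The log side is a triage aid; it decodes each request before matching, since encoded quotes are the normal case in scanner traffic, and the rows-returned counter in the vulnerable path (three results for one login) is the kind of anomaly an application-level check can also alert on.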

References

[1] https://thehackernews.com/2023/12/new-hacker-group-gambleforce-tageting.html
[2] https://siliconangle.com/2023/12/14/group-ib-new-cyber-threat-actor-gambleforce-targets-websites-eight-countries/
[3] https://www.darkreading.com/cloud-security/gambleforce-threat-actor-sql-injection-attacks
[4] https://www.infosecurity-magazine.com/news/gambleforce-websites-sql-injection/
[5] https://cyber.vumetric.com/security-news/2023/12/14/new-hacker-group-gambleforce-tageting-apac-firms-using-sql-injection-attacks/
[6] https://www.hackread.com/gambleforce-hacks-targets-open-source-tools/
[7] https://www.bankinfosecurity.com/hackers-keep-winning-by-gambling-on-sql-injection-exploits-a-23882