A beforehand unknown hacker outfit referred to as GambleForce has been attributed to a collection of SQL injection assaults towards firms primarily within the Asia-Pacific (APAC) area since at the very least September 2023.
“GambleForce makes use of a set of primary but very efficient strategies, together with SQL injections and the exploitation of weak web site content material administration techniques (CMS) to steal delicate data, comparable to person credentials,” Singapore-headquartered Group-IB mentioned in a report shared with The Hacker Information.
The group is estimated to have focused 24 organizations within the playing, authorities, retail, and journey sectors throughout Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of those assaults had been profitable.
The modus operandi of GambleForce is its unique reliance on open-source instruments like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at totally different phases of the assaults with the final word purpose of exfiltrating delicate data from compromised networks.
Additionally utilized by the risk actor is the official post-exploitation framework often called Cobalt Strike. Apparently, the model of the software found on its assault infrastructure used instructions in Chinese language, though the group’s origins are removed from clear.
The assault chains entail the abuse of victims’ public-facing purposes of victims by exploiting SQL injections in addition to the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to realize unauthorized entry to a Brazilian firm.
It is presently not recognized how GambleForce leverages the stolen data. The cybersecurity agency mentioned it additionally took down the adversary’s command-and-control (C2) server and notified the recognized victims.
“Net injections are among the many oldest and hottest assault vectors,” Nikita Rostovcev, senior risk analyst at Group-IB, mentioned.
“And the reason is is that typically builders overlook the significance of enter security and knowledge validation. Insecure coding practices, incorrect database settings, and outdated software program create a fertile atmosphere for SQL injection assaults on internet purposes.”
