New ‘GambleForce’ Threat Actor Behind String of SQL Injection Attacks


Security researchers have recently identified a new threat actor, known as “GambleForce,” engaging in a series of SQL injection attacks against organizations in the Asia-Pacific region. The group, first detected by threat hunters at Group-IB in September, initially targeted gambling companies but has expanded its focus to include government entities, retail businesses, travel companies, and job websites.

The GambleForce Campaign

Group-IB’s report reveals that GambleForce has conducted attacks on at least two dozen organizations across Australia, Indonesia, the Philippines, India, and South Korea. The threat actor demonstrated a flexible approach, ceasing attacks after reconnaissance in some instances and successfully extracting user databases containing login credentials and hashed passwords in others.

SQL injection attacks exploit flaws in how web applications build database queries from untrusted input, allowing threat actors to execute unauthorized actions such as retrieving, modifying, or deleting data. Despite being a well-known vulnerability class, SQL injection remains prevalent, constituting 33% of all discovered web application flaws in 2022.

“GambleForce’s campaign stands out due to the group’s reliance on publicly available penetration testing tools for executing SQL injection attacks,” noted Nikita Rostovcev, Group-IB senior threat analyst.

Publicly Available Pen-Testing Tools

Group-IB’s analysis of the threat actor’s command-and-control (C2) server uncovered the use of publicly available penetration testing tools, demonstrating GambleForce’s avoidance of custom tools. Among the tools identified were dirsearch for discovering hidden files and directories, redis-rogue-getshell for remote code execution on Redis installations, and sqlmap for finding and exploiting SQL vulnerabilities. Additionally, the threat actor utilized Cobalt Strike, a popular open-source pen-testing tool, for post-compromise operations.

While the Cobalt Strike version employed by GambleForce featured Chinese-language commands, it is crucial to note that this alone does not definitively attribute the threat group to a specific country. Another potential indicator of the group’s origin is the use of a Chinese-language framework for creating and managing reverse shells on compromised systems.

Future Threat Landscape

Group-IB took down GambleForce’s C2 server upon discovery, but the researchers anticipate the threat actor regrouping and rebuilding its infrastructure to launch new attacks. The group’s motivation and specific use of exfiltrated data remain unclear, as telemetry suggests they are not targeting specific information during their attacks.

GambleForce’s reliance on publicly available tools underscores the importance of organizations prioritizing secure input handling, data validation, and regular software updates to mitigate SQL injection vulnerabilities. As this threat group may resurface with renewed tactics, organizations must remain vigilant and employ robust security measures to safeguard against SQL injection and similar cyber threats.