Headline
New Hacker Group 'GambleForce' Tageting APAC Firms Using SQL Injection Attacks
A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive
Vulnerability / Data Breach
A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.
“GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.
The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.
UPCOMING WEBINAR
Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals
Traditional security measures won’t cut it in today’s world. It’s time for Zero Trust Security. Secure your data like never before.
Join Now
The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.
Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group’s origins are far from clear.
The attack chains entail the abuse of victims’ public-facing applications of victims by exploiting SQL injections as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.
It’s currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary’s command-and-control (C2) server and notified the identified victims.
“Web injections are among the oldest and most popular attack vectors,” Nikita Rostovcev, senior threat analyst at Group-IB, said.
“And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.
By Waqas Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally. This is a post from HackRead.com Read the original post: New Hacker Group GambleForce Hacks Targets with Open Source Tools
Joomla! versions prior to 4.2.8 suffer from an unauthenticated information disclosure vulnerability.
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.