Recent cybersecurity reports describe a series of SQL injection attacks attributed to a newly identified threat group named GambleForce. The group has predominantly targeted organizations across the Asia-Pacific (APAC) region since September 2023, and its success says as much about the state of web application security practices as it does about the attackers.
According to Group-IB, a cybersecurity firm headquartered in Singapore, GambleForce relies on straightforward but effective tactics: SQL injection against public-facing web applications, combined with the exploitation of known weaknesses in content management systems (CMS). The objective is to extract sensitive data, including user credentials, from the databases behind the compromised applications. During the period of activity observed by Group-IB, the group targeted 24 organizations in the gambling, government, retail, and travel sectors, six of which were successfully breached, with victims located in Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand.
GambleForce's toolkit consists almost entirely of open-source tools: dirsearch for enumerating directories and files on web servers, sqlmap for discovering and exploiting SQL injection flaws, tinyproxy for proxying traffic, and redis-rogue-getshell for obtaining a shell on exposed Redis instances. Each tool covers a distinct stage of the intrusion, from reconnaissance through exploitation to post-exploitation. The group also uses Cobalt Strike, a commercial post-exploitation framework widely abused by attackers; the build found on the group's infrastructure used commands in Chinese, a detail that complicates rather than settles questions about the group's origin.
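Off-the-shelf tools like the ones listed above leave recognizable traces in web server logs, and checking for them is a cheap first step for any organization that thinks it may be in this group's target set. The following is an added example, not code from Group-IB's report, that scans access log lines in combined log format for two such traces: sqlmap's default User-Agent string, which has the form `sqlmap/<version>#<stable|dev> (https://sqlmap.org)` unless the operator overrides it, and URL-encoded SQL injection payloads in request paths. The log lines are constructed for the example, including the sqlmap version number, and do not come from any real incident.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (combined log format); not from any real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Oct/2023:10:01:12 +0000] "GET /index.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Oct/2023:10:01:13 +0000] "GET /index.php?id=1%27%20AND%201%3D1-- HTTP/1.1" 200 5120 "-" "sqlmap/1.7.12#stable (https://sqlmap.org)"
203.0.113.5 - - [02/Oct/2023:10:01:14 +0000] "GET /index.php?id=1%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Oct/2023:10:02:00 +0000] "GET /search?q=o%27neil HTTP/1.1" 200 210 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# sqlmap's default User-Agent; trivially changed with --random-agent, so absence proves nothing.
SQLMAP_UA_RE = re.compile(r"^sqlmap/\S+ \(https://sqlmap\.org\)")

# Payload patterns applied to the URL-decoded path. A lone quote (o'neil) is not enough:
# each pattern requires SQL syntax that legitimate parameter values essentially never contain.
SQLI_PATTERNS = {
    "union-select": re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "boolean-tautology": re.compile(r"['\"]\s*(and|or)\s+\d+\s*=\s*\d+", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\s*\(", re.I),
    "schema-enumeration": re.compile(r"\binformation_schema\b", re.I),
}


def classify(line):
    """Return the list of reasons a log line is suspicious, or [] if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    reasons = []
    if SQLMAP_UA_RE.match(m.group("ua")):
        reasons.append("sqlmap-user-agent")
    decoded = unquote_plus(m.group("path"))
    for name, pattern in SQLI_PATTERNS.items():
        if pattern.search(decoded):
            reasons.append(name)
    return reasons


def analyze(log_text):
    """Scan a block of log text and return one finding per suspicious line."""
    findings = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            m = LOG_RE.match(line)
            findings.append({"ip": m.group("ip"), "path": m.group("path"), "reasons": reasons})
    return findings


def sources_by_hits(findings):
    """Aggregate findings per source IP; sqlmap runs produce bursts from one address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["path"], ",".join(f["reasons"]))
    print(sources_by_hits(analyze(SAMPLE_LOG)))
```

The per-IP aggregation matters more than any single match: sqlmap issues hundreds of requests against one parameter in quick succession, so a burst of flagged requests from one address is a far stronger signal than one odd-looking query. Conversely, the User-Agent check only catches operators who did not bother to change the default, which a group using Cobalt Strike and proxies may well have done.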
The attacks follow a clear modus operandi: gaining initial access by exploiting public-facing applications. In one intrusion at a Brazilian organization, the group exploited CVE-2023-23752, a medium-severity flaw in Joomla CMS in which an improper access check exposes web service endpoints to unauthenticated requests; that flaw is an access-control bypass rather than an injection, and it served to obtain information from the target without credentials. The SQL injection attacks that give the campaign its character work differently: where an application builds SQL statements by concatenating user-supplied input, the attackers submit crafted input that alters the statement's logic, allowing them to bypass login checks and to read data the application never intended to expose, including hashed and, in some cases, plaintext user credentials.
The implications of these attacks extend beyond the immediate data theft. They reflect a broader failure in input validation and secure coding practices that has been understood for two decades. Nikita Rostovcev, a senior threat analyst at Group-IB, noted that web injections remain popular because developers still commonly overlook input security. Insecure coding practices, misconfigured database settings, and outdated software together create an environment in which SQL injection continues to succeed.
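To make the failure concrete, here is an added example, written for this article and not taken from Group-IB's report or from any victim's code, showing the two query-building patterns side by side. It uses an in-memory SQLite database with a constructed two-row users table; the usernames, passwords, and the `login_*` and `search_*` function names are assumptions for the illustration. The vulnerable functions build SQL by string formatting, which lets a login be bypassed with a comment-terminated username and lets a search field be turned into a dump of every password hash via UNION. The hardened functions pass the same input as bound parameters, so the database treats it as data rather than as SQL.

```python
import hashlib
import sqlite3

# Constructed sample accounts for the example; not real credentials.
SAMPLE_USERS = [("admin", "correct horse"), ("alice", "hunter2")]


def sha256_hex(password):
    # Unsalted SHA-256 is used only to keep the example short; a real application
    # should use a dedicated password hash such as argon2 or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [(u, sha256_hex(p)) for u, p in SAMPLE_USERS],
    )
    return conn


# --- Vulnerable: user input is spliced into the SQL text -----------------------

def login_vulnerable(conn, username, password):
    """Returns the matched usernames. Username "admin' --" comments out the password check."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password_hash = '{sha256_hex(password)}'")
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_vulnerable(conn, term):
    """A 'find user' feature. A UNION in the term appends every password hash to the result."""
    sql = f"SELECT username FROM users WHERE username LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# --- Hardened: the same queries with bound parameters --------------------------

def login_hardened(conn, username, password):
    """Identical logic, but the driver binds the values; quotes and comments stay literal."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, sha256_hex(password))).fetchall()]


def search_hardened(conn, term):
    sql = "SELECT username FROM users WHERE username LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",)).fetchall()]


# Payloads of the kind sqlmap generates automatically once it finds an injectable parameter.
BYPASS_USERNAME = "admin' --"
DUMP_TERM = "x%' UNION SELECT password_hash FROM users --"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login with bogus password:", login_vulnerable(db, BYPASS_USERNAME, "wrong"))
    print("hardened login with bogus password:  ", login_hardened(db, BYPASS_USERNAME, "wrong"))
    print("vulnerable search dumps hashes:      ", search_vulnerable(db, DUMP_TERM))
    print("hardened search with same input:     ", search_hardened(db, DUMP_TERM))
```

The point of the side-by-side is that nothing about the hardened version is harder to write: the query text is the same, only the input is passed through the driver's parameter binding instead of a format string. Parameterization fixes injection; it does not fix weak password storage, which is why stolen hashes from the kind of dump shown here are still valuable to an attacker.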
At this stage it remains unclear what GambleForce does with the data it steals. Group-IB reports that it took down the group's command-and-control (C2) server and notified the identified victims.
Mapped to the MITRE ATT&CK framework, the behaviour described in the report falls into familiar categories: initial access by exploiting a public-facing application (T1190), of which SQL injection and the Joomla flaw are both instances; exploitation of unpatched vulnerabilities for privilege escalation (T1068); and persistence on the compromised hosts. The report does not publish a full technique mapping, so any finer-grained attribution of tactics is inference from the tools involved. What the mapping makes clear is that none of these techniques is novel, and that the campaign succeeds against organizations that have not applied basic, well-understood controls.
Organizations in the targeted sectors should assess their exposure accordingly: inventory public-facing applications and their CMS versions, confirm that database access from those applications uses parameterized queries rather than string-built SQL, keep CMS software and its extensions patched, and review web server logs for the scanning activity that precedes these attacks.