Fraudulent Gambling Network Might Involve More Sinister Activities

A sprawling network believed to be defrauding individuals through fraudulent online gambling platforms has reportedly been operating for 14 years. Researchers say the operation is likely backed by a nation-state and that its infrastructure has been used against both government and private-sector organizations in the United States and Europe.

Previous investigations have uncovered fragments of this infrastructure. An analysis by the security firm Sucuri described the group's focus on finding and compromising poorly secured websites running the WordPress content management system. Research by Imperva found the attackers scanning for PHP web applications with known, unpatched vulnerabilities. Once a vulnerability is exploited, they deploy GSocket, an open-source remote-access tool used here as a backdoor: it gives them a persistent shell on the compromised server, which they then use to host unauthorized gambling content.

The gambling websites predominantly target Indonesian-speaking users. Because gambling is illegal in Indonesia, there is no legal alternative, and many people are drawn to these illicit services. The operation reportedly controls approximately 236,433 gambling domains, most of them served through Cloudflare. In addition, around 1,481 subdomains have been hijacked from legitimate organizations, typically ones hosting on Amazon Web Services, Azure, and GitHub.
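The article does not say how the legitimate subdomains were hijacked. The usual way an organization's subdomain hosted on AWS, Azure or GitHub ends up serving someone else's content is a dangling DNS record: a CNAME still points at a cloud resource the organization deleted, and an attacker re-creates that resource under the same name. The following script is an added example, not code from the article or from any of the cited researchers, and the mechanism is an assumption rather than a finding of the reporting. It scans a BIND-style zone export for CNAMEs whose targets sit on takeover-prone service suffixes; both the zone data and the suffix list are constructed for illustration.

```python
"""
Added example: flag CNAME records that point at cloud hostnames an attacker
could re-register if the underlying resource has been deleted.
Assumptions: the suffix list is illustrative (not exhaustive, and not a claim
about which providers were abused in this campaign); the zone below is made up.
"""
import re
from dataclasses import dataclass

# Service suffixes where a deleted resource's hostname can be claimed by anyone.
TAKEOVER_PRONE_SUFFIXES = {
    "github.io": "GitHub Pages",
    "azurewebsites.net": "Azure App Service",
    "cloudapp.net": "Azure Cloud Service",
    "s3.amazonaws.com": "AWS S3 website",
    "elasticbeanstalk.com": "AWS Elastic Beanstalk",
}

# Constructed sample zone export for the fictional example.org.
SAMPLE_ZONE = """\
$ORIGIN example.org.
$TTL 3600
@            IN SOA   ns1.example.org. hostmaster.example.org. (2024010101 7200 3600 1209600 3600)
@            IN NS    ns1.example.org.
www          IN A     203.0.113.10
docs         IN CNAME example-org.github.io.
; old marketing site, resource deleted last year
promo        IN CNAME promo-example.azurewebsites.net.
assets       IN CNAME assets.example.org.s3.amazonaws.com.
mail         IN MX    10 mail.example.org.
intranet     IN CNAME intranet.corp.example.org.
"""

# owner [ttl] [class] CNAME target  (class and ttl optional)
_CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?CNAME\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    name: str     # fully qualified subdomain in our zone
    target: str   # CNAME target
    service: str  # provider the target belongs to


def _fqdn(label: str, origin: str) -> str:
    """Expand a zone-file owner label to a fully qualified name (no trailing dot)."""
    if label == "@":
        return origin
    if label.endswith("."):
        return label.rstrip(".")
    return f"{label}.{origin}"


def parse_cnames(zone_text: str) -> list[tuple[str, str]]:
    """Return (owner, target) pairs for every CNAME record in the zone text."""
    origin = ""
    pairs: list[tuple[str, str]] = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        if line.startswith("$"):               # other directives ($TTL etc.)
            continue
        m = _CNAME_RE.match(line)
        if m:
            pairs.append((_fqdn(m.group(1), origin), m.group(2).rstrip(".")))
    return pairs


def find_takeover_candidates(zone_text: str) -> list[Finding]:
    """Flag CNAMEs whose target is on a suffix where the resource could be reclaimed."""
    findings: list[Finding] = []
    for owner, target in parse_cnames(zone_text):
        for suffix, service in TAKEOVER_PRONE_SUFFIXES.items():
            if target == suffix or target.endswith("." + suffix):
                findings.append(Finding(owner, target, service))
                break
    return findings


if __name__ == "__main__":
    for f in find_takeover_candidates(SAMPLE_ZONE):
        print(f"{f.name} -> {f.target} ({f.service}): verify the target still exists")
```

The script only produces candidates; it works offline and cannot tell whether the target resource still exists. For each flagged record, resolve the target and confirm the provider still serves the organization's own content (an NXDOMAIN or the provider's generic "not found" page is the signal that the record is dangling and should be deleted before anyone else claims the name).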

Recent research from Malanta suggests that the visible gambling sites are only the tip of the iceberg. The operation appears to extend beyond financial gain: it is suspected of serving the interests of state-sponsored hackers, whose likely targets span manufacturing, transportation, healthcare, government, and education.

That suspicion rests on the considerable time and money invested in building and maintaining the infrastructure over the years. The attackers hold some 328,000 domains: about 236,000 purchased outright and about 90,000 hijacked from compromised legitimate sites, plus the nearly 1,500 hijacked subdomains belonging to genuine organizations. Estimates put the cost of sustaining an operation of this size at between $725,000 and $17 million a year.

Mapped onto the MITRE ATT&CK framework, the reported tradecraft is: initial access through exploitation of public-facing web applications (T1190) against unpatched WordPress and PHP sites; persistence and command-and-control through GSocket, which gives the attackers an outbound, relay-based remote shell on each compromised server; and infrastructure built from both purchased domains (Acquire Infrastructure: Domains, T1583.001) and hijacked domains and subdomains (Compromise Infrastructure: Domains, T1584.001). The reporting describes the compromised servers being used to host gambling content; privilege escalation on those servers, or pivoting from them to other systems, is speculated but not documented.

As cyber threats evolve, business owners must keep reassessing their security posture. Understanding the methods used in operations like this one, in particular patching internet-facing web applications and auditing DNS records for abandoned cloud resources, helps organizations guard against similar intrusions.
