Security researchers have warned of a new threat group targeting gambling, government, retail and travel websites to steal sensitive information including user credentials.
Group-IB named the threat actor “GambleForce” because its initial targets were in the online betting sector.
It has targeted at least 20 websites in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand and Brazil, and successfully compromised six.
GambleForce employs basic techniques to compromise these sites, including SQL injection and the exploitation of vulnerable content management system (CMS) software like Joomla.
It uses only open source tools for initial access, reconnaissance and data exfiltration, and also employs Cobalt Strike. Group-IB said it found a version of the pen testing software on the gang’s server which used commands in Chinese, although it claimed that this isn’t enough to link the group to a particular country.
Among the tools used by the group, and found by Group-IB on a command-and-control (C2) server, were dirsearch, redis-rogue-getshell, Tinyproxy and sqlmap – the latter being a penetration testing tool designed to scan for sites vulnerable to SQL injections.
GambleForce simply scans websites with sqlmap and then injects malicious SQL code which enables it to bypass default authentication and access sensitive data, the report noted.
It’s unclear how GambleForce monetizes the stolen information. However, Group-IB said it has already exfiltrated user databases containing logins and hashed passwords, as well as lists of main tables from accessible databases.
“Web injections are among the oldest and most popular attack vectors. And the reason is that sometimes developers overlook the importance of input security and data validation,” said Nikita Rostovcev, senior analyst at Group-IB’s Advanced Persistent Threat Research Team.
“Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”
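To make concrete the authentication bypass the report describes and the insecure coding practice Rostovcev refers to, here is an added example (not code from the article, Group-IB or the GambleForce toolset) that places a login check built by string concatenation beside the same check written with a parameterized query. The in-memory SQLite database, the user `alice` and the stored hash value are constructed for illustration only; a real application would look up the stored hash and verify the password with a proper password-hashing function in code rather than comparing hashes inside SQL.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash_of_alice_pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """Insecure form: user input is spliced into the SQL text, so quotes and
    operators supplied by the caller become part of the query itself."""
    query = (
        "SELECT username FROM users WHERE username = '" + username + "' "
        "AND password_hash = '" + password_hash + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password_hash):
    """Hardened form: the query text is fixed and the driver binds the values,
    so the input is compared as data and can never change the WHERE clause."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(query, (username, password_hash)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Legitimate credentials work in both versions.
    print(login_vulnerable(db, "alice", "hash_of_alice_pw"))      # returns 'alice'
    print(login_parameterized(db, "alice", "hash_of_alice_pw"))   # returns 'alice'
    # The textbook tautology input turns the concatenated WHERE clause into an
    # always-true condition; the bound-parameter version just sees a literal string.
    tautology = "' OR '1'='1"
    print(login_vulnerable(db, tautology, tautology))             # returns 'alice'
    print(login_parameterized(db, tautology, tautology))          # returns None
```

The difference is entirely in how the query is assembled: `login_vulnerable` lets the caller close the string literal and append an `OR` condition, while `login_parameterized` hands the same bytes to the driver as bound values. Rejecting or logging inputs that contain SQL metacharacters at the web tier is a useful detection signal for scanner traffic, but it is not a substitute for parameterization, which removes the defect rather than filtering for it.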