GambleForce Hacker Group Hitting Gambling and Other Sites Worldwide
Posted on: December 14, 2023, 06:47h.
Last updated on: December 17, 2023, 05:14h.
Cybersecurity firm Group-IB has uncovered a previously unknown threat group called GambleForce, which has been targeting websites in various industries across at least eight countries.
Group-IB detailed the operations in a press release issued Thursday. The organization explained that GambleForce employs basic but effective techniques like SQL injections and exploiting vulnerable website content management systems to steal sensitive information like user credentials.
The name GambleForce alludes to the group’s initial focus on gambling websites. However, the criminal group has reportedly expanded its attacks. Group-IB has hit gambling, government, retail, and travel websites in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand and Brazil.
In September, the cybersecurity firm’s threat intelligence team first identified GambleForce’s command and control (CnC) server. The server houses the group’s hacking tools, including sqlmap, a popular open-source penetration testing tool for identifying and exploiting vulnerable database servers through SQL injections.
Group-IB’s Computer Emergency Response Team (CERT) successfully took down the CnC server and notified identified GambleForce victims. While it identified the target countries, the company didn’t name the specific victims of the attacks.
How GambleForce Operates
GambleForce relies solely on open-source tools for initial access, reconnaissance, and data exfiltration, along with Cobalt Strike, a penetration testing software commonly used by hackers. The version of Cobalt Strike discovered on GambleForce’s server utilized Chinese language commands, but Group-IB’s researchers caution that this alone is insufficient to determine the group’s origin.
Between September and December 2023, GambleForce targeted 24 organizations. Among these were travel websites in Australia and Indonesia, a retail website in Indonesia, a government website in the Philippines, and a gambling site in South Korea.
The attack vectors vary, with one instance involving the exploitation of CVE-2023-23752. According to the National Institute of Standards and Technology, this is a known vulnerability in the Joomla CMS (content management system) that allows hackers to bypass security restrictions.
Data from WebTribunal.net shows that more than 2.5 million websites worldwide use Joomla. Among these are Harvard University, Ikea, the UK’s National Crime Agency, and the Swiss Federal Audit Office. A search on the CMS used by most major online gaming platforms didn’t identify one using Joomla.
Another example involved data extraction from website contact form submissions. This showcases GambleForce’s ability to exploit diverse entry points.
Questions Unresolved
Researchers found GambleForce’s data theft approach alarming, as it didn’t target specific information. Instead, the group attempted to extract all possible data from compromised databases, including both hashed and plain-text user credentials.
Group-IB is still investigating how the group utilizes or monetizes the stolen data. In some instances, GambleForce, either by design or flaw, could only connect to the target without gaining entrance.
If this is by design, it could mean that the group is compiling a list of potential targets it wants to hit later. If it’s a flaw in the code, then GambleForce’s hackers are likely working on a fix and a way to attack without being detected.
No comments yet