New hacker group GambleForce targets government and gambling sites in Asia Pacific using SQL injections

Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, has discovered a previously unknown threat actor codenamed GambleForce (tracked under the name EagleStrike GambleForce in Group-IB’s Threat Intelligence Platform). Group-IB’s Threat Intelligence unit can confirm that, since emerging in September 2023, the group has targeted more than 20 gambling, government, retail and travel websites in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand, and Brazil. GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials. The name, GambleForce, was coined due to the group’s initial targets being from the gambling industry.

GambleForce’s command and control server (CnC), which was discovered by Group-IB’s Threat Intelligence team, was taken down by the company’s Computer Emergency Response Team (CERT-GIB). Additionally, Group-IB has issued notifications to the identified victims.

GambleForce’s CnC was initially discovered in September 2023. The server housed the gang’s tools, such as dirsearch, redis-rogue-getshell, Tinyproxy, and sqlmap. The latter is a popular open-source pentesting tool designed to identify database servers vulnerable to SQL injections and exploit them. Threat actors inject malicious SQL code into a public-facing web page, which allows them to bypass default authentication and access sensitive data.

Notably, the gang relies exclusively on publicly available open-source tools for initial access, reconnaissance, and data exfiltration. GambleForce utilized another popular pentesting framework, Cobalt Strike. The version of Cobalt Strike discovered on the gang’s server used commands in Chinese. However, this fact alone is not enough to attribute the group’s origin.
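The report notes that sqlmap and similar tooling probe public-facing pages with crafted SQL fragments before any data is taken, which means the reconnaissance stage leaves traces in ordinary web server access logs. The following is an added example, not code from Group-IB or from the report, showing how a defender can parse common-format access log lines and flag the request shapes such probing produces (tautologies, UNION SELECT, comment terminators, timing functions, schema-table names) together with a tool-identifying User-Agent. The log lines, IP addresses and the sqlmap version string in the User-Agent are constructed for the example; the signature names and the `analyze`/`per_source_counts` helpers are this example’s own, not an API of any product.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines in common/combined format (not data from the report).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges; the sqlmap version is a placeholder.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /news.php?id=12%27%20AND%201%3D1 HTTP/1.1" 200 5120 "-" "sqlmap/1.x#stable (https://sqlmap.org)"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /news.php?id=12%20UNION%20ALL%20SELECT%20NULL%2CNULL-- HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /contact.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Heuristic signatures applied to the URL-decoded request target. Names are this example's own.
# They trade some false positives (a search box containing "and 1=1") for simplicity; tune per site.
SQLI_SIGNATURES = [
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("tautology", re.compile(r"['\"]?\s*(and|or)\s+['\"\d]+\s*=\s*['\"\d]+", re.I)),
    ("comment-terminator", re.compile(r"(--|#|/\*)")),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b\s*\(?", re.I)),
    ("schema-enum", re.compile(r"\b(information_schema|sqlite_master|sysobjects)\b", re.I)),
]
# sqlmap identifies itself in its default User-Agent unless the operator overrides it.
TOOL_UA = re.compile(r"sqlmap", re.I)


def parse_line(line):
    """Parse one access log line; return a dict with the decoded target, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %xx and '+' so signatures see the same text the application saw.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(rec):
    """Return the list of signature names that fire on one parsed record."""
    hits = [name for name, rx in SQLI_SIGNATURES if rx.search(rec["decoded"])]
    if TOOL_UA.search(rec["ua"]):
        hits.append("sqlmap-user-agent")
    return hits


def analyze(log_text):
    """Return one finding per log line that triggers at least one signature."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"ip": rec["ip"], "target": rec["decoded"],
                             "status": rec["status"], "hits": hits})
    return findings


def per_source_counts(findings):
    """Count flagged requests per source IP; a burst from one address is the sqlmap pattern."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], f["status"], f["hits"], f["target"])
    print(per_source_counts(analyze(SAMPLE_LOG)))
```

Run against the constructed lines, the script flags the second and third requests from 203.0.113.5 and leaves the two ordinary requests alone. The status code is kept in each finding because a 500 on a crafted parameter (as in the third line) is a stronger signal than a 200: it often means the injected fragment reached the database and broke the query.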

According to Group-IB Threat Intelligence experts, between September 2023 and December 2023, GambleForce targeted 24 organizations in 8 countries. The gang was able to successfully compromise 6 websites from Australia (travel), Indonesia (travel, retail), the Philippines (government), and South Korea (gambling).


Figure 1. Distribution of GambleForce’s targets by industries and countries. Source: Group-IB Threat Intelligence

In some attacks, GambleForce stopped at the reconnaissance stage, failing to download the data. In six attacks, the threat actor managed to obtain user databases containing logins, hashed passwords, as well as lists of main tables from accessible databases. In almost all known attacks, GambleForce abused public-facing applications of victims by exploiting SQL injections. In one attack in Brazil, the attackers exploited CVE-2023-23752, a vulnerability in the Joomla CMS that allows threat actors to bypass security restrictions. In another attack, the threat actor managed to exfiltrate the data from requests submitted via the website’s contact form.

Rather than looking for specific data, the threat actor attempts to exfiltrate every possible piece of information within targeted databases, such as hashed and plaintext user credentials. Group-IB’s Threat Intelligence unit has not observed how GambleForce exploits the stolen information and continues tracking the group.

“Web injections are among the oldest and most popular attack vectors. And the reason is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”

Nikita Rostovcev

Senior Analyst at the Advanced Persistent Threat Research Team, Group-IB
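Both the description of the technique (malicious SQL placed into a page’s input to bypass authentication and read data) and the quote above about insecure coding practices come down to one defect: user input spliced into the SQL text. The following is an added example, not code from Group-IB or from the report, that puts the vulnerable login query beside its parameterized form on a constructed in-memory SQLite table, so the difference can be run rather than described. The table, the user “alice”, the password and the `login_vulnerable`/`login_safe` function names are all this example’s own; SHA-256 is used only to keep the example short, and a production login would use a slow salted password hash.

```python
import hashlib
import hmac
import sqlite3


def make_db():
    """Constructed in-memory user table (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Unsalted SHA-256 keeps the example short; real code uses a slow salted KDF.
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Insecure: the username is concatenated into the SQL text, so a quote in it
    changes the query's structure instead of being compared as data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = (f"SELECT username FROM users "
             f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    row = conn.execute(query).fetchone()
    return row is not None


def login_safe(conn, username, password):
    """Hardened: the driver sends the username as a bound parameter, never as SQL text,
    and the password check is a constant-time comparison in application code."""
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(row[0], pw_hash)


if __name__ == "__main__":
    conn = make_db()
    # A username ending in a quote and a comment marker truncates the vulnerable query
    # before the password clause; the parameterized query treats it as a literal string.
    probe = "alice' --"
    print("vulnerable, correct password:", login_vulnerable(conn, "alice", "correct horse"))
    print("vulnerable, injected username:", login_vulnerable(conn, probe, "wrong"))
    print("safe, correct password:      ", login_safe(conn, "alice", "correct horse"))
    print("safe, injected username:     ", login_safe(conn, probe, "wrong"))
```

The fix is not input filtering but parameterization: once the database receives the SQL text and the values separately, no content of `username` can alter the statement. The same change also covers the report’s second observation, that the group dumps whole databases: a bound parameter cannot be turned into a `UNION` that reads other tables, and pairing it with a database account limited to the tables the page actually needs bounds what a remaining defect elsewhere could expose.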

Visit Group-IB’s latest blog post to delve deeper into the group’s modus operandi and toolset, acquire the list of indicators of compromise (IOCs), and find recommendations on how to defend against GambleForce.


About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been revered by leading advisory and analyst agencies such as Aite Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.