New 'GambleForce' Threat Actor Behind String of SQL Injection Attacks
The fresh-faced cybercrime group has been using nothing but publicly available penetration testing tools in its campaign so far.
December 14, 2023
Researchers have spotted a new threat actor targeting organizations in the Asia-Pacific region with SQL injection attacks using nothing more than publicly available, open source penetration-testing tools.
Threat hunters at Group-IB first spotted the new group in September, targeting gambling companies in the region and named it "GambleForce." In the three months since, the group has targeted organizations in several other sectors, including government, retail, travel, and job websites.
The GambleForce Campaign
In a report this week, Group-IB said it has so far observed GambleForce attacks on at least two dozen organizations across Australia, Indonesia, Philippines, India, and South Korea. "In some instances, the attackers stopped after performing reconnaissance," Group-IB senior threat analyst Nikita Rostovcev wrote. "In other cases, they successfully extracted user databases containing logins and hashed passwords, along with lists of tables from accessible databases."
SQL injection attacks are exploits where a threat actor executes unauthorized actions — such as retrieving, modifying, or deleting data — in a Web application database by taking advantage of vulnerabilities that allow malicious statements to be inserted into input fields and parameters that the database processes. SQL injection vulnerabilities remain one of the most common Web application vulnerabilities and accounted for 33% of all discovered Web application flaws in 2022.
"SQL attacks persist because they are simple by nature," Group-IB said. "Companies often overlook how critical input security and data validation are, which leads to vulnerable coding practices, outdated software, and improper database settings," Rostovcev said.
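To make the injection mechanism described above concrete, here is an added Python example (not code from Group-IB's report or from the threat actor's toolkit; the users table and its rows are constructed) showing a lookup that concatenates user input into a SQL statement beside the parameterized form that closes the hole.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a minimal users table holding logins and
    hashed passwords, the kind of table the report says was exfiltrated."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "hash-of-alice"), ("bob", "hash-of-bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    # Vulnerable pattern: the untrusted value is spliced into the SQL text,
    # so a quote character in the input changes the structure of the query.
    sql = f"SELECT login, password_hash FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, login: str) -> list:
    # Fix: a bound parameter is passed to the driver separately from the
    # statement, so the input is only ever compared as a literal value.
    sql = "SELECT login, password_hash FROM users WHERE login = ?"
    return conn.execute(sql, (login,)).fetchall()


def demo() -> dict:
    """Run both lookups on a normal login and on a tautology input and
    report the row counts, so the difference in exposure is visible."""
    conn = build_demo_db()
    tainted = "x' OR '1'='1"  # constructed: always-true condition appended
    return {
        "vulnerable_normal": len(lookup_vulnerable(conn, "alice")),
        "vulnerable_tainted": len(lookup_vulnerable(conn, tainted)),
        "parameterized_normal": len(lookup_parameterized(conn, "alice")),
        "parameterized_tainted": len(lookup_parameterized(conn, tainted)),
    }


if __name__ == "__main__":
    print(demo())
```

Input validation is a second layer on top of this, but parameterization is the control that stops the statement's structure from being altered in the first place.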
What makes GambleForce's campaign noteworthy against this background is the threat actor's reliance on publicly available penetration testing software to carry out these attacks. When Group-IB's analysts recently analyzed tools hosted on the threat actor's command-and-control (C2) server, they couldn't find a single custom tool. Instead, all the attack weapons on the server were publicly available software utilities that the threat actor appears to have specifically selected for executing SQL injection attacks.
Publicly Available Pen-Testing Tools
The list of tools that Group-IB discovered on the C2 server included dirsearch, a tool for discovering hidden files and directories on a system; redis-rogue-getshell, a tool that enables remote code execution on Redis installations; and sqlmap, for finding and exploiting SQL vulnerabilities in an environment. Group-IB also discovered GambleForce using the popular open source pen-testing tool Cobalt Strike for post-compromise operations.
The Cobalt Strike version discovered on the C2 server used Chinese commands. But that alone is not evidence of the threat group's origin country, the security vendor said. Another hint about the threat group's potential home base was the C2 server loading a file from a source that hosted a Chinese-language framework for creating and managing reverse shells on compromised systems.
According to Group-IB, available telemetry suggests that GambleForce actors are not looking for any specific data when attacking and extracting data from compromised Web application databases. Instead, the threat actor has been attempting to exfiltrate whatever data it can lay its hands on, including plaintext and hashed user credentials. However, it's unclear how exactly the threat actor might be using the exfiltrated data, the security vendor said.
Group-IB researchers took down the threat actor's C2 server soon after discovering it. "Nonetheless, we believe that GambleForce is most likely to regroup and rebuild their infrastructure before long and launch new attacks," Rostovcev said.