From gambling to government websites, the Asia-Pacific region is under attack by a new threat actor that has been spotted going after a wide range of targets to steal their data. Cybersecurity firm Group-IB says it took down the gang's command-and-control server but expects it to regroup.
Dubbed GambleForce by the firm, the gang uses structured query language (SQL) injection attacks, an old faithful in the cybercrime arsenal, to siphon off sensitive data. But what it does with that data, Group-IB's investigators have been unable to determine so far.
What does seem beyond doubt is that GambleForce is not picky when it comes to selecting targets. Two dozen entities in the government, gambling, retail, travel, and job-seeking sectors have found themselves in the firing line across Asia-Pacific countries, including Australia, China, India, and South Korea.
The group relies on open-source (that is, freely available) tools, together with the much-misused Cobalt Strike post-exploitation framework, and its intrusions are built around SQL injection: the attacker places SQL syntax inside an ordinary input field or URL parameter, and an application that splices that input straight into its query text, rather than binding it as a parameter, lets the database execute the attacker's statements, returning or altering data the application never meant to expose.
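The two stages Group-IB describes, listing the tables a database exposes and then pulling logins and password hashes out of it, can be reproduced against a deliberately vulnerable query. The following is an added example, not code from the article, from Group-IB or from the gang's own tooling; it builds a constructed in-memory SQLite database with a made-up users table, shows a query that concatenates user input (vulnerable) beside one that binds it as a parameter (hardened), and runs illustrative UNION-based payloads against both. The table layout and payload strings are assumptions for the demonstration.

```python
import hashlib
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: a small login/hash table standing in for the
    kind of user database the article says was exfiltrated. Not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)"
    )
    sample = [
        (1, "alice", hashlib.sha256(b"correct horse").hexdigest()),
        (2, "bob", hashlib.sha256(b"hunter2").hexdigest()),
    ]
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", sample)
    return conn


def search_vulnerable(conn: sqlite3.Connection, login: str) -> list:
    """VULNERABLE: the caller's input is spliced into the SQL text, so the
    database cannot tell the query's structure from the attacker's data."""
    sql = f"SELECT id, login FROM users WHERE login = '{login}'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, login: str) -> list:
    """HARDENED: the input is passed as a bound parameter and is only ever
    treated as a value, never as SQL syntax."""
    return conn.execute(
        "SELECT id, login FROM users WHERE login = ?", (login,)
    ).fetchall()


# Reconnaissance payload (assumed, for illustration): close the string literal,
# UNION the application's two-column query onto the schema catalogue to list
# table names, and comment out the trailing quote. This is the "lists of
# tables from accessible databases" step.
RECON_PAYLOAD = "' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"

# Exfiltration payload (assumed, for illustration): same trick, but pull every
# login and password hash out of the table discovered above.
DUMP_PAYLOAD = "' UNION SELECT login, pw_hash FROM users --"


def run_demo() -> dict:
    """Run both payloads against both query styles and return what leaked."""
    conn = build_demo_db()
    return {
        "vuln_tables": [row[0] for row in search_vulnerable(conn, RECON_PAYLOAD)],
        "vuln_dump": sorted(search_vulnerable(conn, DUMP_PAYLOAD)),
        "safe_tables": search_safe(conn, RECON_PAYLOAD),
        "safe_dump": search_safe(conn, DUMP_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Against the concatenated query, the recon payload returns the schema row for `users` and the dump payload returns every login paired with its hash; against the parameterized query both payloads return nothing, because the whole string is compared as a literal login value that matches no row. Hashed credentials dumped this way are still worth protecting, as an offline cracking run against weak passwords is the obvious next step for whoever holds them.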
Despite the basic nature of such attacks, GambleForce appears to have enjoyed some success since appearing on the scene in September, until Group-IB’s emergency response team knocked out its server and effectively disabled its operations.
“In some instances, the attackers stopped after performing reconnaissance,” added Group-IB. “In other cases, they successfully extracted user databases containing logins and hashed [i.e., protected] passwords, along with lists of tables from accessible databases.”
It added: “Rather than looking for specific data, the threat actor attempts to exfiltrate any available piece of information within targeted databases, such as hashed and plain text user credentials. What the group does with the stolen data remains unknown so far.”
Group-IB says it believes GambleForce will return before long to continue its campaign. It has already been spotted further afield during one attack on a target in Brazil that sought to exploit a vulnerability in the open-source content management system Joomla.
In that case, the cyberattack failed to extract any data, but Group-IB says it’s only a matter of time before the gang rearms.
“We believe that GambleForce is most likely to regroup and rebuild their infrastructure before long and launch new attacks,” it said.