Security researchers have warned of a new threat group targeting gambling, government, retail and travel websites to steal sensitive information including user credentials.
It has targeted at least 20 websites in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand and Brazil, and successfully compromised six.
GambleForce employs fairly basic techniques to compromise these sites, including SQL injection and the exploitation of vulnerable content management system software like Joomla.
It uses only open source tools for initial access, reconnaissance and data exfiltration, and also employs Cobalt Strike.
Group-IB said it found a version of the pen testing software on the gang's server which used commands in Chinese, although it claimed that this isn't enough to link the group to a particular country.
Among the tools used by the group, and found by Group-IB on a command-and-control server, were dirsearch, redis-rogue-getshell, Tinyproxy and sqlmap - the latter being a penetration testing tool designed to scan for sites vulnerable to SQL injections.
GambleForce simply scans websites with sqlmap and then injects malicious SQL code which enables it to bypass default authentication and access sensitive data, the report noted.
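To make the authentication-bypass class concrete from the defender's side, here is an added example (not code from the article or from any site it mentions): a login check that splices user input into the SQL text, beside the parameterised form that keeps the query shape fixed. The user table, the SHA-256 hashing and the probe string are all constructed for the demonstration.

```python
import hashlib
import sqlite3


def seed_db() -> sqlite3.Connection:
    # Constructed sample data in an in-memory SQLite database. Passwords are
    # stored as unsalted SHA-256 digests only to mirror the "hashed passwords"
    # the article mentions; production code should use a slow, salted KDF.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("alice", hashlib.sha256(b"correct horse").hexdigest()))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Weak form: the username is concatenated into the statement, so a quote
    # character in it changes the query's structure instead of being compared.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND pw_hash = '" + pw_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Hardened form: placeholders are bound by the driver, so the same input is
    # treated purely as data and simply fails to match any row.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = seed_db()
    # Constructed probe: the trailing "--" turns the password clause into a
    # SQL comment in the concatenated query, which is exactly the defect the
    # parameterised version removes.
    probe = "alice' --"
    print("vulnerable:", login_vulnerable(db, probe, "wrong"))  # True
    print("hardened:  ", login_hardened(db, probe, "wrong"))    # False
```

The same two functions also illustrate what a web application firewall or code review should look for: any query string assembled with `+` or f-strings from request data.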
It's unclear how GambleForce monetizes the stolen information.
Group-IB said it has already exfiltrated user databases containing logins and hashed passwords, as well as lists of main tables from accessible databases.
This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 14 Dec 2023 10:00:16 +0000