Researchers have spotted a new threat actor targeting organizations in the Asia-Pacific region with SQL injection attacks using nothing more than publicly available, open source penetration-testing tools.
The GambleForce Campaign
In a report this week, Group-IB said it has so far observed GambleForce attacks on at least two dozen organizations across Australia, Indonesia, Philippines, India, and South Korea.
SQL injection attacks are exploits in which a threat actor executes unauthorized actions - such as retrieving, modifying, or deleting data - in a Web application database by taking advantage of vulnerabilities that allow malicious statements to be inserted into input fields and parameters that the database processes.
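To make that mechanism concrete, here is an added example (not from the Group-IB report) that sends the same input to a string-built query and to a parameterized one against an in-memory SQLite table with constructed sample rows:

```python
import sqlite3

# Constructed sample data standing in for a Web application's user table
# (hypothetical usernames and hash placeholders, not from the report).
SAMPLE_USERS = [
    ("alice", "pbkdf2$placeholder-hash-1"),
    ("bob", "pbkdf2$placeholder-hash-2"),
    ("carol", "pbkdf2$placeholder-hash-3"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # The input is spliced into the statement text, so any SQL
    # metacharacters it carries are parsed by the database as SQL.
    sql = f"SELECT username, password_hash FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The statement is fixed; the input is bound as a value and only ever
    # compared against the column, never parsed as part of the query.
    sql = "SELECT username, password_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = build_db()
    benign = "alice"
    # Textbook tautology input: it closes the quoted literal and appends an
    # always-true condition, so the string-built query matches every row.
    hostile = "' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_parameterized(conn, benign),
        "safe_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {len(rows)} row(s)")
```

The string-built lookup hands back all three credential rows for the hostile input, which is exactly the kind of bulk credential dump described later in the article, while the parameterized lookup returns nothing because no username equals that literal string.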
SQL injection vulnerabilities remain one of the most common Web application vulnerabilities and accounted for 33% of all discovered Web application flaws in 2022.
What makes GambleForce's campaign noteworthy against this background is the threat actor's reliance on publicly available penetration testing software to carry out these attacks.
When Group-IB's analysts recently analyzed tools hosted on the threat actor's command-and-control server, they couldn't find a single custom tool.
Instead, all the attack weapons on the server were publicly available software utilities that the threat actor appears to have specifically selected for executing SQL injection attacks.
Publicly Available Pen-Testing Tools
The list of tools that Group-IB discovered on the C2 server included dirsearch, a tool for discovering hidden files and directories on a system; redis-rogue-getshell, a tool that enables remote code execution on Redis installations; and sqlmap, for finding and exploiting SQL vulnerabilities in an environment.
Group-IB also discovered GambleForce using the popular open source pen-testing tool Cobalt Strike for post-compromise operations.
The Cobalt Strike version discovered on the C2 server used Chinese commands.
That alone is not evidence of the threat group's origin country, the security vendor said.
Another hint about the threat group's potential home base was the C2 server loading a file from a source that hosted a Chinese-language framework for creating and managing reverse shells on compromised systems.
According to Group-IB, available telemetry suggests that GambleForce actors are not looking for any specific data when attacking and extracting data from compromised Web application databases.
Instead, the threat actor has been attempting to exfiltrate whatever data it can lay its hands on, including plaintext and hashed user credentials.
It's unclear how exactly the threat actor might be using the exfiltrated data, the security vendor said.
Group-IB researchers took down the threat actor's C2 server soon after discovering it.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 14 Dec 2023 22:15:36 +0000