A new threat actor, tracked as GambleForce, has been discovered using SQL injection attacks to gain unauthorized access to organizations in the APAC region.
Of the 20 organizations targeted, six were successfully infiltrated with the legacy SQL injection attack.
No unique modifications were found in the tool configurations: the threat actor ran almost all of its tools with their default settings.
The tools used by the threat actor include dirsearch, sqlmap, tinyproxy, redis-rogue-getshell, and Cobalt Strike.
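Because the actor ran off-the-shelf tooling with default settings, the two observable signals are the SQL injection payloads themselves and the default client fingerprints the tools leave behind. The following is an added example, not code from the article or from the report it summarizes: a small scanner for combined-format web access logs that flags common SQL injection payload shapes after URL-decoding the request target, and separately flags requests carrying sqlmap's default User-Agent header, which begins with "sqlmap/". The log lines are constructed for this example; dirsearch is not fingerprinted here because the page does not state what its default User-Agent is.

```python
"""Flag access-log requests that look like default-configuration SQL injection tooling.

Added example for illustration; the log lines in SAMPLE_LOG are constructed, not
taken from any real incident.
"""
import re
from urllib.parse import unquote_plus

# Apache/Nginx combined log format:
# ip - - [time] "METHOD target proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Payload shapes, matched against the decoded, lower-cased request target.
SQLI_SIGNALS = [
    ("union_select", re.compile(r"\bunion\b(?:\s+all)?\s+select\b")),
    ("tautology", re.compile(r"\b(?:or|and)\s+\d+\s*=\s*\d+")),
    ("comment_terminator", re.compile(r"(?:'|\d)\s*--")),
    ("time_based", re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop|exec)\b")),
]

# sqlmap's default User-Agent starts with "sqlmap/"; operators who keep default
# settings (as the article describes) do not override it.
DEFAULT_TOOL_UA = {"sqlmap": "sqlmap/"}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_target(target):
    """URL-decode repeatedly (max 3 rounds) so double-encoded payloads become visible."""
    prev, cur = None, target
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()


def analyze(line):
    """Return a finding dict for a suspicious request, or None for benign/unparseable lines."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = decode_target(rec["target"])
    signals = [name for name, rx in SQLI_SIGNALS if rx.search(decoded)]
    tool = next((t for t, prefix in DEFAULT_TOOL_UA.items() if rec["ua"].startswith(prefix)), None)
    if not signals and tool is None:
        return None
    return {
        "ip": rec["ip"],
        "time": rec["time"],
        "status": int(rec["status"]),
        "target": decoded,
        "signals": signals,
        "tool": tool,
    }


def scan(lines):
    """Run analyze() over every line and keep only the findings."""
    return [hit for hit in map(analyze, lines) if hit is not None]


# Constructed sample log: one benign request, one sqlmap probe with no payload yet,
# one sqlmap UNION payload, one hand-typed tautology, one time-based probe, one junk line.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Dec/2023:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [12/Dec/2023:10:01:04 +0000] "GET /products?id=42 HTTP/1.1" 200 1532 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"',
    '198.51.100.7 - - [12/Dec/2023:10:01:05 +0000] "GET /products?id=42%27%20UNION%20ALL%20SELECT%20NULL%2CNULL--%20- HTTP/1.1" 500 0 "-" "sqlmap/1.7.11#stable (https://sqlmap.org)"',
    '198.51.100.9 - - [12/Dec/2023:10:02:11 +0000] "GET /login?user=admin%27%20OR%201%3D1--%20&pass=x HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [12/Dec/2023:10:02:30 +0000] "GET /item?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["time"]} status={hit["status"]} tool={hit["tool"]} '
              f'signals={",".join(hit["signals"]) or "-"} target={hit["target"]}')
```

The payload patterns are deliberately narrow: the point of the example is correlating a payload signal with a default-tool fingerprint per source IP, not replacing a WAF. In production, pivot on the source IP of any "tool" hit to pull its full request history, since the probe requests that precede the payload are the earliest indicator.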
This indicates that the compromised devices use a specific locale, and this command ensures that the commands entered are executed without errors.
The remote server was hosted with Supershell, a Chinese-language framework with a UI used specifically for creating and managing reverse shells.
For Cobalt Strike, the threat actors made several modifications to the profile they launched with, using C2 domains such as Dns-supports[.
The C2 servers used Chinese-language commands, which may point to the actor's origin.
Several IP addresses were also observed logging in to the operator panel.
In addition, the threat actor used self-signed SSL certificates for its Cobalt Strike servers.
A complete report on this threat actor has been published, providing detailed information about GambleForce, its attack methods, the commands used, a MITRE ATT&CK mapping, and other information.
This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 15 Dec 2023 11:10:04 +0000