GambleForce hacker group attacks gambling and other websites worldwide

Cybersecurity experts have discovered a new hacking group called GambleForce that is attacking online gambling sites and other websites.

SymClub
Apr 8, 2024

Cybersecurity firm Group-IB has discovered a previously unknown threat group called GambleForce that is targeting websites across a variety of industries in at least eight countries.

Group-IB detailed the events in a press release issued on Thursday. The group explained that GambleForce uses basic but effective techniques such as SQL injection and exploits vulnerable website content management systems to steal sensitive information such as user credentials.

The name GambleForce hints at the group's original focus on gambling sites. However, the gang's attacks have since expanded. According to Group-IB, its targets already include gaming, government, retail and travel websites in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand and Brazil.

GambleForce's command and control (CnC) servers were first identified by the cybersecurity firm's threat intelligence team in September. The server hosts the group's hacking tools, including sqlmap, a popular open source penetration testing tool used to identify and exploit vulnerable database servers through SQL injection.

Group-IB's Computer Emergency Response Team (CERT) successfully shut down the CnC server and notified the identified GambleForce victims. The company identified the target countries but did not disclose any specific victims of the attacks.

How GambleForce works

GambleForce relies entirely on open source tools for initial access, reconnaissance and data exfiltration, as well as Cobalt Strike, penetration testing software commonly used by hackers. The version of Cobalt Strike found on GambleForce servers uses Chinese commands, but Group-IB researchers note that this alone is not enough to determine the group's origins.

Between September and December 2023, GambleForce attacked 24 organizations. These include travel sites in Australia and Indonesia, retail sites in Indonesia, government sites in the Philippines and gambling sites in South Korea.

Attack vectors vary, with one case exploiting CVE-2023-23752. According to the National Institute of Standards and Technology, this is a known vulnerability in the Joomla CMS (content management system) that allows hackers to bypass security restrictions.

According to WebTribunal.net, Joomla is used by more than 2.5 million websites worldwide. These include Harvard University, IKEA, the UK's National Crime Agency and the Swiss Federal Audit Office. A search of the CMSs used by most major online gaming platforms did not turn up any that use Joomla.

Another example is extracting data from contact form submissions on websites. This shows GambleForce's ability to exploit a variety of entry points.

Unresolved issues

Researchers found GambleForce's method of data theft to be alarming because it did not target specific information. Instead, the group attempted to extract all possible data from the compromised database, including hashed and plain text user credentials.

Group-IB is still investigating how the group used or monetized the stolen data. In some cases, whether due to its design or a bug, GambleForce can only connect to a target but not gain access.

If this is intentional, it could mean the group is creating a list of potential targets to attack later. If this is a bug in the code, GambleForce hackers may be working on a solution and a way to attack without detection.

Source: www.casino.org