Group-IB, a cybersecurity solutions company, uncovered a new threat actor named GambleForce, also known as EagleStrike GambleForce in Group-IB’s Threat Intelligence Platform.
Group-IB’s Threat Intelligence experts reveal that between September and December 2023, GambleForce targeted 24 organizations across eight countries, compromising six websites in Australia (travel), Indonesia (travel, retail), the Philippines (government), and South Korea (gambling).
According to Group-IB, since emerging in September 2023, GambleForce has targeted over 20 websites in the gambling, government, retail, and travel sectors in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand, and Brazil.
The group’s tactics, such as SQL injections and exploiting vulnerable content management systems (CMS), enabled the theft of sensitive data like user credentials. The name “GambleForce” stems from the gang’s initial focus on the gambling industry.

Publicly available data
Group-IB’s Threat Intelligence team detected GambleForce’s command and control server (CnC), which was subsequently taken down by the company’s Computer Emergency Response Team (CERT-GIB). Identified victims were notified so they could take immediate action. The CnC, discovered in September 2023, hosted tools such as dirsearch, redis-rogue-getshell, Tinyproxy, and sqlmap. The latter is an open-source pen-testing tool that exploits SQL injection vulnerabilities, allowing illicit access to sensitive data through SQL code injected into web pages.
According to Group-IB, GambleForce relies solely on publicly available open-source tools for initial access, reconnaissance, and data extraction. The group also used Cobalt Strike, a popular pen-testing framework; the copy found on its server used commands in Chinese.
“However, this detail alone isn’t conclusive in attributing the group’s origin,” Group-IB said.