New Hacker Group Uses SQL Injection to Hack Companies

A new threat actor has been discovered to be using SQL injection attacks to gain unauthorized access to organizations in the APAC region.

This threat actor has been named “GambleForce” and is using publicly available open-source instruments that are generally used by penetration testers.

The threat actor has targeted more than 20 websites, including government, gambling, retail, and travel sites in Australia, China, Indonesia, the Philippines, India, South Korea, Thailand, and Brazil. Among the 20, the threat actor successfully infiltrated six organizations with the legacy SQL injection attack.

Hacker Group Uses SQL Injection

In the case of the tool configurations, no unique modifications were found as the threat actors were using almost all the default settings of all the tools they used.

Some of the tools used by the threat actor include dirsearch, sqlmap, tinyproxy, redis-rogue-getshell, and Cobalt strike.

As an interesting factor, the threat actor used language-based “export” commands in 95 out of 750 commands they executed on each server. This means that the devices they compromise belong to a locale and this command is to ensure that the commands entered get executed without any errors.

Further steps used by the threat actor were loading a file from a remote source using a “wget” command. The remote server was hosted with supershell, a Chinese-language framework with a UI specifically used for creating and managing reverse shells.

*GambleForce Network Analysis (Source: Group-IB)*

Command and Control (C2)

Regarding the usage of Cobalt Strike, the threat actors made several modifications for launching their profile with the C2 domains such as Dns-supports[.]online and Windows.updates[.]wiki. However, the C2 servers used Chinese commands which could point to a fact about their origin.

Several IP addresses were also found to log in to the operator panel. In addition to this, the threat actor also used self-signed SSL certificates for using Cobalt Strike. These certificates mimicked “Microsec e-Szigno Root CA” and “Cloudflare”.

A complete report about this threat actor has been published which provides detailed information about the GambleForce threat actor, their attack methods, commands used, MITRE Framework, and other information.