
Emerging Hacker Group GambleForce Hitting Gambling and Other Sites Worldwide

The online gaming industry, as well as other sectors, has a new security threat to worry about. Cybersecurity firm Group-IB has uncovered a previously unknown threat group called GambleForce, which has been targeting websites in various industries across at least eight countries.


Group-IB detailed the operations in a press release today. It explained that GambleForce employs basic but effective techniques, such as SQL injection and the exploitation of vulnerable website content management systems, to steal sensitive information like user credentials.

The name GambleForce alludes to the group’s initial focus on gambling websites. However, it has expanded its attacks. Group-IB indicated that it has hit gambling, government, retail and travel websites in Australia, China, India, Indonesia, the Philippines, South Korea, Thailand and Brazil.

How GambleForce Operates

The cybersecurity firm’s threat intelligence team first identified GambleForce’s command and control (CnC) server in September. The server houses the group’s various hacking tools, including sqlmap, a popular open-source penetration testing tool for identifying and exploiting vulnerable database servers through SQL injections.

Group-IB’s Computer Emergency Response Team (CERT) successfully took down the CnC server and notified identified GambleForce victims. While it identified the target countries, the company didn’t name the specific victims of the attacks.

GambleForce relies solely on readily available open-source tools for initial access, reconnaissance and data exfiltration, along with Cobalt Strike, a penetration testing tool commonly used by hackers. The version of Cobalt Strike discovered on GambleForce’s server used Chinese-language commands, but Group-IB’s researchers caution that this alone is insufficient to determine the group’s origin.

Between September and December 2023, GambleForce targeted 24 organizations. Among these were travel websites in Australia and Indonesia, a retail website in Indonesia, a government website in the Philippines and a gambling site in South Korea.

The attack vectors vary, with one instance involving the exploitation of CVE-2023-23752. This, according to the National Institute of Standards and Technology, is a known vulnerability in the Joomla CMS (content management system) that allows hackers to bypass security restrictions.

Data from WebTribunal.net shows that over 2.5 million websites around the world use Joomla. Among these are Harvard University, Ikea, the UK’s National Crime Agency, the Swiss Federal Audit Office and others. A search of the CMSs in use by most major online gaming platforms didn’t identify any using Joomla.

Another example involved data extraction from website contact form submissions. This showcases GambleForce’s ability to exploit diverse entry points.

Many Questions Unresolved

The researchers found GambleForce’s data theft approach alarming, as it did not target specific information. Instead, the group attempted to extract all possible data from compromised databases, including both hashed and plain-text user credentials.

Group-IB is still investigating how the group uses or monetizes the stolen data. In some instances, GambleForce, either by design or because of a flaw, was only able to make a connection to the target without gaining access.

If this is by design, it could mean that the group is compiling a list of potential targets it wants to hit later. If it’s a flaw in the code, then GambleForce’s hackers are likely working on a fix, as well as a way to attack without being detected.

The post Emerging Hacker Group GambleForce Hitting Gambling and Other Sites Worldwide appeared first on Casino.org.
