New GambleForce Threat Actor Behind String of SQL Injection Attacks

Published: 23/11/2024   Category: security




The fresh-faced cybercrime group has been using nothing but publicly available penetration testing tools in its campaign so far.



Researchers have spotted a new threat actor targeting organizations in the Asia-Pacific region with SQL injection attacks using nothing more than publicly available, open source penetration-testing tools.
Threat hunters at Group-IB first spotted the new group in September, targeting gambling companies in the region and named it GambleForce. In the three months since, the group has targeted organizations in several other sectors, including government, retail, travel, and job websites.
In a report this week, Group-IB said it has so far observed GambleForce attacks on at least two dozen organizations across Australia, Indonesia, the Philippines, India, and South Korea. In some instances, the attackers stopped after performing reconnaissance, Group-IB senior threat analyst Nikita Rostovcev wrote. In other cases, they successfully extracted user databases containing logins and hashed passwords, along with lists of tables from accessible databases.
SQL injection attacks are exploits in which a threat actor executes unauthorized actions (such as retrieving, modifying, or deleting data) in a Web application's database by taking advantage of vulnerabilities that allow malicious statements to be inserted into input fields and parameters that the database processes. SQL injection vulnerabilities remain one of the most common Web application vulnerabilities and accounted for 33% of all discovered Web application flaws in 2022.
SQL attacks persist because they are simple by nature, Group-IB said. Companies often overlook how critical input security and data validation are, which leads to vulnerable coding practices, outdated software, and improper database settings, Rostovcev said.
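As an added illustration (not code from the Group-IB report or this article), the coding defect described above in Python against an in-memory SQLite table of constructed sample users: the same login lookup written once by pasting input into the SQL text and once with a bound parameter. The table, column names and placeholder hashes are assumptions for the demonstration.

```python
"""Vulnerable vs. parameterized lookup against a constructed SQLite users table."""
import sqlite3

# Constructed sample data: logins with placeholder hashed passwords, the kind of
# user table the article says GambleForce extracted.
SAMPLE_USERS = [
    ("alice", "sha256$placeholder-hash-1"),
    ("bob", "sha256$placeholder-hash-2"),
    ("carol", "sha256$placeholder-hash-3"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with a users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, login: str) -> list[tuple[str, str]]:
    """VULNERABLE: user input is pasted into the SQL text, so quotes in
    the input change the statement's structure instead of its data."""
    query = f"SELECT login, pw_hash FROM users WHERE login = '{login}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, login: str) -> list[tuple[str, str]]:
    """HARDENED: a bound parameter is always treated as one string literal,
    never as SQL syntax, so the statement's structure cannot be altered."""
    return conn.execute(
        "SELECT login, pw_hash FROM users WHERE login = ?", (login,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A normal login behaves the same either way.
    print(lookup_vulnerable(db, "alice"))
    print(lookup_safe(db, "alice"))
    # The textbook tautology input: the vulnerable query returns every row,
    # the parameterized one simply finds no such login.
    crafted = "x' OR '1'='1"
    print(lookup_vulnerable(db, crafted))  # all 3 rows
    print(lookup_safe(db, crafted))        # []
```

The defensive point is that validation alone does not fix the vulnerable function; separating the statement from its data (parameterization) does, and that separation is what the article's "vulnerable coding practices" lack.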
What makes GambleForce's campaign noteworthy against this background is the threat actor's reliance on publicly available penetration-testing software to carry out these attacks. When Group-IB's analysts recently analyzed the tools hosted on the threat actor's command-and-control (C2) server, they couldn't find a single custom tool. Instead, every attack tool on the server was a publicly available software utility that the threat actor appears to have specifically selected for executing SQL injection attacks.
The list of tools that Group-IB discovered on the C2 server included dirsearch, a tool for discovering hidden files and directories on a system; redis-rogue-getshell, a tool that enables remote code execution on Redis installations; and sqlmap, for finding and exploiting SQL vulnerabilities in an environment. Group-IB also discovered GambleForce using the popular open source pen-testing tool Cobalt Strike for post-compromise operations.
The Cobalt Strike version discovered on the C2 server used Chinese commands. But that alone is not evidence of the threat group's country of origin, the security vendor said. Another hint about the threat group's potential home base was the C2 server loading a file from a source that hosted a Chinese-language framework for creating and managing reverse shells on compromised systems.
According to Group-IB, available telemetry suggests that GambleForce actors are not looking for any specific data when attacking and extracting data from compromised Web application databases. Instead, the threat actor has been attempting to exfiltrate whatever data it can lay its hands on, including plaintext and hashed user credentials. However, it's unclear how exactly the threat actor might be using the exfiltrated data, the security vendor said.
Group-IB researchers took down the threat actor's C2 server soon after discovering it. "Nonetheless, we believe that GambleForce is most likely to regroup and rebuild their infrastructure before long and launch new attacks," Rostovcev said.
