Hackers Keep Winning by Gambling on SQL Injection Exploits
Gambling and Retail Firms Are Top Targets of 'GambleForce' Group, Researchers Warn

A never-before-seen group of hackers has been hitting businesses and government agencies using a less-than-novel tactic: exploiting SQL injection flaws.
So warns cybersecurity firm Group-IB, which in September detected and gained access to a command-and-control server being used by a group it has given the codename GambleForce, on account of it regularly targeting gambling firms, among other types of organizations.
The attackers appear to employ a number of free tools, including the open-source penetration testing tool sqlmap, to "inject malicious SQL code into a public-facing web page, which allows them to bypass default authentication and access sensitive data," a new report from Group-IB says.
Out of 24 attack attempts recorded by the tools hosted on the attackers' command-and-control server, in six cases attackers "managed to obtain user databases containing logins, hashed passwords, as well as lists of main tables from accessible databases," the report says. "Rather than looking for specific data, the threat actor attempts to exfiltrate every possible piece of information within targeted databases, such as hashed and plaintext user credentials."
While the group has targeted organizations in Brazil, Group-IB researchers said the attackers appear to focus on the Asia-Pacific region, where its six victims included a travel firm in Australia, travel and retail firms in Indonesia, a government agency in the Philippines and a South Korean gambling concern. They found the group also had targeted other organizations in those countries, as well as in China, India and Thailand.
The researchers said they don't know how the attackers might be using the stolen information. They directly notified all victims and knocked the attackers' command-and-control server offline, although they said it's likely the attackers will simply "rebuild the infrastructure."
Beyond sqlmap, researchers said the group uses tools - often in their default configuration - that include the brute-force directory and file attack tool dirsearch, the redis-rogue-getshell Python script to gain root access to Redis databases, the HTTP and HTTPS proxy daemon Tinyproxy, and the legitimate penetration testing framework Cobalt Strike, which many attackers repurpose to maintain remote, persistent control of compromised endpoints (see: Block This Now: Cobalt Strike and Other Red-Team Tools).
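The report's observation that the tools were run in their default configuration matters for defenders, because default configurations leave recognizable traces in web server logs. The following is an added example, not code from Group-IB's report, showing a small detector run over constructed access-log lines in combined log format. It assumes two things: that sqlmap's default User-Agent header begins with the string `sqlmap/` (true of stock sqlmap, and trivially changed by an operator, so this only catches default-configuration runs), and that a request's query string, once URL-decoded, containing classic SQL tautology or UNION SELECT fragments is worth flagging for review. The log lines, IP addresses and paths are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format); not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2023:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Dec/2023:10:00:02 +0000] "GET /products?id=42%27%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.7 (https://sqlmap.org)"
203.0.113.9 - - [12/Dec/2023:10:00:03 +0000] "GET /products?id=42%20UNION%20SELECT%20NULL HTTP/1.1" 500 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "method path protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Patterns applied to the URL-decoded path; each is paired with a human-readable reason.
SQLI_PATTERNS = [
    (re.compile(r"'\s*(and|or)\s+\S+\s*=", re.I), "quote followed by boolean tautology"),
    (re.compile(r"\bunion\s+select\b", re.I), "UNION SELECT in query string"),
    (re.compile(r";\s*(drop|alter)\b", re.I), "stacked DDL statement"),
]


def classify(line: str):
    """Parse one log line and return a dict with the reasons it looks suspicious (possibly none)."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line; a real pipeline would count these separately
    reasons = []
    if m["ua"].lower().startswith("sqlmap/"):
        reasons.append("sqlmap default User-Agent")
    decoded = unquote_plus(m["path"])  # decode %27, %20, '+' etc. before matching
    for pattern, reason in SQLI_PATTERNS:
        if pattern.search(decoded):
            reasons.append(reason)
    return {"ip": m["ip"], "ts": m["ts"], "path": decoded, "status": m["status"], "reasons": reasons}


def find_suspicious(log_text: str):
    """Return the parsed records that triggered at least one reason, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = classify(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_suspicious(SAMPLE_LOG):
        print(rec["ip"], rec["status"], rec["path"], "->", "; ".join(rec["reasons"]))
```

The User-Agent check is the cheap, high-confidence signal for a default-configuration run; the decoded-query patterns are noisier and better treated as triage hints than alerts on their own. Correlating the two by source address, as the second and third constructed lines show, is usually what turns a hint into a finding.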
"The version of Cobalt Strike discovered on the gang's server used commands in Chinese, but this fact alone is not enough to attribute the group's origin," Nikita Rostovcev, a senior threat analyst at Group-IB, said in the report.
Victims being popped via SQL injection attacks is a reminder that application security so often is déjà vu all over again. Twenty years ago, injection attacks ranked sixth on the inaugural Open Worldwide Application Security Project's top 10 list of web application security concerns. In 2021, injection attacks ranked third, following broken access controls and cryptographic failures.
Applications may be vulnerable to injection - aka insertion - attacks for a variety of reasons, including when "user-supplied data is not validated, filtered or sanitized by the application," OWASP said.
Powered by SQL Injection
Successful SQL injection exploits allow attackers to execute predefined SQL commands, enabling them to access, alter or delete all data being stored in a database; gain database administrator-level privileges; and more. Experts say such attacks remain popular because they so often still work and remain difficult to detect.
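The OWASP wording quoted above, user-supplied data that "is not validated, filtered or sanitized," and the authentication bypass described in Group-IB's report both come down to one coding mistake: building the SQL statement text out of untrusted input. The example below is added here and is not code from the report, OWASP or any affected vendor. It puts a vulnerable login check beside its hardened form using Python's standard sqlite3 module and a constructed in-memory user table; the `hash_password` helper is a deliberately simple stand-in (a real application would use a dedicated password-hashing function such as argon2 or bcrypt), because the point is how the statement is constructed, not how the password is stored.

```python
import hashlib
import sqlite3


def hash_password(password: str) -> str:
    # Stand-in for a real password hash; use argon2/bcrypt/scrypt in production.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed in-memory user table standing in for an application's database.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users VALUES (?, ?)", ("alice", hash_password("correct horse"))
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # The username is pasted into the SQL text, so a quote character in it
    # changes the statement itself instead of being treated as data.
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + hash_password(password) + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Placeholders keep the statement fixed; the driver passes the values
    # separately, so the same username only ever matches a literal string.
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    params = (username, hash_password(password))
    return conn.execute(sql, params).fetchone() is not None


if __name__ == "__main__":
    db = build_db()
    # A username containing a quote and an SQL comment marker: the vulnerable
    # query's password comparison is commented away, the parameterized one is not.
    crafted = "alice' --"
    print("vulnerable, wrong password:", login_vulnerable(db, crafted, "wrong"))
    print("parameterized, wrong password:", login_parameterized(db, crafted, "wrong"))
```

With the crafted username the vulnerable function returns `True` despite the wrong password, which is exactly the authentication bypass the report describes; the parameterized function returns `False` because the quote and comment marker never reach the SQL parser as syntax. Parameterization is the fix; input validation and the low-privilege database accounts OWASP mentions are the defense in depth that limits the damage when a query is missed.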
"The severity of SQL injection attacks is limited by the attacker's skill and imagination, and to a lesser extent, defense-in-depth countermeasures, such as low privilege connections to the database server and so on," OWASP reported. "In general, consider SQL injection a high-impact severity."
Numerous nation-state attackers and cybercrime groups, including multiple ransomware rackets, continue to seek SQL injection flaws to exploit. "SQL attacks persist because they are simple by nature," Group-IB's Rostovcev said. "Companies often overlook how critical input security and data validation are, which leads to vulnerable coding practices, outdated software and improper database settings. The negligence creates the perfect landscape for SQL injection attacks on public-facing web applications."
Such flaws can give attackers enormous power, especially when uncovered in popular pieces of software.
As long ago as July 2021, the Clop ransomware group discovered or came into possession of a zero-day exploit for an SQL injection flaw in Progress Software's widely used MOVEit secure file transfer software. In late May, Clop used the vulnerability, now tracked as CVE-2023-34362, to run a mass attack against MOVEit file servers, stealing data from as many such servers as possible and holding it to ransom.
While Progress Software quickly patched the flaw, Clop's rapid, simultaneous exploits of so many MOVEit servers enabled the group to steal a massive amount of data from organizations using the software. As of Thursday, security firm Emsisoft reported that at least 2,667 organizations have been affected by the attacks, which exposed information pertaining to 84 million individuals. Fresh victims of Clop's May hacking spree are still coming to light.