A threat actor tracked as TAG-100 has been observed using open-source tools in a suspected cyber-espionage campaign targeting a wide range of government and private-sector organizations around the world.
Recorded Future's Insikt Group, which is monitoring the activity under the temporary designation TAG-100, assesses that the group has likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. Two unnamed Asia-Pacific intergovernmental organizations are among the victims.
Since February 2024, organizations in the diplomatic, government, semiconductor supply chain, non-profit, and religious sectors in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam have been targeted.
“TAG-100 utilizes open-source remote access tools and exploits various internet-facing devices to achieve initial ingress,” the cybersecurity firm said. “The group deployed open-source Go backdoors Pantegana and Spark RAT in the post-exploitation phase.”
Initial access relies on the exploitation of known security vulnerabilities in a range of internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
The group has also been observed conducting extensive reconnaissance against internet-facing devices belonging to organizations in no fewer than fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. That reconnaissance also covered several Cuban embassies in Bolivia, France, and the U.S.
“Commencing on April 16, 2024, TAG-100 likely engaged in reconnaissance and exploitative operations targeting Palo Alto Networks GlobalProtect appliances of organizations, predominantly in the U.S., within the education, finance, legal, local government, and utilities sectors,” the company noted.
This activity coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400 (CVSS score: 10.0), a critical remote code execution vulnerability in Palo Alto Networks GlobalProtect firewalls.
After gaining initial access, the group deployed Pantegana, Spark RAT, and Cobalt Strike Beacon on the compromised systems.
The findings show how public PoC exploits, combined with open-source tooling, lower the barrier to entry for less sophisticated threat actors. Because such tools are freely available and widely used, they also make attribution harder and help adversaries blend in with other activity.
“The extensive targeting of internet-facing appliances is particularly alluring as it offers a gateway into the targeted network via products that often possess limited visibility, logging capabilities, and support for conventional security solutions, thus diminishing the risk of detection post-exploitation,” Recorded Future remarked.