New Threat Actor Uses Open-Source Tools for Widespread Attacks

Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting government and private sector organizations around the world.

Recorded Future's Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations.

Also singled out since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam.

"TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access," the cybersecurity company said. "The group used open-source Go backdoors Pantegana and Spark RAT post-exploitation."

Attack chains involve the exploitation of known security flaws impacting various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.

The group has also been observed conducting wide-ranging reconnaissance activity aimed at internet-facing appliances belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. This also comprised several Cuban embassies located in Bolivia, France, and the U.S.

Open-Source Tools

"Starting on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activity targeting Palo Alto Networks GlobalProtect appliances of organizations, mostly based in the U.S., across the education, finance, legal, local government, and utilities sectors," the company said.

This effort is said to have coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400, a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls.

Successful initial access is followed by the deployment of Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts.

The findings illustrate how PoC exploits can be combined with open-source programs to orchestrate attacks, effectively lowering the barrier to entry for less sophisticated threat actors. Moreover, such tradecraft allows adversaries to complicate attribution efforts and evade detection.

"The widespread targeting of internet-facing appliances is particularly attractive because it offers a foothold within the targeted network via products that often have limited visibility, logging capabilities, and support for traditional security solutions, reducing the risk of detection post-exploitation," Recorded Future said.
