X-Industry

TAG-100 Cyber Espionage Group

Posted by Bill Schenkelberg on July 19, 2024 at 8:15am

12739617887?profile=RESIZE_400xRecorded Future’s Insikt Group identified a suspected cyber-espionage campaign by TAG-100, targeting global government and private sector organizations.  TAG-100 exploited internet-facing devices and used open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.

  • TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
  • TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access. This activity highlights the increasing trend of cyber-espionage using open-source tools, making it easier for less capable threat actors and reducing the need for customized capabilities. Two major Asia-Pacific intergovernmental organizations, along with multiple diplomatic, trade, and private sector entities globally, were likely compromised by TAG-100.
  • TAG-100 has compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. The group used open-source Go backdoors Pantegana and SparkRAT post-exploitation.
  • TAG-100 targeted various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate.

Following the release of a PoC exploit for Palo Alto Networks GlobalProtect firewall vulnerability CVE-2024-3400, TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations.[1]

Impact and Implications - The exploitation of vulnerable internet-facing devices by TAG-100 is particularly concerning due to the limited visibility and logging capabilities of these devices. This reduces the risk of detection post-exploitation and exposes organizations to operational downtime, reputational damage, and regulatory fines. The use of open-source tools also allows state-sponsored threat actors to outsource cyber operations to less capable groups, increasing the intensity and frequency of attacks on enterprise networks.

What organizations should:

  • Configure intrusion detection and prevention systems to alert on and block suspicious IP addresses and domains.
  • Ensure security monitoring for all external-facing services and devices.
  • Prioritize patching vulnerabilities, especially those exploited in the wild.
  • Implement network segmentation and multi-factor authentication.
  • Use the Recorded Future® Threat Intelligence module to detect and block malicious infrastructures like Pantegana, SparkRAT, and Cobalt Strike command-and-control (C2) servers in real-time.
  • The Recorded Future® Third-Party Intelligence module helps monitor real-time outputs to identify suspected intrusion activities involving key vendors and partners.
  • Monitoring Malicious Traffic Analysis (MTA) enables Recorded Future clients to proactively alert and monitor infrastructure involved in communication with known TAG-100 C2 IP addresses.

Outlook - TAG-100’s activities highlight a persistent threat to internet-facing devices, with both financially motivated and state-sponsored threat actors likely to continue exploiting these vulnerabilities.  The US and UK governments are working to improve security, but vulnerable network edges remain a significant risk. Financially motivated and state-sponsored threat actors will likely continue exploiting these vulnerabilities.

Link to full report:

This article is shared at no charge for educational and informational purposes only.

We’d like to again thank Sentinel Labs for this great analysis.  Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5378972949933166424

[1] https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign/

Views: 14
Tags: ir-200-001, tag-100, espionage, citrix netscaler, f5 big-ip, sonicwall, cisco asa
E-mail me when people leave their comments –
Follow

You need to be a member of Red Sky Alliance to add comments!