Recorded Future’s Insikt Group identified a suspected cyber-espionage campaign by TAG-100, targeting global government and private sector organizations. TAG-100 exploited internet-facing devices and used open-source tools like the Go backdoor Pantegana. The campaign compromised two Asia-Pacific intergovernmental organizations and targeted multiple diplomatic and trade entities.
- TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies
- TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access. This activity highlights the increasing trend of cyber-espionage using open-source tools, making it easier for less capable threat actors and reducing the need for customized capabilities. Two major Asia-Pacific intergovernmental organizations, along with multiple diplomatic, trade, and private sector entities globally, were likely compromised by TAG-100.
- TAG-100 has compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. The group used open-source Go backdoors Pantegana and SparkRAT post-exploitation.
- TAG-100 targeted various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
Following the release of a PoC exploit for Palo Alto Networks GlobalProtect firewall vulnerability CVE-2024-3400, TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations.[1]
Impact and Implications - The exploitation of vulnerable internet-facing devices by TAG-100 is particularly concerning due to the limited visibility and logging capabilities of these devices. This reduces the risk of detection post-exploitation and exposes organizations to operational downtime, reputational damage, and regulatory fines. The use of open-source tools also allows state-sponsored threat actors to outsource cyber operations to less capable groups, increasing the intensity and frequency of attacks on enterprise networks.
What organizations should:
- Configure intrusion detection and prevention systems to alert on and block suspicious IP addresses and domains.
- Ensure security monitoring for all external-facing services and devices.
- Prioritize patching vulnerabilities, especially those exploited in the wild.
- Implement network segmentation and multi-factor authentication.
- Use the Recorded Future® Threat Intelligence module to detect and block malicious infrastructures like Pantegana, SparkRAT, and Cobalt Strike command-and-control (C2) servers in real-time.
- The Recorded Future® Third-Party Intelligence module helps monitor real-time outputs to identify suspected intrusion activities involving key vendors and partners.
- Monitoring Malicious Traffic Analysis (MTA) enables Recorded Future clients to proactively alert and monitor infrastructure involved in communication with known TAG-100 C2 IP addresses.
Outlook - TAG-100’s activities highlight a persistent threat to internet-facing devices, with both financially motivated and state-sponsored threat actors likely to continue exploiting these vulnerabilities. The US and UK governments are working to improve security, but vulnerable network edges remain a significant risk. Financially motivated and state-sponsored threat actors will likely continue exploiting these vulnerabilities.
Link to full report:
This article is shared at no charge for educational and informational purposes only.
We’d like to again thank Sentinel Labs for this great analysis. Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign/
Comments