TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Summary:
Unknown threat actors, tracked by Recorded Future's Insikt Group under the temporary moniker TAG-100, have been leveraging open-source tools in a suspected cyber espionage campaign targeting global government and private sector organizations. The adversary has likely compromised entities in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations. Since February 2024, TAG-100 has focused on diplomatic, government, semiconductor supply-chain, non-profit, and religious entities in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam. For post-exploitation, the group employs open-source remote access tools such as Pantegana and Spark RAT.

TAG-100's attack chains involve exploiting known security flaws in various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate. The group conducts extensive reconnaissance activity aimed at internet-facing appliances belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia, also targeting several Cuban embassies in Bolivia, France, and the U.S.

Beginning on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activities targeting Palo Alto Networks GlobalProtect appliances of organizations mostly based in the U.S., spanning sectors such as education, finance, legal, local government, and utilities. This activity coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400, a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls with a CVSS score of 10.0. After successful initial access, TAG-100 deploys Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts. This approach illustrates how PoC exploits can be combined with open-source programs to orchestrate attacks, effectively lowering the barrier to entry for less sophisticated threat actors. Additionally, such tradecraft enables adversaries to complicate attribution efforts and evade detection.

Security Officer Comments:
Internet-facing appliances are particularly attractive targets because these devices often have limited visibility, limited logging capabilities, and little support for traditional endpoint security solutions, which reduces the risk of detection post-exploitation. Insikt Group's monitoring of TAG-100 reveals a complex and multi-faceted cyber espionage campaign. By leveraging open-source tools and known vulnerabilities, TAG-100 exemplifies how modern threat actors can efficiently and effectively penetrate multiple organizations across the globe.

Suggested Corrections:

IOCs:

PDF: https://go.recordedfuture.com/hubfs/reports/cta-2024-0716.pdf

Organizations should:
  • Configure intrusion detection and prevention systems to alert on and block suspicious IP addresses and domains.
  • Ensure security monitoring for all external-facing services and devices.
  • Prioritize patching vulnerabilities, especially those exploited in the wild.
  • Implement network segmentation and multi-factor authentication.
  • For Recorded Future clients, Malicious Traffic Analysis (MTA) can proactively alert on and monitor infrastructure communicating with known TAG-100 C2 IP addresses.
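As an added illustration of the first and last recommendations above (this is not code from the Recorded Future report or the article), the script below matches outbound firewall log entries against a C2 indicator list and counts hits per internal host so repeated beaconing stands out. The indicator IPs and log lines are constructed placeholders from documentation address ranges; the real TAG-100 indicators are only in the linked PDF.

```python
"""Match firewall log destinations against a C2 indicator list (added example)."""
import ipaddress
import re
from collections import Counter

# CONSTRUCTED placeholder indicators (documentation ranges), not real TAG-100 C2 IPs.
# In practice, load this set from the report's IOC list or a threat-intel feed.
C2_INDICATORS = {
    ipaddress.ip_address("203.0.113.10"),
    ipaddress.ip_address("198.51.100.7"),
}

# Constructed sample log lines in a simple key=value firewall format.
SAMPLE_LOGS = """\
2024-04-17T02:14:05Z fw01 action=allow src=10.1.4.22 dst=203.0.113.10 dport=443 proto=tcp
2024-04-17T02:14:09Z fw01 action=allow src=10.1.4.22 dst=93.184.216.34 dport=443 proto=tcp
2024-04-17T02:15:41Z fw01 action=deny src=10.1.9.5 dst=198.51.100.7 dport=8443 proto=tcp
2024-04-17T02:16:00Z fw01 action=allow src=10.1.4.22 dst=203.0.113.10 dport=443 proto=tcp
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) action=(?P<action>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["src"] = ipaddress.ip_address(rec["src"])
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    return rec


def find_c2_hits(log_text, indicators=C2_INDICATORS):
    """Return (timestamp, src, dst, action) for every connection to an indicator IP.

    Denied connections are kept on purpose: a blocked beacon attempt still
    points at a host that is likely already compromised."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in indicators:
            hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["action"]))
    return hits


def summarize(hits):
    """Count hits per internal source host so repeated beaconing stands out."""
    return Counter(src for _, src, _, _ in hits)
```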

Link(s):
https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html