TAG-100: A New Cyber Threat Actor Leveraging Open-Source Tools for Global Attacks
July 18, 2024
A new cyber threat actor, tracked as TAG-100, has been discovered using open-source tools in a suspected global cyber espionage campaign targeting government and private sector organizations. The activity is tracked by Recorded Future's Insikt Group, which assesses that the adversary has likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed intergovernmental organizations in the Asia-Pacific region.
Notable targets since February 2024 include diplomatic, government, semiconductor supply-chain, non-profit, and religious entities in countries such as Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam. TAG-100 relies on open-source remote access capabilities and exploits a variety of internet-facing devices to gain initial access. Post-exploitation, the group deploys the open-source Go backdoors Pantegana and Spark RAT.
The attack chains exploit known security vulnerabilities in internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate. The group has also been observed conducting extensive reconnaissance against internet-facing appliances owned by organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia, among them several Cuban embassies located in Bolivia, France, and the U.S.
Starting on April 16, 2024, TAG-100 began probable reconnaissance and exploitation activity against Palo Alto Networks GlobalProtect appliances belonging to organizations, mostly in the U.S., in the education, finance, legal, local government, and utilities sectors. This activity coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400, a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls. Following successful initial access, the group deploys Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts.
This case demonstrates how public PoC exploits can be combined with open-source programs to orchestrate intrusions, lowering the barrier to entry for less sophisticated threat actors. Reliance on widely available tooling also complicates attribution and helps adversaries evade detection. According to Recorded Future, the widespread targeting of internet-facing appliances is particularly attractive because it provides a foothold in the target network through products that often have limited visibility, limited logging, and little support for traditional endpoint security solutions, which reduces the risk of detection after exploitation.