Unknown threat actors are leveraging open-source tools in a suspected cyber espionage campaign targeting global government and private sector organizations.
Recorded Future’s Insikt Group is monitoring this activity, temporarily named TAG-100, and reports that the adversary has likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. This includes two unnamed Asia-Pacific intergovernmental organizations.
Since February 2024, the campaign has specifically targeted diplomatic, government, semiconductor supply chain, non-profit, and religious entities in countries such as Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam.
Cybersecurity Details
“TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access,” said the cybersecurity company. After exploitation, the group deploys the open-source Go backdoors Pantegana and Spark RAT.
Their attack methods involve exploiting known security flaws in various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
The group has also been conducting extensive reconnaissance on internet-facing appliances belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. This reconnaissance has also included several Cuban embassies in Bolivia, France, and the U.S.
Open-Source Tools
“Beginning on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activity targeting Palo Alto Networks GlobalProtect appliances of organizations, mostly based in the U.S., within the education, finance, legal, local government, and utilities sectors,” the company stated.
This effort coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400 (CVSS score: 10.0), a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls.
After gaining initial access, the threat actors deploy Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts.
These findings illustrate how PoC exploits can be combined with open-source programs to conduct attacks, effectively lowering the entry barrier for less sophisticated threat actors. Moreover, this approach complicates attribution efforts and aids in evading detection.
“The widespread targeting of internet-facing appliances is particularly attractive because it offers a foothold within the targeted network via products that often have limited visibility, logging capabilities, and support for traditional security solutions, reducing the risk of detection post-exploitation,” said Recorded Future.
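The quoted observation and the product list above point to a defender's first task: knowing which internet-facing appliances of the named families are unpatched or not forwarding logs. The following script is an added illustration, not Recorded Future's data or tooling; the inventory rows and the column names (`internet_facing`, `patch_current`, `logs_forwarded_to_siem`) are constructed assumptions about an asset-register export.

```python
"""Added example: triage internet-facing appliances of the product families
named in the TAG-100 reporting. The inventory is constructed for illustration."""
import csv
import io
from typing import List, Optional, Tuple

# Product families the article names as exploited by TAG-100 (matched
# case-insensitively as substrings of the inventory's product field).
TARGETED_FAMILIES = (
    "citrix netscaler", "f5 big-ip", "zimbra", "microsoft exchange",
    "sonicwall", "cisco asa", "palo alto globalprotect", "fortinet fortigate",
)

# Constructed sample inventory; column names are assumptions, not a real export.
SAMPLE_INVENTORY = """\
hostname,product,internet_facing,patch_current,logs_forwarded_to_siem
vpn-edge-1,Palo Alto GlobalProtect,yes,no,no
mail-1,Microsoft Exchange Server 2019,yes,yes,yes
lb-2,F5 BIG-IP,yes,no,yes
fw-dc,Fortinet FortiGate,no,no,no
wiki-1,Confluence,yes,no,no
"""


def targeted_family(product: str) -> Optional[str]:
    """Return the matching targeted family name, or None if not in scope."""
    name = product.strip().lower()
    for family in TARGETED_FAMILIES:
        if family in name:
            return family
    return None


def _is_yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def triage(inventory_csv: str) -> List[Tuple[str, str, int, List[str]]]:
    """Rank internet-facing appliances of targeted families by exposure.

    Score: +2 if the patch level is not current, +1 if the appliance does not
    forward logs (the visibility gap the article highlights). Returns
    (hostname, family, score, recommended_actions) sorted by descending score.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        family = targeted_family(row["product"])
        if family is None or not _is_yes(row["internet_facing"]):
            continue  # not a targeted family, or not reachable from the internet
        score, actions = 0, []
        if not _is_yes(row["patch_current"]):
            score += 2
            actions.append("apply vendor patch and review for prior compromise")
        if not _is_yes(row["logs_forwarded_to_siem"]):
            score += 1
            actions.append("forward appliance logs to the SIEM")
        findings.append((row["hostname"], family, score, actions))
    findings.sort(key=lambda f: (-f[2], f[0]))
    return findings


if __name__ == "__main__":
    for host, family, score, actions in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {family:24} score={score} {'; '.join(actions) or 'ok'}")
```

Hosts with a score of zero still appear in the output so that the in-scope population is visible even when no action is pending; appliances that are not internet-facing are deliberately dropped, since the article's point is about the externally reachable edge.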