Unknown threat actors have been observed leveraging open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations.
Recorded Future’s Insikt Group is tracking the activity under the temporary moniker TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations.
Also singled out since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, Netherlands, Taiwan, the U.K., the U.S., and Vietnam.
“TAG-100 employs open-source remote access capabilities and exploits various internet-facing devices to gain initial access,” the cybersecurity company said. “The group used open-source Go backdoors Pantegana and Spark RAT post-exploitation.”
Attack chains involve the exploitation of known security flaws impacting various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
The group has also been observed conducting wide-ranging reconnaissance activity aimed at internet-facing appliances belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. This also comprised several Cuban embassies located in Bolivia, France, and the U.S.
“Beginning on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activity targeting Palo Alto Networks GlobalProtect appliances of organizations, mostly based in the U.S., within the education, finance, legal, local government, and utilities sectors,” the company said.
This effort is said to have coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400, a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls.
Successful initial access is followed by the deployment of Pantegana, Spark RAT, and Cobalt Strike Beacon on compromised hosts.
The findings illustrate how PoC exploits can be combined with open-source programs to orchestrate attacks, effectively lowering the barrier to entry for less sophisticated threat actors. Furthermore, such tradecraft enables adversaries to complicate attribution efforts and evade detection.
“The widespread targeting of internet-facing appliances is particularly attractive because it offers a foothold within the targeted network via products that often have limited visibility, logging capabilities, and support for traditional security solutions, reducing the risk of detection post-exploitation,” Recorded Future said.
