| TAG-100 | |
| --- | --- |
| Date of Initial Activity | 2024 |
| Location | Unknown |
| Suspected Attribution | Cybercriminals |
| Motivation | Financial Gain |
| Software | Servers |
Overview
In the realm of cybersecurity, the emergence of threat actor groups presents a significant challenge to organizations worldwide. Among these groups, TAG-100 has surfaced as a formidable player in global cyber-espionage campaigns, targeting high-profile government and private sector organizations across multiple continents. Recent reports from Recorded Future’s Insikt Group have detailed TAG-100’s sophisticated tactics, highlighting its reliance on open-source remote access tools and the exploitation of vulnerable internet-facing appliances to gain unauthorized access to sensitive networks.
TAG-100’s operations have not only focused on well-known enterprises but also on intergovernmental organizations in the Asia-Pacific region, revealing a breadth of ambition and capability. The group’s targeting strategy encompasses a wide array of sectors, including diplomatic entities, government ministries, semiconductor supply chains, and religious organizations. This extensive reach underscores the critical need for heightened vigilance among organizations that may be potential targets of espionage activities, particularly those involved in strategic sectors or international cooperation.
Common Targets
- Information
- Public Administration
- Manufacturing
- Retail Trade
- Cambodia
- Djibouti
- The Dominican Republic
- Fiji
- Indonesia
- Netherlands
- Taiwan
- The United Kingdom
- The United States
- Vietnam
Attack vectors
Software Vulnerabilities
How they work
At the core of TAG-100’s operations lies their exploitation of vulnerabilities in commonly used internet-facing appliances, such as Citrix NetScaler, Microsoft Exchange, and F5 BIG-IP. These appliances often operate with limited visibility and logging capabilities, making them attractive targets for cybercriminals. By deploying proof-of-concept (PoC) exploits, such as those for the Palo Alto Networks GlobalProtect firewall vulnerability (CVE-2024-3400), TAG-100 has been able to compromise numerous organizations with relative ease. Their tactics reveal a meticulous approach, as they conduct reconnaissance to identify potential vulnerabilities in these devices before launching their attacks. This preliminary research allows them to maximize the effectiveness of their exploitation efforts, often leading to successful infiltrations.
Once inside a target network, TAG-100 employs a range of tools and techniques to maintain access and exfiltrate sensitive data. The use of open-source Go backdoors such as Pantegana and SparkRAT exemplifies their preference for readily available, customizable solutions that provide persistent access without the need for proprietary software. These backdoors not only allow for command execution but also support lateral movement across the network, enabling TAG-100 to escalate privileges and compromise additional systems. Their use of remote services and scripting interpreters underscores their technical prowess, as they execute scripts and commands to gather intelligence and advance their espionage objectives.
Moreover, TAG-100’s operational model indicates a propensity for defense evasion and obfuscation. By employing techniques such as credential dumping and the deployment of web shells, they enhance their ability to remain undetected within compromised environments. Their actions are often masked by legitimate network activities, making it challenging for organizations to identify their presence. This capability is further reinforced by the group’s focus on low-risk operations that prioritize deniability, allowing them to exploit various entry points without raising immediate alarms.
As TAG-100 continues to expand its reach, the implications for organizations worldwide are profound. Their tactics highlight the necessity for heightened cybersecurity measures, especially concerning the security of internet-facing devices. Organizations must prioritize intelligence-led patching and regular audits of their perimeter appliances to mitigate the risks posed by such threat actors. Additionally, improving defense-in-depth strategies that focus on detecting post-exploitation activities is crucial to thwarting TAG-100’s operations. Unless significant steps are taken to bolster the security of vulnerable devices, the cyber-espionage landscape will likely remain rife with threats from groups like TAG-100.
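One concrete form of the post-exploitation detection recommended above, as an added example (not code from the original profile or from Recorded Future): a small Python detector that reads an appliance's HTTP access log and flags web-shell-like use, the persistence technique the profile attributes to TAG-100 and the kind of activity that otherwise hides inside legitimate web traffic. The allowlist of expected paths, the script-extension list and the sample log lines are constructed for the example; in practice the allowlist comes from the appliance vendor's documentation.

```python
"""Flag web-shell-like activity in an appliance's HTTP access log.

Added example, not code from the original profile or from any vendor. It
assumes Combined Log Format lines and an allowlist of paths the appliance is
expected to serve; ALLOWED_PREFIXES and the sample log below are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical allowlist: paths this appliance legitimately serves.
ALLOWED_PREFIXES = ("/login", "/api/", "/static/")
# Server-side script extensions that should not appear outside the allowlist.
SCRIPT_EXTS = (".php", ".aspx", ".asp", ".jsp", ".jspx", ".cgi", ".pl")


def parse_line(line):
    """Parse one access-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_webshell_indicators(lines, allowed=ALLOWED_PREFIXES, min_posts=3):
    """Return alerts for (client, path) pairs that look like web-shell use.

    Two indicators are checked per client/path pair on non-allowlisted paths:
      - any successful POST to a server-side script (a script the app never
        shipped is the classic sign of a dropped shell)
      - min_posts or more successful POSTs from one client (shell interaction)
    """
    stats = defaultdict(lambda: {"posts": 0, "ok_posts": 0, "first": None})
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].startswith(allowed):
            continue  # expected application endpoint, not interesting here
        s = stats[(rec["ip"], rec["path"])]
        s["posts"] += 1
        if rec["status"] < 400:
            s["ok_posts"] += 1
        s["first"] = s["first"] or rec["ts"]

    alerts = []
    for (ip, path), s in stats.items():
        if s["ok_posts"] and path.lower().endswith(SCRIPT_EXTS):
            alerts.append({"rule": "post_to_unexpected_script", "ip": ip,
                           "path": path, "count": s["ok_posts"], "first": s["first"]})
        if s["ok_posts"] >= min_posts:
            alerts.append({"rule": "repeated_post_same_path", "ip": ip,
                           "path": path, "count": s["ok_posts"], "first": s["first"]})
    return alerts


# Constructed sample log: one normal user, one static fetch, one client that
# repeatedly POSTs to a script under an image directory, one API call, and
# one non-log line to show the parser skipping junk.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2024:09:12:01 +0000] "GET /login HTTP/1.1" 200 1321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2024:09:12:04 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2024:09:15:10 +0000] "GET /static/app.js HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2024:09:20:33 +0000] "POST /portal/images/help.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jul/2024:09:21:02 +0000] "POST /portal/images/help.php HTTP/1.1" 200 640 "-" "python-requests/2.31"
198.51.100.9 - - [10/Jul/2024:09:21:40 +0000] "POST /portal/images/help.php HTTP/1.1" 200 377 "-" "python-requests/2.31"
192.0.2.14 - - [10/Jul/2024:09:30:00 +0000] "POST /api/session HTTP/1.1" 200 95 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped by the parser
"""


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_webshell_indicators(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in scan_sample():
        print(f'{a["rule"]:28} {a["ip"]:15} {a["path"]} x{a["count"]} (first {a["first"]})')
```

To run it against a real log, pass `open(path)` to `find_webshell_indicators`. The two rules are deliberately independent: a shell saved with a non-script extension still surfaces through the repeated-POST rule, and a client that posts only once still surfaces through the script-extension rule. Both rules are blind to anything reached under an allowlisted prefix, so keep the allowlist to exact application endpoints rather than broad directory prefixes.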
In summary, TAG-100’s technical operations reflect a well-orchestrated strategy that capitalizes on the weaknesses of internet-facing appliances while employing sophisticated tools and techniques to achieve their espionage objectives. The group’s ability to exploit these vulnerabilities and maintain persistent access positions them as a significant threat to organizations across various sectors. As the cyber landscape evolves, so too must the strategies to defend against such adaptable and resourceful threat actors.
MITRE Tactics and Techniques
Initial Access (TA0001):
- Exploitation of Public-Facing Applications (T1190): TAG-100 targets vulnerabilities in internet-facing appliances like Citrix NetScaler, Microsoft Exchange, and Palo Alto Networks GlobalProtect to gain initial access.

Execution (TA0002):
- Command and Scripting Interpreter (T1059): The group utilizes remote access tools such as the Pantegana backdoor, allowing them to execute commands and scripts on compromised systems.

Persistence (TA0003):
- Web Shell (T1100): TAG-100 may deploy web shells on compromised servers to maintain access over time.

Privilege Escalation (TA0004):
- Exploitation of Vulnerabilities (T1068): The group exploits known vulnerabilities to gain higher privileges within the network.

Defense Evasion (TA0005):
- Obfuscated Files or Information (T1027): By using open-source tools and custom scripts, TAG-100 can obfuscate their activities, making detection more challenging.

Credential Access (TA0006):
- Credential Dumping (T1003): TAG-100 might attempt to gather credentials from compromised systems to facilitate lateral movement within the network.

Discovery (TA0007):
- Network Service Scanning (T1046): The group conducts reconnaissance to identify network services and devices, which can lead to further exploitation opportunities.

Lateral Movement (TA0008):
- Remote Services (T1021): TAG-100 can use legitimate remote access protocols to move laterally across the network after initial compromise.

Collection (TA0009):
- Data from Information Repositories (T1005): Once inside a target network, TAG-100 collects sensitive data from various repositories, such as databases and file shares.

Exfiltration (TA0010):
- Exfiltration Over Command and Control Channel (T1041): The group is likely to exfiltrate data over established command and control channels.