Recorded Future’s Insikt Group has identified a new threat actor, TAG-100, that is leveraging open-source tools for a global cyber espionage campaign. This group is suspected of targeting both government and private sector organizations across ten countries, spanning Africa, Asia, North America, South America, and Oceania. Specific targets include diplomatic, government, semiconductor supply-chain, non-profit, and religious entities in various locations such as Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam.
TAG-100 is known for using open-source remote access tools, including Go backdoors like Pantegana and Spark RAT, to gain initial access. Their attack chains exploit known security vulnerabilities in internet-facing products such as Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. The group has conducted reconnaissance activities targeting these appliances, which are attractive due to their limited visibility and logging capabilities.
A significant aspect of TAG-100’s tactics is its use of public proof-of-concept (PoC) exploits. For example, since April 16, 2024, the group has targeted Palo Alto Networks GlobalProtect appliances in the U.S., exploiting CVE-2024-3400, a critical remote code execution vulnerability. This aligns with its strategy of combining open-source programs with PoC exploits, an approach that enhances its attack capabilities while lowering the barrier to entry for less sophisticated threat actors.
The group’s extensive reconnaissance and exploitation of internet-facing appliances highlight the challenges of detecting and mitigating such attacks. These appliances often have limited security controls and logging, making them attractive targets. By relying on widely available tooling rather than custom malware, TAG-100 complicates attribution and detection efforts, illustrating how combining open-source tools with PoC exploits can enable widespread and effective cyber attacks.