A cyber espionage group [2] [5], TAG-100 [1] [2] [3] [4] [5] [6], has been conducting a global campaign targeting government [1] [3], intergovernmental [1] [3] [4] [5] [6], and private sector organizations since February 2024 [2].

Description

TAG-100 has affected organizations in Africa [4], Asia [1] [2] [3] [4] [5] [6], North America [1] [2] [3] [4] [5] [6], South America [1] [2] [3] [4] [5] [6], and Oceania [1] [2] [3] [4] [5] [6], including Asia-Pacific intergovernmental organizations and entities in Cambodia [1] [3] [4] [5], Djibouti [1] [3] [4], the Dominican Republic [1] [3] [4], Fiji [1] [3] [4], Indonesia [1] [3] [4], the Netherlands [1] [3] [4], Taiwan [1] [3] [4], the UK, the US, and Vietnam [1] [3] [4]. The group gains initial access by exploiting vulnerabilities in internet-facing devices such as Citrix NetScaler [6], F5 BIG-IP [1] [2] [3] [4] [5] [6], Zimbra [1] [2] [3] [4] [5] [6], Microsoft Exchange Server [1] [2] [3] [4], SonicWall [1] [3] [4] [5] [6], Cisco ASA [1] [3] [4] [5] [6], Palo Alto Networks GlobalProtect [1] [3] [4] [5] [6], and Fortinet FortiGate [1] [3] [4] [5] [6]. For post-exploitation activity it uses open-source backdoors such as Pantegana [4] [5] and Spark RAT [1] [3] [4] [5], as well as Cobalt Strike [3] [4]. TAG-100 has been observed targeting Palo Alto Networks GlobalProtect firewalls through a critical remote code execution vulnerability (CVE-2024-3400 [4], CVSS score 10.0) [3] [4], then deploying Pantegana [3] [4], Spark RAT [1] [3] [4] [5], and Cobalt Strike Beacon on the compromised hosts [1] [4]. Its reliance on publicly available proof-of-concept exploits and open-source tooling complicates attribution and helps it evade detection, particularly on internet-facing appliances, which typically offer defenders limited visibility and logging [3] [4]. Reconnaissance activity has also been observed against internet-facing appliances in countries including Cuba [3], France [1] [3], Italy [1] [3], Japan [1] [3], and Malaysia [1] [3], including Cuban embassies in Bolivia [3], France [1] [3], and the US [3].

Conclusion

The TAG-100 campaign underscores the need for stronger cybersecurity measures to protect critical infrastructure and sensitive data worldwide [2]. The group's reconnaissance of internet-facing appliances in countries including Cuba [1], France [1] [3], Italy [1] [3], Japan [1] [3], and Malaysia [1] [3] has targeted organizations in the education [1] [2] [5], finance [1], legal [1], local government [1], and utilities sectors [1]. TAG-100's ongoing activity highlights the importance of vigilance and proactive defensive measures, in particular timely patching and monitoring of internet-facing appliances, to guard against such threats.

References

[1] https://www.443news.com/2024/07/new-threat-actor-uses-open-source-tools-for-widespread-attacks/
[2] https://insights.havosoft.com/2024/07/18/tag-100-new-cyber-espionage-threat-targets-global-organizations-with-open-source-tools/
[3] https://vulners.com/thn/THN:7AAD63782BB63EABE4765D920964DE27
[4] https://thehackernews.com/2024/07/tag-100-new-threat-actor-uses-open.html
[5] https://securityonline.info/tag-100s-global-espionage-campaign-exploiting-open-source-tools/
[6] https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign