Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making them easy to modify and deploy.
Besides this, open-source tools can be customized to evade detection, automate tasks, and leverage existing vulnerabilities, enabling threat actors to conduct sophisticated attacks efficiently.
Recorded Future’s Insikt Group uncovered a new cyber-espionage campaign, dubbed TAG-100, targeting high-profile organizations globally.
The group takes advantage of internet-facing appliances and employs open-source tools such as Pantegana backdoor, a trend that features weaponized PoC exploits combined with open-source frameworks.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
Such an approach simplifies entry for less capable actors and enables more advanced groups to hide their tracks.
However, they remain attractive to attackers since only a few security measures have been put in place despite global efforts to fix vulnerabilities on internet-facing devices.
Researchers discovered the victim organizations in the following countries:-
- Cambodia
- Djibouti
- The Dominican Republic
- Fiji
- Indonesia
- Netherlands
- Taiwan
- The United Kingdom
- The United States
- Vietnam
Some of the recommendations made to organizations include operationalizing intelligence-led patching, increasing attack surfaces, and enhancing defense-in-depth measures.
Open-source tools will continue to be used more frequently by state-sponsored actors who may contract out to proxy groups, leading to rising cyber threats overall.
Since February 2024, TAG-100, a group of cyber spies, has been attacking organizations from ten countries ranging from governments to intergovernmental and private sectors.
The researchers found that the gang uses various internet-facing appliances, including Citrix NetScaler, Zimbra, and Microsoft Exchange.
.webp)
Noteworthy targets include Southeast Asian and Oceanian intergovernmental organizations, foreign ministries, embassies, religious groups as well as semiconductor companies.
By March TAG-100 was in at least fifteen countries with a major focus on Cuban Embassies. Overlapping with the CVE-2024-3400 exploit release in April they targeted Palo Alto Networks GlobalProtect appliances.
This group’s reliance on publicly available exploits like those used for Zimbra (CVE-2019-9621) reveals their initiative in the domain of cyber espionage.
TAG-100 combines open-source post-exploitation frameworks like Pantegana, SparkRAT, LESLIELOADER, Cobalt Strike, and CrossC2 with various public exploits.
This is evident in their targets’ profiles, which include national governments, religious institutions, and intergovernmental agencies.
Besides utilizing CloudFlare CDN for C2 communication and ExpressVPN to manage its services, the group has been seen employing self-signed TLS certificates.
Although some of the targets tended to overlap with previous China-sponsored operations, TAG-100 makes it difficult to attribute using off-the-shelf tools and unique modes of operation.
The activities linked to this group’s attacks that have been observed since at least November 2023 are indicative of the changing cyber threat landscape where basic operational security strategies fuse with easily accessible tools.
Mitigations
Here below we have mentioned all the mitigations:-
- Configure IDS/IPS to alert on and potentially block connections to known malicious IP addresses and domains.
- Implement robust monitoring for external-facing services and devices.
- Watch for post-exploitation activities like web shells, backdoors, or lateral movement.
- Prioritize patching high-risk vulnerabilities, especially RCE in external-facing appliances.
- Implement network segmentation and multi-factor authentication for sensitive information.
- Use threat intelligence to detect and block malicious infrastructure in real-time.
- Monitor third-party vendors and partners for potential intrusion activity.
- Utilize Malicious Traffic Analysis to monitor communications with known C2 servers proactively.
IoCs
.webp)
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.