TAG-100 Uses Open-Source Tools in Suspected Global Espionage Campaign, Compromising Two Asia-Pacific Intergovernmental Bodies

Recorded Future’s Insikt Group tracks TAG-100 as a suspected cyber-espionage operation that leveraged internet-facing devices and open-source tools such as the Go backdoor Pantegana. The campaign targeted two Asia-Pacific intergovernmental organizations and a broad set of diplomatic, trade, and private-sector entities globally. #TAG100 #Pantegana #SparkRAT #GlobalProtect #CVE-2024-3400

Keypoints

  • TAG-100 has compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania.
  • The group used open-source Go backdoors Pantegana and SparkRAT in post-exploitation activities.
  • TAG-100 targeted a range of internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate.
  • Following the public release of a PoC exploit for CVE-2024-3400 (Palo Alto Networks GlobalProtect), TAG-100 conducted reconnaissance against, and attempted exploitation of, dozens of US-based organizations.
  • Internet-facing devices such as VPN gateways and load balancers typically offer limited endpoint visibility and logging, so compromising them lets an intruder operate with a lower chance of detection; for the victim this raises the risk of downtime, reputational damage, and regulatory fines.
  • Recommended mitigations: deploy IDS/IPS, monitor external-facing services, patch promptly, segment the network, enforce MFA, and use threat intelligence to detect and block TAG-100 infrastructure and activity.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Exploitation of vulnerable internet-facing services, including CVE-2024-3400. ‘Following the release of a PoC exploit for Palo Alto Networks GlobalProtect firewall vulnerability CVE-2024-3400, TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations.’
  • [T1133] External Remote Services – Initial access via internet-facing remote-access and edge products (VPN gateways, load balancers, mail servers, firewalls). ‘TAG-100 targeted various internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate.’
  • [T1595] Active Scanning – Reconnaissance of target organizations ahead of exploitation attempts. ‘TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations.’
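As an added illustration of the monitoring and threat-intelligence mitigations in the key points and of the T1190/T1595 techniques above, the following Python script (written for this page; it is not code from Recorded Future or from the report) triages access logs of an internet-facing service: it flags a burst of distinct paths from one source as scanning, flags directory-traversal strings in the request path or cookies as an exploitation attempt, and matches source IPs against a threat-intel blocklist. The log lines, IP addresses, endpoint paths, blocklist and thresholds are all constructed for the example, and the traversal check is a generic heuristic, not a signature for CVE-2024-3400 or any other specific vulnerability.

```python
"""Triage of access logs from an internet-facing service for TAG-100-style
activity: reconnaissance scanning (T1595), exploitation attempts (T1190) and
hits on known-bad infrastructure from a threat-intel feed.

Added example, not from the Insikt Group report. The log lines, the intel
blocklist, the endpoint paths and the thresholds are constructed for
illustration; the traversal check is a generic heuristic, not a signature for
any particular CVE.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: Apache/nginx "combined" plus a trailing quoted Cookie
# header, which a reverse proxy in front of a VPN portal can be told to log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed stand-in for a threat-intelligence feed of attacker IPs.
INTEL_IPS = {"203.0.113.7"}

# Generic exploitation heuristic: directory traversal, raw or URL-encoded,
# in the request path (including query string) or in any cookie value.
TRAVERSAL = re.compile(r"(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)", re.IGNORECASE)

# Scanner heuristic: this many distinct paths from one IP inside the window.
SCAN_DISTINCT_PATHS = 5
SCAN_WINDOW = timedelta(minutes=1)

# Constructed sample: one scanner probing several edge-product paths, one
# request from a known-bad IP carrying a traversal string in a cookie, one
# benign browser session and one unparseable line.
SAMPLE_LOG = [
    '198.51.100.9 - - [12/Apr/2024:10:00:01 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512 "-" "python-requests/2.31" "-"',
    '198.51.100.9 - - [12/Apr/2024:10:00:03 +0000] "GET /ssl-vpn/hipreport.esp HTTP/1.1" 200 0 "-" "python-requests/2.31" "-"',
    '198.51.100.9 - - [12/Apr/2024:10:00:05 +0000] "GET /owa/ HTTP/1.1" 404 153 "-" "python-requests/2.31" "-"',
    '198.51.100.9 - - [12/Apr/2024:10:00:07 +0000] "GET /remote/login HTTP/1.1" 404 153 "-" "python-requests/2.31" "-"',
    '198.51.100.9 - - [12/Apr/2024:10:00:09 +0000] "GET /my.policy HTTP/1.1" 404 153 "-" "python-requests/2.31" "-"',
    '203.0.113.7 - - [12/Apr/2024:10:02:14 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 0 "-" "curl/8.4.0" "session=../../../../etc/passwd"',
    '192.0.2.50 - - [12/Apr/2024:10:03:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '192.0.2.50 - - [12/Apr/2024:10:03:01 +0000] "GET /global-protect/portal/css/login.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    "this line is not in the expected format",
]


def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def triage(lines):
    """Map each source IP that has a finding to a sorted list of finding labels."""
    findings = defaultdict(set)
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the run
        ip = rec["ip"]
        by_ip[ip].append(rec)
        if ip in INTEL_IPS:
            findings[ip].add("intel-match")
        if TRAVERSAL.search(rec["path"]) or TRAVERSAL.search(rec["cookie"]):
            findings[ip].add("T1190:path-traversal")
    # Scanner check: slide a one-minute window over each IP's requests and
    # count distinct paths inside it.
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            in_window = {r["path"] for r in recs[i:] if r["ts"] - first["ts"] <= SCAN_WINDOW}
            if len(in_window) >= SCAN_DISTINCT_PATHS:
                findings[ip].add("T1595:scan")
                break
    return {ip: sorted(labels) for ip, labels in findings.items()}


def block_list(findings):
    """IPs to push to the IDS/IPS or firewall: known-bad sources and exploitation
    attempts. Scanning alone is alerted on, not blocked, to limit false positives
    from legitimate vulnerability scanners."""
    return sorted(ip for ip, labels in findings.items()
                  if "intel-match" in labels or any(l.startswith("T1190") for l in labels))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip, labels in sorted(found.items()):
        print(ip, ", ".join(labels))
    print("block:", block_list(found))
```

Run directly, it prints the findings for the constructed sample (the scanner is flagged for T1595, the known-bad IP for both the intel match and the traversal attempt, the browser session not at all) and the block list containing only the known-bad IP. In practice, feed it the reverse proxy's log for the VPN or mail gateway, replace INTEL_IPS with a real feed, and tune SCAN_DISTINCT_PATHS and SCAN_WINDOW to the service's normal traffic before wiring the block list into an IPS.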

Indicators of Compromise

  • [Tool] Pantegana – Go backdoor used post-exploitation; context: open-source tool referenced as part of the operation.
  • [Tool] SparkRAT – Post-exploitation remote access tool used by TAG-100; context: open-source tool referenced in findings.
  • [Vulnerability] CVE-2024-3400 – Palo Alto Networks GlobalProtect firewall vulnerability exploited; context: PoC exploit released and used.
  • [Software] Citrix NetScaler – Internet-facing product targeted; context: used as an initial access vector.
  • [Software] F5 BIG-IP – Internet-facing product targeted; context: used as an initial access vector.

Read more: https://www.recordedfuture.com/research/tag-100-uses-open-source-tools-in-suspected-global-espionage-campaign