Sunday, December 8, 2024
HomeCyber AttackTAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Published on

SIEM as a Service

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making them easy to modify and deploy. 

Besides this, open-source tools can be customized to evade detection, automate tasks, and leverage existing vulnerabilities, enabling threat actors to conduct sophisticated attacks efficiently.

Recorded Future’s Insikt Group uncovered a new cyber-espionage campaign, dubbed TAG-100, targeting high-profile organizations globally.

- Advertisement - SIEM as a Service

TAG-100 Actors & Open-Source Tools

The group takes advantage of internet-facing appliances and employs open-source tools such as Pantegana backdoor, a trend that features weaponized PoC exploits combined with open-source frameworks.

Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo

Such an approach simplifies entry for less capable actors and enables more advanced groups to hide their tracks.

However, they remain attractive to attackers since only a few security measures have been put in place despite global efforts to fix vulnerabilities on internet-facing devices.

Researchers discovered the victim organizations in the following countries:-

  • Cambodia
  • Djibouti
  • The Dominican Republic
  • Fiji
  • Indonesia
  • Netherlands
  • Taiwan
  • The United Kingdom
  • The United States
  • Vietnam
Geographical breakdown of TAG-100 targeting and victimology (Source – Recorded Future)

Some of the recommendations made to organizations include operationalizing intelligence-led patching, increasing attack surfaces, and enhancing defense-in-depth measures.

Open-source tools will continue to be used more frequently by state-sponsored actors who may contract out to proxy groups, leading to rising cyber threats overall.

Since February 2024, TAG-100, a group of cyber spies, has been attacking organizations from ten countries ranging from governments to intergovernmental and private sectors.

The researchers found that the gang uses various internet-facing appliances, including Citrix NetScaler, Zimbra, and Microsoft Exchange.

Overview of TAG-100 operations (Source – Recorded Future)

Noteworthy targets include Southeast Asian and Oceanian intergovernmental organizations, foreign ministries, embassies, religious groups as well as semiconductor companies.

By March TAG-100 was in at least fifteen countries with a major focus on Cuban Embassies. Overlapping with the CVE-2024-3400 exploit release in April they targeted Palo Alto Networks GlobalProtect appliances.

This group’s reliance on publicly available exploits like those used for Zimbra (CVE-2019-9621) reveals their initiative in the domain of cyber espionage.

TAG-100 combines open-source post-exploitation frameworks like Pantegana, SparkRAT, LESLIELOADER, Cobalt Strike, and CrossC2 with various public exploits.

This is evident in their targets’ profiles, which include national governments, religious institutions, and intergovernmental agencies.

Besides utilizing CloudFlare CDN for C2 communication and ExpressVPN to manage its services, the group has been seen employing self-signed TLS certificates.

Although some of the targets tended to overlap with previous China-sponsored operations, TAG-100 makes it difficult to attribute using off-the-shelf tools and unique modes of operation.

The activities linked to this group’s attacks that have been observed since at least November 2023 are indicative of the changing cyber threat landscape where basic operational security strategies fuse with easily accessible tools.

Mitigations

Here below we have mentioned all the mitigations:-

  • Configure IDS/IPS to alert on and potentially block connections to known malicious IP addresses and domains.
  • Implement robust monitoring for external-facing services and devices.
  • Watch for post-exploitation activities like web shells, backdoors, or lateral movement.
  • Prioritize patching high-risk vulnerabilities, especially RCE in external-facing appliances.
  • Implement network segmentation and multi-factor authentication for sensitive information.
  • Use threat intelligence to detect and block malicious infrastructure in real-time.
  • Monitor third-party vendors and partners for potential intrusion activity.
  • Utilize Malicious Traffic Analysis to monitor communications with known C2 servers proactively.

IoCs

IoCs (Source – Recorded Future)

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...

Russian BlueAlpha APT Exploits Cloudflare Tunnels to Distribute Custom Malware

BlueAlpha, a Russian state-sponsored group, is actively targeting Ukrainian individuals and organizations by using...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

DaMAgeCard Attack – New SD Card Attack Lets Hackers Directly Access System Memory

Security researchers have identified a significant vulnerability dubbed "DaMAgeCard Attack" in the new SD...

Deloitte Denies Breach, Claims Only Single System Affected

Ransomware group Brain Cipher claimed to have breached Deloitte UK and threatened to publish...

Top Five Industries Most Frequently Targeted by Phishing Attacks

Researchers analyzed phishing attacks from Q3 2023 to Q3 2024 and identified the top...