Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making them easy to modify and deploy.
Besides this, open-source tools can be customized to evade detection, automate tasks, and leverage existing vulnerabilities, enabling threat actors to conduct sophisticated attacks efficiently.
Recorded Future’s Insikt Group uncovered a new cyber-espionage campaign, dubbed TAG-100, targeting high-profile organizations globally.
The group takes advantage of internet-facing appliances and employs open-source tools such as Pantegana backdoor, a trend that features weaponized PoC exploits combined with open-source frameworks.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
Such an approach simplifies entry for less capable actors and enables more advanced groups to hide their tracks.
However, they remain attractive to attackers since only a few security measures have been put in place despite global efforts to fix vulnerabilities on internet-facing devices.
Researchers discovered the victim organizations in the following countries:-
Some of the recommendations made to organizations include operationalizing intelligence-led patching, increasing attack surfaces, and enhancing defense-in-depth measures.
Open-source tools will continue to be used more frequently by state-sponsored actors who may contract out to proxy groups, leading to rising cyber threats overall.
Since February 2024, TAG-100, a group of cyber spies, has been attacking organizations from ten countries ranging from governments to intergovernmental and private sectors.
The researchers found that the gang uses various internet-facing appliances, including Citrix NetScaler, Zimbra, and Microsoft Exchange.
Noteworthy targets include Southeast Asian and Oceanian intergovernmental organizations, foreign ministries, embassies, religious groups as well as semiconductor companies.
By March TAG-100 was in at least fifteen countries with a major focus on Cuban Embassies. Overlapping with the CVE-2024-3400 exploit release in April they targeted Palo Alto Networks GlobalProtect appliances.
This group’s reliance on publicly available exploits like those used for Zimbra (CVE-2019-9621) reveals their initiative in the domain of cyber espionage.
TAG-100 combines open-source post-exploitation frameworks like Pantegana, SparkRAT, LESLIELOADER, Cobalt Strike, and CrossC2 with various public exploits.
This is evident in their targets’ profiles, which include national governments, religious institutions, and intergovernmental agencies.
Besides utilizing CloudFlare CDN for C2 communication and ExpressVPN to manage its services, the group has been seen employing self-signed TLS certificates.
Although some of the targets tended to overlap with previous China-sponsored operations, TAG-100 makes it difficult to attribute using off-the-shelf tools and unique modes of operation.
The activities linked to this group’s attacks that have been observed since at least November 2023 are indicative of the changing cyber threat landscape where basic operational security strategies fuse with easily accessible tools.
Here below we have mentioned all the mitigations:-
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
In a significant development, the Trump administration is reportedly formulating a plan to prevent a…
IBM has announced the resolution of several security vulnerabilities affecting its IBM Security Directory Integrator…
A new security vulnerability has been uncovered in Apache Solr, affecting versions 6.6 through 9.7.0.…
A cybersecurity researcher recently disclosed several critical vulnerabilities affecting Git-related projects, revealing how improper handling…
Researchers from IIT Kharagpur and Intel Corporation have identified a significant security vulnerability in Intel…
Burp Suite 2025.1, is packed with new features and enhancements designed to improve your web…