Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making them easy to modify and deploy.
Besides this, open-source tools can be customized to evade detection, automate tasks, and leverage existing vulnerabilities, enabling threat actors to conduct sophisticated attacks efficiently.
Recorded Future’s Insikt Group uncovered a new cyber-espionage campaign, dubbed TAG-100, targeting high-profile organizations globally.
The group takes advantage of internet-facing appliances and employs open-source tools such as Pantegana backdoor, a trend that features weaponized PoC exploits combined with open-source frameworks.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
Such an approach simplifies entry for less capable actors and enables more advanced groups to hide their tracks.
However, they remain attractive to attackers since only a few security measures have been put in place despite global efforts to fix vulnerabilities on internet-facing devices.
Researchers discovered the victim organizations in the following countries:-
Some of the recommendations made to organizations include operationalizing intelligence-led patching, increasing attack surfaces, and enhancing defense-in-depth measures.
Open-source tools will continue to be used more frequently by state-sponsored actors who may contract out to proxy groups, leading to rising cyber threats overall.
Since February 2024, TAG-100, a group of cyber spies, has been attacking organizations from ten countries ranging from governments to intergovernmental and private sectors.
The researchers found that the gang uses various internet-facing appliances, including Citrix NetScaler, Zimbra, and Microsoft Exchange.
Noteworthy targets include Southeast Asian and Oceanian intergovernmental organizations, foreign ministries, embassies, religious groups as well as semiconductor companies.
By March TAG-100 was in at least fifteen countries with a major focus on Cuban Embassies. Overlapping with the CVE-2024-3400 exploit release in April they targeted Palo Alto Networks GlobalProtect appliances.
This group’s reliance on publicly available exploits like those used for Zimbra (CVE-2019-9621) reveals their initiative in the domain of cyber espionage.
TAG-100 combines open-source post-exploitation frameworks like Pantegana, SparkRAT, LESLIELOADER, Cobalt Strike, and CrossC2 with various public exploits.
This is evident in their targets’ profiles, which include national governments, religious institutions, and intergovernmental agencies.
Besides utilizing CloudFlare CDN for C2 communication and ExpressVPN to manage its services, the group has been seen employing self-signed TLS certificates.
Although some of the targets tended to overlap with previous China-sponsored operations, TAG-100 makes it difficult to attribute using off-the-shelf tools and unique modes of operation.
The activities linked to this group’s attacks that have been observed since at least November 2023 are indicative of the changing cyber threat landscape where basic operational security strategies fuse with easily accessible tools.
Here below we have mentioned all the mitigations:-
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.
Cybercriminals have begun openly marketing a powerful new variant of the HiddenMiner malware on underground…
Security researchers at Shelltrail have discovered three significant vulnerabilities in the IXON VPN client that…
Jeffrey Bowie, the CEO of a local cybersecurity firm, has been arrested for allegedly planting…
Digital forensics has become a cornerstone of modern cybersecurity strategies, moving beyond its traditional role…
In the current digital landscape, Chief Information Security Officers (CISOs) are under mounting pressure to…
Two significant security vulnerabilities in generative AI systems have been discovered, allowing attackers to bypass…