Hackers often exploit open-source tools as a means to conduct cyber-espionage campaigns targeting high-profile organizations globally. This approach lets them take advantage of readily available tools, well-documented resources, and widespread community support, making attacks easy to customize and deploy. Recorded Future’s Insikt Group recently uncovered a new campaign by a group it tracks as TAG-100, which uses open-source tools such as the Pantegana backdoor to execute sophisticated attacks.
The use of open-source tools enables threat actors to evade detection, automate tasks, and leverage existing vulnerabilities effectively. This strategy, combining weaponized PoC exploits with open-source frameworks, simplifies access for less capable actors while enabling more advanced groups to conceal their activities. Despite global efforts to address vulnerabilities in internet-facing devices, the lack of robust security measures continues to make them attractive targets for cyber attackers.
Researchers identified victim organizations in countries like Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the United Kingdom, the United States, and Vietnam. The recommendations put forth for organizations include intelligence-led patching, increasing attack surface awareness, and enhancing defense-in-depth measures to mitigate cyber threats. It is anticipated that state-sponsored actors will increasingly employ open-source tools, potentially subcontracting to proxy groups, leading to a rise in cybersecurity challenges.
TAG-100, a cyber espionage group, has been actively targeting organizations since February 2024 across various sectors like governments, intergovernmental bodies, and the private sector. They have been observed using internet-facing appliances like Citrix NetScaler, Zimbra, and Microsoft Exchange. Potential targets include intergovernmental organizations in Southeast Asia and Oceania, foreign ministries, embassies, religious groups, and semiconductor companies.
TAG-100’s tactics combine open-source post-exploitation frameworks such as Pantegana, SparkRAT, LESLIELOADER, Cobalt Strike, and CrossC2 with public exploits. Although the activity overlaps with previous China-sponsored operations, the group’s reliance on publicly available exploits such as Zimbra’s CVE-2019-9621 underscores its cyber-espionage capabilities. Its use of the Cloudflare CDN, ExpressVPN, and self-signed TLS certificates is a distinctive operational pattern that further complicates attribution.
The group’s attacks since November 2023 reflect a shift in the cyber threat landscape where accessible tools and basic operational security strategies converge. Mitigation strategies recommended include configuring IDS/IPS to block malicious connections, robust monitoring of external-facing services, and prioritizing the patching of critical vulnerabilities. Implementing network segmentation, multi-factor authentication, and leveraging threat intelligence are essential steps to enhance cybersecurity defenses against such sophisticated attacks.
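The monitoring recommendation above is easiest to act on as a concrete detection. The following script is an added example (not from the Insikt Group report or any TAG-100 tooling) that ties together two points the article makes: internet-facing appliances such as Exchange, Zimbra and NetScaler are the entry point, and the operators lean on self-signed TLS certificates. It parses Zeek-style `ssl.log` lines and flags outbound TLS sessions from an appliance to an external host that presents a self-signed certificate, which is what a compromised appliance beaconing to a command-and-control server with a throwaway certificate tends to look like. The log lines, the appliance inventory, the internal address ranges and all IP addresses are constructed placeholders; the `validation_status` column assumes Zeek's certificate-validation policy script is loaded.

```python
"""Flag TLS sessions from internet-facing appliances to external hosts that
present self-signed certificates, using Zeek-style ssl.log lines.
Example code; the log sample, hosts and addresses below are constructed."""
import ipaddress
from typing import Dict, List

# Constructed: the organisation's own address space. Anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: internet-facing appliances of the kind named in the report,
# keyed by internal address. Outbound TLS from these boxes deserves scrutiny.
APPLIANCES = {
    "10.0.5.10": "exchange-01",
    "10.0.5.11": "zimbra-01",
    "10.0.5.12": "netscaler-01",
}

# Constructed sample shaped like a Zeek ssl.log: tab-separated with a #fields
# header. TLS 1.2 only, since Zeek cannot see certificates in TLS 1.3 sessions.
SAMPLE_SSL_LOG = (
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\t"
    "server_name\tsubject\tissuer\tvalidation_status\n"
    "1718000000.1\t10.0.5.10\t51234\t203.0.113.7\t443\tTLSv12\t-\t"
    "CN=localhost\tCN=localhost\tself signed certificate\n"
    "1718000001.2\t10.0.5.10\t51235\t198.51.100.20\t443\tTLSv12\tupdates.example\t"
    "CN=updates.example\tCN=Example Root CA\tok\n"
    "1718000002.3\t10.0.9.4\t40001\t10.0.9.5\t8443\tTLSv12\t-\t"
    "CN=intranet.local\tCN=intranet.local\tself signed certificate\n"
    "1718000003.4\t10.0.5.11\t51300\t203.0.113.9\t8443\tTLSv12\t-\t"
    "CN=srv\tCN=srv\tself signed certificate\n"
)


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated Zeek-style log, mapping columns via its #fields header."""
    fields = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log has no #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            continue  # skip malformed lines rather than mis-align columns
        records.append(dict(zip(fields, values)))
    return records


def is_external(ip: str) -> bool:
    """True when the address lies outside the organisation's own ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def is_self_signed(rec: Dict[str, str]) -> bool:
    """Use Zeek's OpenSSL verify string when present; fall back to subject == issuer."""
    if "self signed" in rec.get("validation_status", "-"):
        return True
    subject, issuer = rec.get("subject", "-"), rec.get("issuer", "-")
    return subject != "-" and subject == issuer


def find_suspicious(records: List[Dict[str, str]],
                    appliances: Dict[str, str] = APPLIANCES) -> List[Dict[str, str]]:
    """Return one finding per appliance-to-external session with a self-signed cert."""
    findings = []
    for rec in records:
        src = rec["id.orig_h"]
        if src not in appliances or not is_external(rec["id.resp_h"]):
            continue
        if not is_self_signed(rec):
            continue
        findings.append({
            "appliance": appliances[src],
            "src": src,
            "dst": f'{rec["id.resp_h"]}:{rec["id.resp_p"]}',
            "sni": rec.get("server_name", "-"),
            "subject": rec.get("subject", "-"),
            "reason": "outbound TLS to external host with self-signed certificate",
        })
    return findings


def main() -> None:
    for f in find_suspicious(parse_zeek_log(SAMPLE_SSL_LOG)):
        print(f"[ALERT] {f['appliance']} ({f['src']}) -> {f['dst']} "
              f"sni={f['sni']} subject={f['subject']}: {f['reason']}")


if __name__ == "__main__":
    main()
```

Run against the constructed sample, the script alerts on the two sessions from `exchange-01` and `zimbra-01` to outside hosts, ignores the legitimately signed update check, and ignores the self-signed session between two internal hosts. In production the same logic would read the live `ssl.log`, the appliance inventory would come from the asset register, and a hit would be triaged rather than blocked outright, since some appliances also talk to vendor endpoints that use private CAs.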
IoCs identified in connection with TAG-100’s operations provide valuable insights for organizations to monitor and detect malicious activities. These indicators offer a proactive approach to identifying potential threats and defending against cyber intrusions. As cyber threats evolve, it is crucial for organizations to stay vigilant, implement best practices, and leverage advanced security technologies to safeguard their digital assets from malicious actors.