17 July 2024

TAG-100 cyberspies target Citrix, F5, Cisco appliances in at least 10 countries


TAG-100 cyberspies target Citrix, F5, Cisco appliances in at least 10 countries

Recorded Future has uncovered a new Advanced Persistent Threat (APT) group, tracked as TAG-100, which has been targeting internet-facing appliances for cyberespionage operations.

TAG-100 has compromised a wide array of networking equipment, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. This campaign has affected organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. The group's victims include diplomatic, trade, and private sector entities.

The threat actor has employed the Go-based backdoors Pantegana and SparkRAT for post-exploitation. Following the release of a proof-of-concept exploit for the Palo Alto Networks GlobalProtect firewall vulnerability (CVE-2024-3400), TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations, the report said.

TAG-100's reconnaissance and exploitation activities have targeted a wide range of internet-facing appliances in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. Notably, this included targeting multiple Cuban embassies in Bolivia, France, and the United States.

In March 2024, TAG-100 was observed targeting Citrix NetScaler and F5 BIG-IP appliances, as well as Outlook Web App login portals globally. Several targeted organizations were later found communicating with TAG-100’s Pantegana command-and-control servers.

Beginning April 16, 2024, TAG-100 conducted reconnaissance and exploitation activities targeting Palo Alto Networks GlobalProtect appliances, particularly focusing on organizations in the US within the education, finance, legal, local government, and utilities sectors.

In addition to publicly available exploits, TAG-100 has used multiple open-source or offensive security post-exploitation frameworks, including LESLIELOADER, Cobalt Strike, and CrossC2, targeting various operating systems.


Back to the list

Latest Posts

Rockstar 2FA phishing-as-a-service targets Microsoft 365 users with AiTM attacks

Rockstar 2FA phishing-as-a-service targets Microsoft 365 users with AiTM attacks

Rockstar 2FA appears to be an updated version of the DadSec (also known as Phoenix) phishing kit.
2 December 2024
Phishing campaign targeting tax professionals in Ukraine with Litemanager malware

Phishing campaign targeting tax professionals in Ukraine with Litemanager malware

CERT-UA attributes the activity to the financially motivated group UAC-0050.
2 December 2024
Hackers steal $17M from Uganda's central bank

Hackers steal $17M from Uganda's central bank

The attackers breached the central bank’s IT systems earlier this month and transferred the funds to various accounts.
2 December 2024