Recorded Future has uncovered a new Advanced Persistent Threat (APT) group, tracked as TAG-100, which has been targeting internet-facing appliances for cyberespionage operations.
TAG-100 has compromised a wide array of networking equipment, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. This campaign has affected organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania. The group's victims include diplomatic, trade, and private sector entities.
The threat actor has employed the Go-based backdoors Pantegana and SparkRAT for post-exploitation. Following the release of a proof-of-concept exploit for the Palo Alto Networks GlobalProtect firewall vulnerability (CVE-2024-3400), TAG-100 conducted reconnaissance and attempted exploitation against dozens of US-based organizations, the report said.
TAG-100's reconnaissance and exploitation activities have targeted a wide range of internet-facing appliances in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. Notably, this included targeting multiple Cuban embassies in Bolivia, France, and the United States.
In March 2024, TAG-100 was observed targeting Citrix NetScaler and F5 BIG-IP appliances, as well as Outlook Web App login portals globally. Several targeted organizations were later found communicating with TAG-100’s Pantegana command-and-control servers.
Beginning April 16, 2024, TAG-100 conducted reconnaissance and exploitation activities targeting Palo Alto Networks GlobalProtect appliances, particularly focusing on organizations in the US within the education, finance, legal, local government, and utilities sectors.
In addition to publicly available exploits, TAG-100 has used multiple open-source or offensive security post-exploitation frameworks, including LESLIELOADER, Cobalt Strike, and CrossC2, targeting various operating systems.