Carding Forum
Cybercriminals find loopholes in protecting governments.
Cyber espionage group TAG-100 conducted a large-scale attack on public and private organizations around the world, using devices with Internet access and the backdoor Pantegana. Among the victims were two intergovernmental organizations of the Asia-Pacific region and several diplomatic and trade structures.
Insikt Group discovered the campaign, emphasizing that TAG-100 relies on remote access capabilities provided by open source software and exploits various Internet-facing devices to obtain initial access. Such activity demonstrates a growing trend of cyber espionage using open-source tools, which simplifies operations even for less experienced attackers and reduces the need to develop custom tooling.
The attack affected organizations in at least 10 countries across Africa, Asia, North and South America, and Oceania. After gaining access, the group used the Go-based tools Pantegana and SparkRAT:
- The Pantegana backdoor, written in Go, runs on various platforms (Windows, Linux, macOS) and uses HTTPS to communicate with the C2 server. Pantegana supports uploading and downloading files, collecting system information, and executing commands on an infected host.
- The open source Go-based tool SparkRAT runs on Windows, macOS, and Linux and offers remote access features. SparkRAT is capable of performing many actions, including remotely executing PowerShell and Windows system commands, uploading, downloading, and deleting files, and collecting system information.
The targeted devices included Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange, SonicWall, Cisco ASA, Palo Alto Networks GlobalProtect, and Fortinet FortiGate. Of particular concern is the exploitation of vulnerabilities in Internet-facing devices, as they have limited detection and logging capabilities. This reduces the likelihood of detecting attacks after they occur and puts organizations at risk of downtime, reputational damage, and fines.
The report highlights the command injection vulnerability CVE-2024-3400 (CVSS score: 10.0) in Palo Alto Networks GlobalProtect, which, due to an arbitrary file creation flaw in the GlobalProtect feature, allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The bug was used in attacks on devices based mainly in the United States, belonging to various industries, including education, finance, and government agencies.
Organizations should take measures to protect their systems from such attacks. It is recommended to set up intrusion detection and prevention systems to block suspicious IP addresses and domains, monitor all externally accessible services and devices, prioritize the installation of fixes for vulnerabilities, especially those that are already actively exploited, and implement network segmentation and multi-factor authentication.