Attacks exploiting known security flaws impacting internet-facing systems, including Microsoft Exchange Server, SonicWall, and F5 BIG-IP instances, as well as the open-source Pantegana and Spark RAT backdoors have been deployed by the new TAG-100 threat operation as part of a cyberespionage campaign against private and government organizations in the U.S. and other parts of the world, according to The Hacker News.
TAG-100 further intensified the targeting of U.S. organizations in mid-April with reconnaissance intrusions leveraging the maximum severity remote code execution flaw impacting Palo Alto Networks GlobalProtect firewalls, tracked as CVE-2024-3400, facilitating Pantegana, SparkRAT, and Cobalt Strike Beacon deployment, an analysis from Recorded Future's Insikt Group revealed.
"The widespread targeting of internet-facing appliances is particularly attractive because it offers a foothold within the targeted network via products that often have limited visibility, logging capabilities, and support for traditional security solutions, reducing the risk of detection post-exploitation," said Recorded Future researchers.