TAG-100: New Threat Actor Uses Open-Source Tools for Widespread Attacks

Jul 18, 2024  Newsroom  Open-Source / Cybercrime

Unknown threat actors have been observed using open-source tools as part of a suspected cyber espionage campaign targeting global government and private sector organizations.

Recorded Future's Insikt Group is tracking the activity under the temporary name TAG-100, noting that the adversary likely compromised organizations in at least ten countries across Africa, Asia, North America, South America, and Oceania, including two unnamed Asia-Pacific intergovernmental organizations.

Also targeted since February 2024 are diplomatic, government, semiconductor supply-chain, non-profit, and religious entities located in Cambodia, Djibouti, the Dominican Republic, Fiji, Indonesia, the Netherlands, Taiwan, the U.K., the U.S., and Vietnam.


"TAG-100 deploys open-source remote access capabilities and exploits various internet-facing devices for initial access," the cybersecurity company said. "The group used the open-source Go backdoors Pantegana and Spark RAT post-exploitation."

Attack chains involve the exploitation of known security flaws in a range of internet-facing products, including Citrix NetScaler, F5 BIG-IP, Zimbra, Microsoft Exchange Server, SonicWall, Cisco Adaptive Security Appliances (ASA), Palo Alto Networks GlobalProtect, and Fortinet FortiGate.

The group has also been observed conducting wide-ranging reconnaissance against internet-facing devices belonging to organizations in at least fifteen countries, including Cuba, France, Italy, Japan, and Malaysia. This also included several Cuban embassies in Bolivia, France, and the U.S.


"Starting on April 16, 2024, TAG-100 conducted probable reconnaissance and exploitation activity targeting Palo Alto Networks GlobalProtect devices of organizations, predominantly in the U.S., across the education, finance, legal, local government, and utilities sectors," the company said.

This activity is said to have coincided with the public release of a proof-of-concept (PoC) exploit for CVE-2024-3400 (CVSS score: 10.0), a critical remote code execution vulnerability affecting Palo Alto Networks GlobalProtect firewalls.

Successful initial access is followed by the deployment of Pantegana, Spark RAT, and Cobalt Strike Beacon on the compromised hosts.

The findings show how PoC exploits can be combined with open-source programs to orchestrate attacks, effectively lowering the barrier to entry for less sophisticated threat actors. Such an approach also helps adversaries complicate attribution efforts and evade detection, since the tooling is shared by many unrelated operators.

“The extensive targeting of internet-facing appliances is particularly appealing because it offers an entry point into the targeted network through products often lacking visibility, logging capabilities, and support for conventional security solutions, minimizing the detection risk post-exploitation,” Recorded Future remarked.
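The visibility gap Recorded Future describes is usually closed from outside the appliance: the device may not log its own compromise, but a network that sees it open unexpected connections can. The following Python script is an added example, not code from the report or the article, and not a Recorded Future detection. It flags outbound connections initiated by edge appliances to destinations outside an allowlist and marks repeated connections with a near-constant interval, the callback rhythm typical of implants like the RATs and Beacons named above. The flow record format (timestamp, source, destination, destination port, bytes), the appliance addresses, the allowlist networks and the sample records are all constructed for illustration.

```python
"""Compensating detection for edge appliances that lack host-level logging.

Added example, not code from the Recorded Future report or the article above.
Flow records, appliance addresses and the allowlist are constructed for
illustration; the record format (timestamp src dst dst_port bytes) is assumed.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed: egress addresses of the organisation's internet-facing appliances.
APPLIANCES = {
    "203.0.113.10": "GlobalProtect gateway",
    "203.0.113.20": "FortiGate firewall",
}

# Constructed: destinations an appliance legitimately reaches on its own
# (vendor update and licensing services, internal NTP/syslog). Hypothetical networks.
ALLOWED_DESTS = [ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port bytes".
SAMPLE_FLOWS = """
# 203.0.113.10 calling the same external host every ~60 s: a beacon pattern
2024-07-18T12:00:00 203.0.113.10 192.0.2.55 443 1180
2024-07-18T12:01:01 203.0.113.10 192.0.2.55 443 1164
2024-07-18T12:02:00 203.0.113.10 192.0.2.55 443 1172
2024-07-18T12:03:02 203.0.113.10 192.0.2.55 443 1180
2024-07-18T12:04:01 203.0.113.10 192.0.2.55 443 1168
# Expected vendor/update traffic: allowlisted, not reported
2024-07-18T12:00:30 203.0.113.20 198.51.100.7 443 8822
# One-off connection to an unknown host: reported, but no interval pattern
2024-07-18T12:02:45 203.0.113.20 192.0.2.99 8443 3021
# An ordinary workstation: not an appliance, ignored by this check
2024-07-18T12:03:10 10.1.2.3 192.0.2.55 443 940
""".strip().splitlines()


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "bytes": int(nbytes)}


def is_allowed(dst):
    """True if the destination falls inside an allowlisted network."""
    return any(ip_address(dst) in net for net in ALLOWED_DESTS)


def suspicious_outbound(lines, min_hits=4, max_jitter=0.2):
    """Report appliance-initiated connections to non-allowlisted destinations.

    A (src, dst, port) tuple seen at least ``min_hits`` times with a nearly
    constant interval (coefficient of variation below ``max_jitter``) is marked
    as a likely automated callback.
    """
    seen = defaultdict(list)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow["src"] in APPLIANCES and not is_allowed(flow["dst"]):
            seen[(flow["src"], flow["dst"], flow["port"])].append(flow["ts"])

    findings = []
    for (src, dst, port), times in sorted(seen.items()):
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        beacon = False
        if len(times) >= min_hits:
            avg = mean(gaps)
            beacon = avg > 0 and pstdev(gaps) / avg < max_jitter
        findings.append({"src": src, "appliance": APPLIANCES[src], "dst": dst,
                         "port": port, "hits": len(times), "beacon": beacon})
    return findings


if __name__ == "__main__":
    for f in suspicious_outbound(SAMPLE_FLOWS):
        flag = "BEACON-LIKE" if f["beacon"] else "unexpected"
        print(f"{flag:11} {f['appliance']} {f['src']} -> {f['dst']}:{f['port']} ({f['hits']} hits)")
```

On the constructed records the script reports the GlobalProtect gateway's five connections to 192.0.2.55 as beacon-like and the FortiGate's single connection to 192.0.2.99 as merely unexpected; the allowlisted vendor traffic and the workstation flow are ignored. In practice the appliance list comes from the asset inventory and the allowlist from the vendor's published update endpoints, and the jitter threshold should be tuned against a baseline period, since some implants deliberately randomise their sleep interval.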
