Tuesday, February 11, 2025

XE Group Shifts From Card Skimming to Supply Chain Attacks


A cybercrime group long associated with credit card theft has expanded into targeted information stealing from supply chain organizations in the manufacturing and distribution sectors.

In some of these new attacks the threat actor, which several vendors track as the XE Group and link to Vietnam, has exploited two zero-day vulnerabilities in VeraCore's warehouse management platform to install web shells for executing a variety of malicious actions.

Zero-Day Exploits in VeraCore

In a joint report this week, researchers from Intezer and Solis described the activity they observed recently as a sign of the heightened threat the group presents to organizations.

“XE Group’s evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication,” the researchers wrote. “By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities.”

XE Group is a possibly Vietnamese threat actor that several vendors, including Malwarebytes, Volexity, and Menlo Security, have tracked for years. The group first surfaced in 2013, and through at least late 2024 was known primarily for leveraging web vulnerabilities to deploy malware for skimming credit card numbers and related data from e-commerce sites.

In June 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) identified XE Group as one of several threat actors exploiting vulnerabilities in Progress Telerik software running on government IIS servers and executing remote commands on them. One of the vulnerabilities that CISA identified in its report (CVE-2017-9248) was the same one that Malwarebytes first observed XE Group exploiting back in 2020 in card skimmer attacks targeting ASP.NET sites. That campaign, as Intezer and Solis noted in their report, was notable for its focus on ASP.NET sites, which were rarely targeted at the time. In 2023, Menlo Security reported seeing XE Group deploying several techniques, including supply chain attacks to deploy card skimmers on websites, and also setting up fake sites for stealing personal information and selling it in underground forums.

What Solis and Intezer have observed now is a continued expansion of the threat actor's activities, exploitation techniques, and malware since then. The group's newer attack tactics include injecting malicious JavaScript into webpages, exploiting vulnerabilities in widely deployed products, and using custom ASPX web shells to maintain access to compromised systems.

XE Group’s Long-Term Cyberattack Goals

In several of the recent attacks, the threat actor has used the two VeraCore zero-days (CVE-2024-57968, an upload validation vulnerability with a CVSS severity score of 9.9; and CVE-2025-25181, a SQL injection flaw with a 5.8 severity score) to deploy several web shells on compromised systems.

“In at least one instance, Solis and Intezer researchers discovered the threat actor had exploited one of the VeraCore vulnerabilities as far back as January 2020 and had maintained persistent access to the victim's compromised environment since then,” according to the joint report. “In 2024, the group reactivated a webshell originally deployed [in January 2020], highlighting their ability to remain undetected and reengage targets. Their ability to maintain persistent access to systems … years after initial deployment, highlights the group's dedication to long-term objectives.”
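The two patterns the report describes, a web shell dropped through an upload flaw and a web shell that sat unused for years before being reactivated, are both visible to a defender who checks two things: whether an upload directory ever serves server-side script, and whether uploaded files carry ASP.NET script markers regardless of their name. The following hunting script is an added example, not code from Intezer, Solis, or VeraCore; the upload URL prefixes, the sample IIS W3C log lines, and the documentation-range IP addresses are all constructed for illustration.

```python
"""Hunt for ASPX web-shell indicators in IIS W3C logs and in uploaded files.

Assumed example (not from the report): the application stores user uploads
under the URL prefixes in UPLOAD_PATH_PREFIXES, so any request that executes
a server-side script from one of those paths deserves an analyst's attention.
"""
import posixpath
import re
from dataclasses import dataclass

# Extensions that IIS hands to the ASP.NET / classic ASP handlers. None of
# these belong in a directory that exists only to receive user uploads.
SERVER_SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asp"}

# Hypothetical upload locations; a real hunt takes these from the app's config.
UPLOAD_PATH_PREFIXES = ("/uploads/", "/attachments/")

# Markers that make a file executable ASP.NET content whatever its file name,
# which catches a shell uploaded under a harmless name and renamed later.
SERVER_SCRIPT_RE = re.compile(
    rb"<%\s*@\s*page|<script[^>]*\brunat\s*=\s*[\"']server[\"']", re.IGNORECASE
)

# Constructed sample of an IIS W3C log (the IPs are documentation ranges).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-referer sc-status sc-substatus sc-win32-status time-taken
2024-11-03 02:14:07 10.0.0.5 POST /uploads/docs/report.aspx - 443 - 203.0.113.9 Mozilla/5.0 - 200 0 0 312
2024-11-03 02:14:09 10.0.0.5 GET /uploads/docs/invoice.pdf - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 14
2024-11-03 02:15:40 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.4 Mozilla/5.0 - 200 0 0 9
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # which rule fired
    detail: str  # the request or file name that triggered it


def parse_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        yield dict(zip(fields, parts))


def hunt_log(lines):
    """Flag requests that execute a server-side script from an upload directory."""
    findings = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        ext = posixpath.splitext(uri)[1]
        if uri.startswith(UPLOAD_PATH_PREFIXES) and ext in SERVER_SCRIPT_EXTS:
            findings.append(Finding(
                "script_in_upload_dir",
                f"{rec['date']} {rec['time']} {rec['c-ip']} {rec['cs-method']} {uri}",
            ))
    return findings


def scan_upload(name, data):
    """Check one uploaded file for an executable extension or embedded server script."""
    findings = []
    if posixpath.splitext(name.lower())[1] in SERVER_SCRIPT_EXTS:
        findings.append(Finding("executable_extension", name))
    if SERVER_SCRIPT_RE.search(data):
        findings.append(Finding("server_script_markers", name))
    return findings


if __name__ == "__main__":
    for f in hunt_log(SAMPLE_IIS_LOG.splitlines()):
        print(f.kind, f.detail)
    for f in scan_upload("quarterly.aspx", b'<%@ Page Language="C#" %>'):
        print(f.kind, f.detail)
```

Run against a real log set, the `hunt_log` rule is what surfaces a long-dormant shell: the file may have been written years earlier, but the moment it is requested again the upload path and the script extension appear together in the access log. The `scan_upload` rule belongs at the upload boundary itself; rejecting both the extension and the content markers, and storing uploads outside the web root, is the mitigation for the class of flaw the report attributes to CVE-2024-57968.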

The XE Group’s recent shift in tactics and targeting is consistent with a broader focus among threat actors on the software supply chain. Though SolarWinds remains perhaps the best-known example, there have been several other significant attacks on widely used software products and services. Examples include attacks on Progress Software's MOVEit file transfer tool, a breach at Okta that affected all of its customers, and a breach at Accellion that allowed attackers to deploy ransomware on some of the company's customers.
