A cybercrime group long associated with credit card theft has expanded into targeted information stealing from supply chain organizations in the manufacturing and distribution sectors.
In some of these new attacks the threat actor, whom several vendors track as the XE Group and link to Vietnam, has exploited two zero-day vulnerabilities in VeraCore’s warehouse management platform to install Web shells for executing a variety of malicious actions.
Zero-Day Exploits in VeraCore
In a joint report this week, researchers from Intezer and Solis described the activity they observed recently as a sign of the heightened threat the group presents to organizations.
“XE Group’s evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication,” the researchers wrote. “By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities.”
XE Group is a likely Vietnamese threat actor that several vendors, including Malwarebytes, Volexity, and Menlo Security, have tracked for years. The group first surfaced in 2013, and through at least late 2024 was known primarily for leveraging Web vulnerabilities to deploy malware for skimming credit card numbers and related data from e-commerce sites.
In June 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) identified XE Group as one of several threat actors exploiting vulnerabilities in Progress Telerik software running on government IIS servers and executing remote commands on them. One of the vulnerabilities that CISA identified in its report (CVE-2017-9248) was the same one that Malwarebytes first observed XE Group exploiting back in 2020 in card skimmer attacks targeting ASP.NET sites. That campaign, as Intezer and Solis noted in their report, was notable for its focus on ASP.NET sites, which were rarely targeted at the time. In 2023, Menlo Security reported seeing XE Group deploying several techniques, including supply chain attacks to deploy card skimmers on websites, and also setting up fake sites for stealing personal information and selling it in underground forums.
What Solis and Intezer have observed now is a continued expansion of the threat actor’s activities, exploitation techniques, and malware since then. The group’s newer attack tactics include injecting malicious JavaScript into webpages, exploiting vulnerabilities in widely deployed products, and using custom ASPX Web shells to maintain access to compromised systems.
XE Group’s Long-Term Cyberattack Targets
In several of the recent attacks, the threat actor has used the two VeraCore zero-days (CVE-2024-57968, an upload validation vulnerability with a CVSS severity score of 9.9; and CVE-2025-25181, a SQL injection flaw with a 5.8 severity score) to deploy several Web shells on compromised systems.
“In at least one instance, Solis and Intezer researchers discovered the threat actor had exploited one of the VeraCore vulnerabilities as far back as January 2020 and had maintained persistent access to the victim’s compromised environment since then,” according to the joint report. “In 2024, the group reactivated a webshell initially deployed [in January 2020], highlighting their ability to remain undetected and reengage targets. Their ability to maintain persistent access to systems … years after initial deployment, highlights the group’s commitment to long-term objectives.”
The XE Group’s recent shift in tactics and targeting is consistent with a broader focus among threat actors on the software supply chain. Though SolarWinds remains perhaps the best known example, there have been several other significant attacks on widely used software products and services. Examples include attacks on Progress Software’s MOVEit file transfer tool, a breach at Okta that affected all of its customers, and a breach at Accellion that allowed attackers to deploy ransomware on some of the company’s customers.