Saturday, February 22, 2025

XE Group Shifts From Card Skimming to Supply Chain Attacks


A cybercrime group long associated with credit card theft has expanded into targeted information stealing from supply chain organizations in the manufacturing and distribution sectors.

In some of these new attacks the threat actor, whom several vendors track as the XE Group and link to Vietnam, has exploited two zero-day vulnerabilities in VeraCore's warehouse management platform to install web shells for executing a variety of malicious actions.

Zero-Day Exploits in VeraCore

In a joint report this week, researchers from Intezer and Solis described the activity they observed recently as a sign of the heightened threat the group presents to organizations.

"XE Group's evolution from credit card skimming operations to exploiting zero-day vulnerabilities underscores their adaptability and growing sophistication," the researchers wrote. "By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities."

XE Group is a likely Vietnamese threat actor that several vendors, including Malwarebytes, Volexity, and Menlo Security, have tracked for years. The group first surfaced in 2013, and through at least late 2024 was known primarily for leveraging web vulnerabilities to deploy malware for skimming credit card numbers and related data from e-commerce sites.

In June 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) identified XE Group as one of several threat actors exploiting vulnerabilities in Progress Telerik software running on government IIS servers and executing remote commands on them. One of the vulnerabilities that CISA identified in its report (CVE-2017-9248) was the same one that Malwarebytes first observed XE Group exploiting back in 2020 in card skimmer attacks targeting ASP.NET sites. That campaign, as Intezer and Solis noted in their report, was notable for its focus on ASP.NET sites, which were rarely targeted at the time. In 2023, Menlo Security reported seeing XE Group deploying several techniques, including supply chain attacks to deploy card skimmers on websites, and also setting up fake sites for stealing personal information and selling it in underground forums.

What Solis and Intezer have observed now is a continued expansion of the threat actor's activities, exploitation methods, and malware since then. The group's newer attack tactics include injecting malicious JavaScript into webpages, exploiting vulnerabilities in widely deployed products, and using custom ASPX web shells to maintain access to compromised systems.

XE Group's Long-Term Cyberattack Goals

In several of the recent attacks, the threat actor has used the two VeraCore zero-days (CVE-2024-57968, an upload validation vulnerability with a CVSS severity score of 9.9; and CVE-2025-25181, a SQL injection flaw with a 5.8 severity score) to deploy several web shells on compromised systems.
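The higher-rated of the two flaws is an upload validation weakness, the class of bug that lets an attacker write a server-executable file (an ASPX web shell, in this case) through a feature meant for documents or images. The following is an added illustration of what a hardened upload check looks like for an ASP.NET/IIS-hosted application; it is example code written for this article, not VeraCore's code or a description of the patched behaviour, and the allowlist, magic-byte table and filename rules are assumptions chosen for the example.

```python
import os
import re
import secrets

# Constructed allowlist: the file types a document/image upload endpoint is
# assumed to accept. Anything else is rejected rather than denylisted.
ALLOWED_EXTENSIONS = {".pdf", ".csv", ".png", ".jpg"}

# Leading bytes for the binary types above, so the extension alone is never
# trusted (a file named photo.jpg that starts with an ASP directive is refused).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}

# Extensions IIS/ASP.NET will execute or act on. None of these may appear
# anywhere in the name, including as a middle extension (shell.aspx.jpg).
SERVER_EXECUTABLE = {
    ".aspx", ".asp", ".ashx", ".asmx", ".asax", ".cshtml",
    ".svc", ".soap", ".config",
}

# One path component, alphanumeric start, no separators, no ';' or NUL tricks.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects anything that could become a web shell."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename or not SAFE_NAME.match(base):
        return False, "unsafe filename"

    parts = base.lower().split(".")
    if len(parts) < 2:
        return False, "missing extension"

    # Every dotted segment after the stem is checked, not just the last one.
    if {"." + p for p in parts[1:]} & SERVER_EXECUTABLE:
        return False, "server-executable extension"

    ext = "." + parts[-1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowlisted"

    signatures = MAGIC.get(ext)
    if signatures and not any(content.startswith(s) for s in signatures):
        return False, "content does not match extension"

    # Text formats get a cheap check for ASP/ASPX script markers.
    if ext == ".csv" and b"<%" in content:
        return False, "server-side script markers in text upload"

    return True, "ok"


def stored_path(upload_root: str, accepted_ext: str) -> str:
    """Random server-chosen name under a directory outside the web root
    (assumed to be non-executable and served only through a download handler),
    so the client never controls where or under what name the bytes land."""
    return os.path.join(upload_root, secrets.token_hex(16) + accepted_ext)


if __name__ == "__main__":
    # Constructed sample uploads, not real artifacts from the reported attacks.
    samples = [
        ("invoice.pdf", b"%PDF-1.7\n%..."),
        ("shell.aspx", b"<%@ Page Language=\"C#\" %>"),
        ("shell.aspx.jpg", b"\xff\xd8\xff\xe0"),
        ("..\\shell.pdf", b"%PDF-1.4"),
        ("photo.jpg", b"<%@ Page %>"),
    ]
    for name, data in samples:
        ok, why = validate_upload(name, data)
        print(f"{name:18} -> {'ACCEPT' if ok else 'REJECT'} ({why})")
```

The two points a reviewer would look for are that the check is an allowlist in both dimensions (extension and content) and that the client-supplied name never reaches the filesystem; a denylist of `.aspx` alone misses the double-extension and path-traversal variants that `validate_upload` rejects above.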

"In at least one instance, Solis and Intezer researchers discovered the threat actor had exploited one of the VeraCore vulnerabilities as far back as January 2020 and had maintained persistent access to the victim's compromised environment since then," according to the joint report. "In 2024, the group reactivated a webshell initially deployed [in January 2020], highlighting their ability to remain undetected and reengage targets. Their ability to maintain persistent access to systems … years after initial deployment, highlights the group's commitment to long-term objectives."

The XE Group's recent shift in tactics and targeting is consistent with a broader focus among threat actors on the software supply chain. Though SolarWinds remains perhaps the best known example, there have been several other significant attacks on widely used software products and services. Examples include attacks on Progress Software's MOVEit file transfer tool, a breach at Okta that affected all of its customers, and a breach at Accellion that allowed attackers to deploy ransomware on some of the company's customers.
