XE Group, a cybercriminal organization active for over ten years, has significantly altered its operational methods. Having moved on from credit-card skimming, it now exploits previously unknown software vulnerabilities, heightening risks across global supply chains. This strategic shift underscores the evolving nature of cyber threats targeting critical sectors such as manufacturing and distribution.
Earlier investigations identified XE Group in 2013 as a threat to e-commerce platforms through credit-card fraud. Their persistent activity over the years reveals a pattern of adapting to new vulnerabilities, such as those in widely used tools like Telerik UI for ASP.NET, and expanding their attack vectors, reflecting their ability to stay ahead of cybersecurity measures.
What are XE Group’s Current Tactics?
XE Group now leverages zero-day vulnerabilities in VeraCore, a supply chain management tool, allowing them to infiltrate systems and steal sensitive information. Their use of sophisticated malware like Meterpreter and PowerShell-based payloads enables long-term system access and covert communication channels.
“These recent discoveries highlight that XE Group is not only active but evolving,” the blog reads. “The group’s ability to exploit unknown vulnerabilities and sustain prolonged access to targeted systems reflects a significant shift in their operational strategy.”
How has XE Group’s Targeting Evolved?
Initially targeting e-commerce platforms with credit-card skimmers, the group has redirected its focus towards industries reliant on supply chain management software. This broader targeting increases their potential impact on global supply chains, particularly within manufacturing and distribution sectors.
Which Vulnerabilities is XE Group Exploiting?
The organization exploited an upload validation flaw and a SQL injection flaw in VeraCore, granting unauthorized system access and enabling data exfiltration. While a temporary fix for the upload validation flaw has been implemented by VeraCore’s parent company, Advantive, the SQL injection flaw remains unpatched.
An Intezer representative stated that CVEs for the vulnerabilities will be released shortly after final validation from MITRE.
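The two flaw classes named above, weak upload validation and SQL injection, are both well understood and both have standard fixes. The following Python snippet is an added illustration, not VeraCore's code and not taken from the Intezer research: it shows an upload-name check that rejects server-executable types, path components and double extensions, and a string-concatenated query next to its parameterized form, using a constructed in-memory SQLite table (the `orders` table, its columns, the allowlist and all sample inputs are assumptions made for the example).

```python
"""Hardened handling of the two flaw classes named in the article: file-upload
validation and SQL injection. Added example in Python; the table, column names,
extension allowlist and sample inputs are constructed for illustration and do
not describe VeraCore's implementation."""
import os
import re
import sqlite3
from typing import List, Optional

# Assumed allowlist for an upload endpoint in an order-management system.
# Server-executable types (.aspx, .asp, .ashx, .php, ...) are absent on purpose:
# allow known-good extensions rather than trying to deny known-bad ones.
ALLOWED_EXTENSIONS = {".csv", ".pdf", ".png", ".jpg"}

# Conservative character set for the base name: letters, digits, '_' and '-'.
SAFE_STEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def validate_upload_name(filename: str) -> Optional[str]:
    """Return a normalised safe file name, or None if the upload must be rejected.

    Rejects: any path component (blocks '../' or drive-style traversal),
    extensions outside the allowlist (blocks 'shell.aspx'), and double
    extensions such as 'shell.aspx.jpg' that a server might reinterpret.
    """
    if "/" in filename or "\\" in filename or "\x00" in filename:
        return None
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    # A second dot in the stem means a double extension; SAFE_STEM also
    # rejects it because '.' is not in the permitted character set.
    if "." in stem or not SAFE_STEM.match(stem):
        return None
    return f"{stem}{ext.lower()}"


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for an application's order lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "acme", 120.0), (2, "globex", 75.5), (3, "initech", 9.99)],
    )
    return conn


def lookup_orders_vulnerable(conn: sqlite3.Connection, customer: str) -> List[tuple]:
    """The flaw: the untrusted value is spliced into the SQL text, so quote
    characters in the input become SQL syntax."""
    sql = f"SELECT id, customer, total FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn: sqlite3.Connection, customer: str) -> List[tuple]:
    """The fix: the value travels as a bound parameter; the database never
    parses it as part of the statement."""
    sql = "SELECT id, customer, total FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def compare_lookups(customer: str) -> dict:
    """Run the same input through both query styles and report the row counts."""
    conn = demo_db()
    return {
        "vulnerable_rows": len(lookup_orders_vulnerable(conn, customer)),
        "safe_rows": len(lookup_orders_safe(conn, customer)),
    }


if __name__ == "__main__":
    for name in ["report.csv", "shell.aspx", "shell.aspx.jpg", "../report.csv"]:
        print(f"{name!r:22} -> {validate_upload_name(name)}")
    # Textbook tautology input: the concatenated query returns every row,
    # the parameterized one returns none (no customer has that literal name).
    print(compare_lookups("acme' OR '1'='1"))
```

The two checks are independent: the upload validator is the control that would have stopped a web shell from being written to a served directory in the first place, and parameterization removes the injection regardless of what the input contains, which is why it is preferred over input filtering.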
Research indicates that XE Group’s infrastructure comprises domains for command-and-control and hosting skimming tools, including customized variants of open-source webshells like ASPXSpy. The group’s ability to maintain access to compromised systems over extended periods, exemplified by the reactivation of a webshell planted in 2020, demonstrates their commitment to long-term system infiltration and intelligence gathering.
XE Group’s historical association with Vietnam, suggested by linked email addresses and pseudonyms like “XeThanh,” indicates a well-resourced operation with minimal efforts to obscure its identity. This lack of secrecy implies that XE Group is unlikely to be state-aligned, as state-sponsored groups typically employ stricter operational security measures.
XE Group’s evolution in tactics presents significant challenges for cybersecurity professionals, emphasizing the need for proactive vulnerability management and continuous monitoring of supply chain management systems. Organizations should prioritize patching known vulnerabilities and adopt advanced threat detection mechanisms to mitigate the risks posed by such persistent and resourceful cybercriminal entities.