A group of cybercriminals known for their involvement in credit card theft has expanded its operations to information theft, specifically targeting supply chain organizations in the manufacturing and distribution sectors. This shift in focus has raised concerns among security experts who have been monitoring the group’s activities closely.
Recent attacks by this threat actor, identified by various security vendors as the XE Group, a threat actor with ties to Vietnam, have exploited two zero-day vulnerabilities in VeraCore’s warehouse management platform. By taking advantage of these vulnerabilities, the cybercriminals were able to deploy web shells that allowed them to carry out various malicious activities within the compromised systems.
In a joint report released earlier this week, researchers from Intezer and Solis highlighted the evolving tactics of the XE Group as a significant threat to organizations operating in the supply chain sector. The group’s transition from credit card skimming to zero-day exploitation demonstrates their adaptability and increasing sophistication in carrying out targeted attacks.
Multiple security vendors, including Malwarebytes, Volexity, and Menlo Security, have been tracking the XE Group since its emergence in 2013. Initially known for exploiting web vulnerabilities to steal credit card data from e-commerce sites, the group has since expanded its operations to include supply chain attacks targeting a wider range of organizations.
In June 2023, the US Cybersecurity and Infrastructure Security Agency (CISA) identified the XE Group as one of the threat actors exploiting vulnerabilities in Progress Telerik software used on government IIS servers. This revelation confirmed the group’s involvement in executing remote commands on compromised systems using known vulnerabilities.
The recent activities observed by Solis and Intezer indicate continued growth in the XE Group’s capabilities, with new attack tactics such as injecting malicious scripts into webpages and exploiting vulnerabilities in popular products. These advancements have allowed the threat actor to maintain persistent access to compromised systems through the use of custom ASPX web shells.
In several recent attacks, the XE Group leveraged two zero-day vulnerabilities in VeraCore’s software to deploy multiple web shells on compromised systems. Researchers discovered that the threat actor had exploited one of these vulnerabilities as far back as January 2020, highlighting their ability to remain undetected and maintain access to compromised environments for extended periods.
The XE Group’s shift towards targeting the software supply chain aligns with a broader trend among cyber attackers to exploit vulnerabilities in widely used products and services. Recent incidents such as the SolarWinds attack and breaches at companies like Progress Software, Okta, and Accellion underscore the growing risks associated with supply chain attacks in the cybersecurity landscape.
Overall, the escalating threat posed by the XE Group and their evolving tactics underscore the need for organizations to enhance their security measures and remain vigilant against sophisticated cyber threats targeting their supply chain operations. By staying informed and adopting proactive security measures, businesses can better protect themselves against the growing menace of cybercrime in today’s interconnected digital environment.