In a notable evolution of tactics, the notorious Vietnamese cybercrime group known as XE Group has transitioned from its traditional credit card skimming operations to exploiting zero-day vulnerabilities in widely used enterprise software. This alarming development has emerged from a joint investigation by cybersecurity researchers from Intezer and Solis Security.
Targeting VeraCore
Recently, XE Group targeted VeraCore, a platform that helps fulfillment companies, commercial printers, and e-retailers manage their orders and operations. Researchers discovered that the group exploited two previously undisclosed vulnerabilities: one related to upload validation and another concerning SQL processing. These exploits allowed the group to bypass security measures, gain unauthorized access, and deploy webshells, which it then used to exfiltrate sensitive configuration files while moving laterally within compromised networks.
A History of Breaches
Notably, attackers had compromised the same system before. In January 2020, they exploited a similar vulnerability and obtained valid credentials. Those credentials later allowed the reactivation of webshells in 2024, indicating a persistent, long-running threat rather than a one-off intrusion.
Shift in Tactics
Historically, XE Group has focused on attacks against externally facing services through known exploits, and its monetization strategies typically involved installing password-theft and credit card skimming code on compromised web services. Recent findings from Intezer and Solis Security suggest a significant pivot toward targeted information theft and supply chain attacks, particularly within the manufacturing and distribution sectors.
Recent Attack Patterns
In the latest wave of attacks, XE Group exfiltrated web application configuration files, attempted to access remote systems, and deployed a Remote Access Trojan (RAT) using obfuscated PowerShell commands. This shift in focus highlights both the evolving nature of cyber threats and the increasing sophistication of cybercriminal tactics.
Ongoing Collaboration
Currently, Intezer and Solis Security are working with affected vendors to address these vulnerabilities. Nevertheless, they note that no Common Vulnerabilities and Exposures (CVE) identifiers are available at this time, despite ongoing efforts for coordinated disclosure.