Are You Protecting Your Systems from XE Group’s Latest Cyber Threats?

Article Highlights

The XE Group, a notorious Vietnamese cybercrime outfit, has recently escalated its operations from credit card skimming to more sophisticated cyber-attacks. By exploiting security flaws in well-known software, they have managed to infiltrate systems, install persistent web shells, and maintain unauthorized access. This article delves into the tactics and strategies employed by XE Group, highlighting the critical vulnerabilities they have targeted and the implications for the manufacturing and distribution sectors.

Evolution of XE Group’s Cyber Tactics

XE Group’s transition from credit card skimming to deep infiltration marks a significant evolution in its approach to cybercrime. Previously known for targeting payment data, the group now exploits zero-day vulnerabilities to gain long-term access to systems, leveraging newly discovered flaws in software such as Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore.

The group’s recent activities have centered on two vulnerabilities, CVE-2024-57968 and CVE-2025-25181, which it used to deploy ASPXSpy web shells and maintain persistent, unauthorized access to infected systems. The targets are notable as much as the tooling: the victims sit in the supply chains of the manufacturing and distribution sectors, where a compromised order-fulfilment or warehouse system gives an intruder a foothold into many downstream businesses at once. Taken together, these activities mark a clear step up in the group’s capability and ambition.

Critical Vulnerabilities Exploited

CVE-2024-57968, with a CVSS score of 9.9, allows remote, authenticated users to upload files to unintended folders. It has been patched in VeraCore version 2024.4.2.1, but an upload flaw that lets an attacker drop a file into a web-served directory is exactly what is needed to plant a web shell, so unpatched installations remain at serious risk. CVE-2025-25181, with a CVSS score of 5.8, is an SQL injection vulnerability that enables remote attackers to execute arbitrary SQL commands. At the time of writing there is no patch for it; until one ships, the practical mitigations are to keep the VeraCore interface off the open internet where possible and to monitor the backing database for queries the application would never issue on its own.

Exploiting these vulnerabilities has enabled XE Group to deploy web shells such as ASPXSpy, which let the operators enumerate file systems, compress files of interest with tools like 7z, and exfiltrate them. The group also uses a Meterpreter payload that connects back to a control server over Windows sockets, giving it a second channel if the web shell is found. Because an ASPX shell is just another page under the IIS web root, the practical checks are file-integrity monitoring of that directory (a new .aspx file that no deployment created) and IIS log review for POST traffic to such files, typically from a small number of source addresses and with unusual user agents.

Advanced Web Shell Capabilities

The variant of the ASPXSpy web shell installed by XE Group incorporates features for network scanning, command execution, and running SQL queries to extract or modify data in the application’s database. This is a step beyond the group’s earlier intrusions, which mostly relied on known, older vulnerabilities in software like Telerik UI for ASP.NET, and shows the group adapting its tooling as defenders close off the easier routes.
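The detection checks described above (a shell file in the web root plus operator POST traffic in the IIS logs) can be scripted. The following is an added example written for this article, not tooling from any vendor report or from the XE Group investigations: it scans a web root for .aspx/.ashx/.asmx files that contain the API primitives a web shell needs (process execution, directory enumeration, SQL access, raw sockets), then parses IIS W3C log lines and reports POST requests to the flagged paths. The indicator list, the sample pages and the log lines are all constructed for the demo; the shell-like sample is inert (the primitives appear only in comments) so the script can be run anywhere.

```python
"""Hunt for ASPX-style web shells on an IIS host and correlate with IIS logs.

Added example for this article; indicators and sample data are constructed.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Constructed indicator list: API primitives a .NET web shell typically needs.
# Two or more categories in one page is suspicious; the known name alone is enough.
INDICATORS = {
    "process_exec": re.compile(r"Process\.Start|ProcessStartInfo|cmd\.exe|powershell", re.I),
    "file_enum": re.compile(r"Directory\.GetFiles|DirectoryInfo|GetDirectories", re.I),
    "sql_access": re.compile(r"SqlConnection|SqlCommand|OleDbConnection", re.I),
    "net_scan": re.compile(r"TcpClient|new Socket\(|IPEndPoint", re.I),
    "known_name": re.compile(r"ASPXSpy", re.I),
}
SERVED_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def score_aspx(text: str) -> set[str]:
    """Return the indicator categories matched by one page's source."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def scan_webroot(root: Path, min_hits: int = 2) -> dict[str, set[str]]:
    """Walk the web root; flag served pages matching >= min_hits categories."""
    flagged: dict[str, set[str]] = {}
    for p in root.rglob("*"):
        if p.is_file() and p.suffix.lower() in SERVED_EXTENSIONS:
            hits = score_aspx(p.read_text(errors="ignore"))
            if len(hits) >= min_hits or "known_name" in hits:
                flagged[p.relative_to(root).as_posix().lower()] = hits
    return flagged


def parse_iis_log(lines):
    """Yield one dict per W3C log record, using the #Fields header for names."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))


def correlate(flagged: dict[str, set[str]], log_lines) -> list[tuple[str, str, str, str]]:
    """POST requests to a flagged path are likely operator interaction with the shell."""
    hits = []
    for rec in parse_iis_log(log_lines):
        stem = rec.get("cs-uri-stem", "").lstrip("/").lower()
        if rec.get("cs-method") == "POST" and stem in flagged:
            hits.append((f'{rec["date"]} {rec["time"]}', rec["c-ip"],
                         rec["cs-uri-stem"], rec["sc-status"]))
    return hits


# Constructed sample pages: a normal content page and an inert shell-like page
# that carries the primitives only in comments (enough for the scanner).
BENIGN_PAGE = """<%@ Page Language="C#" MasterPageFile="~/Site.master" %>
<asp:Content runat="server"><h1>Orders</h1></asp:Content>
"""
SHELL_LIKE_PAGE = """<%@ Page Language="C#" %>
<script runat="server">
// constructed sample: System.Diagnostics.ProcessStartInfo("cmd.exe")
// constructed sample: System.IO.Directory.GetFiles(path)
// constructed sample: System.Data.SqlClient.SqlCommand(sql, conn)
</script>
"""
# Constructed IIS W3C log extract; addresses are documentation ranges.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2025-02-03 09:14:02 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 31
2025-02-03 09:15:47 10.0.0.5 POST /uploads/x.aspx - 443 - 198.51.100.23 python-requests/2.31 200 412
2025-02-03 09:16:10 10.0.0.5 POST /uploads/x.aspx c=7z 443 - 198.51.100.23 python-requests/2.31 200 1880
"""


def demo() -> tuple[dict[str, set[str]], list[tuple[str, str, str, str]]]:
    """Build a throwaway web root from the samples and run both checks over it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "uploads").mkdir()
        (root / "Default.aspx").write_text(BENIGN_PAGE)
        (root / "uploads" / "x.aspx").write_text(SHELL_LIKE_PAGE)
        flagged = scan_webroot(root)
        return flagged, correlate(flagged, IIS_LOG.splitlines())


if __name__ == "__main__":
    found, posts = demo()
    for path, cats in found.items():
        print(f"suspicious page {path}: {sorted(cats)}")
    for when, src, uri, status in posts:
        print(f"{when} POST {uri} from {src} -> {status}")
```

On a real host, point `scan_webroot` at the IIS site directory and `correlate` at the W3C logs under `inetpub\logs\LogFiles`; a page that was created outside any deployment window, matches several categories and receives POSTs from one outside address is the pattern to escalate. The indicator list is deliberately coarse (legitimate admin pages can match one or two categories), so treat the output as a triage queue rather than a verdict.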

Older vulnerabilities, such as CVE-2017-9248 and CVE-2019-18935 in Telerik UI for ASP.NET AJAX, both rated CVSS 9.8, remain viable entry points. The two are commonly chained: CVE-2017-9248 is a cryptographic weakness that lets an attacker recover the keys protecting the RadAsyncUpload handler, and CVE-2019-18935 is a .NET deserialization flaw in that handler that turns those keys into remote code execution. The persistence of these years-old flaws highlights the importance of systematic patching of internet-exposed systems, and of checking the Telerik.Web.UI assembly version actually deployed rather than trusting that an application upgrade carried the fix. XE Group’s ability to reactivate web shells years after initial deployment underscores a second lesson: patching the vulnerability does not evict an intruder who is already inside, so a host that ran a vulnerable version while exposed should be treated as potentially compromised and swept for leftover shells.

Broader Implications and Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation: CVE-2025-0411, CVE-2022-23748, CVE-2024-21413, CVE-2020-29574, and CVE-2020-15069. They span different products and severities, but all are being used in the wild.

CVE-2025-0411 is a Mark of the Web bypass in 7-Zip, exploited by Russian cybercrime groups to distribute SmokeLoader malware. CVE-2022-23748 is a vulnerability in the Audinate Dante Discovery process, noted for exploitation by the ToddyCat threat actor. CVE-2024-21413 is an improper input validation vulnerability in Microsoft Outlook, while CVE-2020-29574 and CVE-2020-15069 are linked to Chinese espionage activity. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must apply the relevant updates by February 27, 2025. The KEV deadline is also a useful prioritization signal for organizations outside the federal mandate: an entry in the catalog means the flaw is already being exploited, not merely exploitable, by actors such as XE Group.

Importance of Timely Patching and Updates

Every step of XE Group’s recent campaign, from the initial foothold to the years-later reactivation of an old web shell, rested on software that was either unpatched or patched too late. The group began with credit card skimming and now penetrates order-management and warehouse systems in the manufacturing and distribution sectors, installing persistent web shells to maintain access. For businesses in those sectors the consequences are operational as well as data-related: a compromised fulfilment system can halt shipments and expose customer and partner data at once. Keeping internet-facing applications current, verifying that vulnerable components such as Telerik UI were actually updated, and hunting for leftover web shells on hosts that were ever exposed are the measures that counter a group which has shown it will wait years to reuse an old foothold. As XE Group continues to refine its methods, a concerted effort from companies and security teams is the only reliable way to mitigate these risks and safeguard vital systems and data.
