XE Group Expands from Card Skimming to Supply Chain Cyber Attacks


Cybercrime has taken a new turn as XE Group, historically known for stealing credit card information, has now ventured into supply chain attacks. The transformation of cyber threats witnessed with XE Group underlines their adaptive capabilities and serves as a stark reminder of the need for fortified cybersecurity in an increasingly interconnected digital landscape.

From E-commerce Exploits to Supply Chain Sabotage

Initial Card Skimming Tactics

Traditionally, the XE Group has honed its expertise in exploiting web vulnerabilities, particularly those in e-commerce platforms. These tactics allowed them to skim credit card data, causing widespread financial losses for consumers and businesses alike. The group's proficiency in identifying and exploiting web vulnerabilities meant that they often went unnoticed, a factor that significantly added to their dangerous reputation. As online shopping grew rapidly, this threat evolved correspondingly, with cybercriminals becoming increasingly sophisticated.

This focus on credit card skimming was emblematic of a broader trend within cybercrime towards attacking financial resources directly. By embedding malicious code in unsuspecting e-commerce sites, XE Group managed to siphon off valuable data from innumerable transactions. These stolen data troves were then monetized, impacting countless users. However, the evolution of cybersecurity defenses meant that solely relying on these tactics would not suffice. The group recognized the need to innovate, pushing their operations into more diverse and high-stakes arenas.

Transition to Supply Chain Attacks

Recognizing the limitations of card skimming, XE Group has shifted its focus towards supply chain attacks, specifically targeting the manufacturing and distribution sectors. This marks a significant escalation in their operations, as it involves leveraging complex zero-day vulnerabilities in widely-used software. The supply chain sector, with its myriad of interconnected systems and third-party services, presents abundant opportunities for cyberattacks. Such attacks often have far-reaching consequences, affecting numerous stakeholders and leading to systemic disruptions.

A case in point is their recent exploitation of vulnerabilities within VeraCore’s warehouse management platform. Two zero-day flaws were identified and exploited: an upload validation vulnerability (CVE-2024-57968) with a high CVSS severity score of 9.9, and a SQL injection flaw (CVE-2025-25181) with a moderate severity score of 5.8. These flaws were ingeniously used to deploy malicious web shells, granting XE Group sustained access to compromised systems. This shift not only underscores their technical prowess but also highlights the broader trend of cybercriminals targeting software supply chains to maximize impact.

Persistent Exploitation Efforts

Long-term Cyberattack Campaigns

Researchers at Intezer and Solis have noted XE Group’s methodical and long-term commitment to their cyberattack strategies. Originating from Vietnam, the group has demonstrated a remarkable ability to maintain persistence and evade detection over extended periods. This persistence is a critical factor that differentiates them from many other cybercriminal entities. Their ability to reestablish control over compromised systems even after long dormancy periods is particularly concerning for cybersecurity professionals.

One notable example of this persistence involves their exploitation of a VeraCore warehouse management software vulnerability starting from January 2020. XE Group managed to keep this exploitation under wraps for several years, only reactivating their web shell in 2024. This long-game approach implies careful planning and an in-depth understanding of the targeted systems. Such extended campaigns make it harder for victims to cleanse their systems thoroughly: a dormant web shell that survives an incomplete clean-up can be reactivated later, circumventing temporary security measures and posing an ongoing risk.

Implications for Cybersecurity

The transition of XE Group from e-commerce-specific attacks to broader supply chain cyberattacks signals a need to reevaluate security strategies. It is evident that traditional methodologies are no longer sufficient. This shift aligns with a larger trend in the cybersecurity space, with a heightened focus on protecting software supply chains. High-profile incidents such as the SolarWinds breach and the attack on Progress Software's MOVEit file transfer tool underscore the critical vulnerabilities present in interconnected systems.

Security experts have raised alarms, emphasizing the urgency of adopting comprehensive and resilient cybersecurity frameworks. The XE Group's ability to adapt and innovate reflects a sophisticated understanding of systemic weaknesses within industry practices. Their strategies indicate more than opportunistic breaches; they point towards calculated efforts to exploit vulnerabilities for maximum disruption. This demands more vigilant and proactive defense mechanisms, ranging from stricter software audits to enhanced real-time monitoring of third-party integrations.

Industry-Wide Threat Awareness

Broader Cybercriminal Trends

XE Group’s new tactics are part of a broader trend among cybercriminals targeting software supply chains to create widespread disruptions. This approach exploits the interconnected nature of modern business operations where the compromise of a single component can cascade throughout an entire network. Examples of other notorious supply chain attacks include breaches involving Okta and Accellion, which not only impacted direct users but also extended to their clients and partners, multiplying the overall damage.

The supply chain attacks demonstrate the vulnerabilities inherent within widely-adopted software systems. By compromising these critical links, cybercriminals can efficiently propagate their attacks, causing extensive harm. Awareness among industry stakeholders regarding these sophisticated methods is crucial for mitigating future risks. Enhancing collaborative defenses and sharing intelligence about such threats can go a long way in strengthening the overall cybersecurity posture against similar incidents.

Need for Vigilance and Proactive Measures

Cybercrime has evolved significantly, and the notorious XE Group is a clear example. Historically infamous for pilfering credit card information, this cybercriminal organization has now expanded its scope to include supply chain attacks. This shift in their modus operandi highlights their ability to adapt and underscores a growing threat landscape. The evolution of cyber threats, as evidenced by XE Group's changing strategies, serves as a stark reminder of the ever-present need for enhanced cybersecurity measures. In our increasingly connected digital world, organizations must remain vigilant and proactive in defending against such adaptive and persistent threats. With cybercriminals continuously refining their tactics, robust cybersecurity frameworks that protect invaluable data and systems, fortified defenses, and innovative cybersecurity protocols become more crucial than ever. The ongoing battle against such advanced cyber threats calls for a vigilant and adaptive approach to safeguarding our digital environments.
