Threat Actors Exploit Vulnerabilities to Maintain Persistent Access to Targeted Systems


2025-02-10

A recent report has detailed how the XE Group, a cybercrime collective believed to operate out of Vietnam, is exploiting a mix of security flaws to gain unauthorized access to systems and keep control of them over the long term. The group has combined zero-day vulnerabilities in Advantive VeraCore with older, already-patched flaws in Progress Telerik UI for ASP.NET AJAX, using them to deploy reverse shells and web shells that give it sustained remote access to compromised networks. This marks a notable shift for XE Group, which has evolved from credit card skimming into more complex intrusions aimed at supply chain targets, and it underlines the growing sophistication of cybercrime tradecraft and the need for sharper defensive vigilance.

The vulnerabilities being exploited include:

  • CVE-2024-57968: An upload validation flaw in VeraCore that lets an attacker write uploaded files to folders other than the intended upload location, the typical route for planting a web shell in a web-served directory.
  • CVE-2025-25181: An SQL injection vulnerability in VeraCore that lets remote attackers execute arbitrary SQL commands.
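The two bug classes behind those CVEs, shown as an added illustration for this page (this is not VeraCore's code and not XE Group's exploit): an upload handler that joins the client-supplied file name to the upload root unchecked, beside one that confines the result, and a session lookup that splices its parameter into the SQL text, beside the bound-parameter form. The upload root, the allow-listed extensions, the session table and every input are constructed for the example.

```python
"""Added illustration of the two bug classes named above, written for this
page (not VeraCore's code and not XE Group's exploit). Paths, the session
table and the inputs are constructed; only the bug patterns are real."""
import os
import sqlite3

UPLOAD_ROOT = "/srv/app/uploads"          # assumed upload directory
ALLOWED_EXT = {".pdf", ".csv", ".png"}    # assumed allow-list for this app


def upload_path_vulnerable(root: str, client_name: str) -> str:
    """Bug class of CVE-2024-57968: the client-supplied name is joined to the
    upload root unchecked, so '..' segments or an absolute name land the file
    outside `root` (for example inside the web root, as a web shell)."""
    return os.path.normpath(os.path.join(root, client_name))


def upload_path_hardened(root: str, client_name: str) -> str:
    """Keep a bare file name only, allow-list the extension, and verify the
    final path is still under `root` before anything is written."""
    if "\x00" in client_name:
        raise ValueError("NUL byte in file name")
    base = os.path.basename(client_name.replace("\\", "/"))
    if base != client_name or base in ("", ".", ".."):
        raise ValueError("file name carries path components")
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    root = os.path.normpath(root)
    dest = os.path.normpath(os.path.join(root, base))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("resolved path escapes the upload root")
    return dest


def upload_rejected(client_name: str) -> bool:
    """True when the hardened handler refuses the name."""
    try:
        upload_path_hardened(UPLOAD_ROOT, client_name)
        return False
    except ValueError:
        return True


def session_db() -> sqlite3.Connection:
    """In-memory stand-in for a session table (constructed rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sessions (id TEXT, username TEXT)")
    con.executemany("INSERT INTO sessions VALUES (?, ?)",
                    [("s-1001", "alice"), ("s-1002", "bob"), ("s-1003", "admin")])
    return con


def lookup_session_vulnerable(con: sqlite3.Connection, session_id: str) -> list:
    """Bug class of CVE-2025-25181: the parameter is spliced into the SQL text,
    so a single quote ends the literal and the rest is parsed as SQL."""
    sql = f"SELECT username FROM sessions WHERE id = '{session_id}'"
    return [row[0] for row in con.execute(sql)]


def lookup_session_hardened(con: sqlite3.Connection, session_id: str) -> list:
    """Same query with a bound parameter: the input can only ever be a value."""
    sql = "SELECT username FROM sessions WHERE id = ?"
    return [row[0] for row in con.execute(sql, (session_id,))]


if __name__ == "__main__":
    print(upload_path_vulnerable(UPLOAD_ROOT, "../../wwwroot/shell.aspx"))  # /srv/wwwroot/shell.aspx
    print(upload_rejected("../../wwwroot/shell.aspx"))                      # True
    con = session_db()
    print(lookup_session_vulnerable(con, "' OR '1'='1"))  # every user in the table
    print(lookup_session_hardened(con, "' OR '1'='1"))    # []
```

The hardened upload path does three independent things, and all three matter: stripping directory components stops traversal, the extension allow-list stops a server-side script from being stored even if traversal is somehow bypassed, and the final `commonpath` check proves the outcome rather than trusting the earlier filters. In production the server should also choose its own file name rather than keep the client's.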

The web shells planted in these attacks give the operators a persistent foothold on the compromised host, from which they enumerate files, exfiltrate data, and scan the internal network. This reflects an evolving trend toward long-lived intrusions by capable threat actors.

XE Group's tactic of chaining multiple flaws, old and new, underscores its skill at keeping access to targets, as demonstrated by the reactivation of web shells years after initial exploitation.

What Undercode Says:

The evolving tactics of XE Group are a stark reminder of the growing sophistication of modern cyberattacks. Historically, groups like this relied on known vulnerabilities; the move to exploiting zero-days signals a more advanced and better-resourced strategy. That is especially true for XE, which uses these exploits not only for immediate financial gain but also to maintain persistent access for longer-term objectives.

By targeting the manufacturing and distribution sectors, XE Group demonstrates an acute understanding of high-value targets within the supply chain. These sectors are often interconnected, with multiple vulnerable touchpoints that provide cybercriminals access to not just individual companies, but the entire supply chain. This allows attackers to exploit systemic flaws, maximizing the impact of their operations.

The zero-day exploitation of VeraCore, a system used in manufacturing and distribution, further suggests a strategic shift from opportunistic attacks to deliberate, targeted campaigns. At the same time, the group's continued use of Telerik flaws disclosed years ago, and its return to web shells planted years earlier, shows that old vulnerabilities remain potent entry points when they are not patched.

One particularly interesting aspect of these attacks is their persistence. The ability to deploy web shells and reactivate them after a prolonged period without detection suggests that XE Group has honed techniques for long-term access, perhaps as part of larger espionage or data theft objectives. These methods highlight a disturbing trend in cybersecurity: the growing difficulty of detecting and eradicating threats that silently operate in the background, even after years of being implanted.
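The web shell activity described earlier (file enumeration, exfiltration, scanning driven through a planted script) and the dormant-then-reactivated pattern discussed here both leave traces in the web server's own logs. As an added example for this page, not a detection from the report, the following hunt parses a handful of constructed IIS W3C log lines and raises three kinds of finding per script endpoint: the endpoint is not in the deployment's manifest of legitimate scripts, the endpoint went quiet for a year or more and then received new requests, or the requests are POSTs to the Telerik RadAsyncUpload handler (`Telerik.Web.UI.WebResource.axd?type=rau`, the surface CVE-2019-18935 lives on). The log lines, client addresses, the manifest and the 365-day threshold are all constructed assumptions.

```python
"""Added hunt for the web-shell behaviour described above, written for this
page (not a detection from the report). The log lines, the manifest of
deployed scripts and the thresholds are constructed for the example."""
from datetime import datetime

SCRIPT_EXT = (".aspx", ".asp", ".ashx", ".asmx", ".axd")
DORMANT_DAYS = 365   # assumed: a script silent this long, then hit again, deserves a look

# Constructed IIS W3C extended log (IIS writes times in UTC).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2020-11-03 02:14:07 POST /Telerik.Web.UI.WebResource.axd type=rau 203.0.113.5 Mozilla/5.0 200
2020-11-03 02:14:09 POST /App_Themes/Default/theme.aspx - 203.0.113.5 Mozilla/5.0 200
2024-08-19 11:02:41 GET /Default.aspx - 198.51.100.7 Mozilla/5.0 200
2024-08-19 11:05:13 POST /App_Themes/Default/theme.aspx cmd=dir 203.0.113.5 python-requests/2.31 200
2024-08-19 11:05:20 POST /App_Themes/Default/theme.aspx cmd=whoami 203.0.113.5 python-requests/2.31 200
2024-08-20 09:00:00 GET /Login.aspx - 198.51.100.8 Mozilla/5.0 200
"""

# Constructed manifest: script endpoints the deployment is supposed to serve
# (lower-cased, because IIS paths are case-insensitive).
DEPLOYED_SCRIPTS = {"/default.aspx", "/login.aspx", "/telerik.web.ui.webresource.axd"}


def parse_iis_log(text: str) -> list:
    """Parse W3C extended log lines, taking column names from the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue                        # no header yet, or a malformed line
        rows.append(dict(zip(fields, parts)))
    return rows


def hunt_web_shells(rows: list, deployed: set) -> list:
    """Three signals per script endpoint: not in the deployment manifest,
    a silence of DORMANT_DAYS or more followed by new hits, and POSTs to the
    Telerik RadAsyncUpload handler (the CVE-2019-18935 attack surface)."""
    by_stem = {}
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if stem.endswith(SCRIPT_EXT):
            by_stem.setdefault(stem, []).append(r)
    findings = []
    for stem, hits in by_stem.items():
        hits.sort(key=lambda h: h["date"] + " " + h["time"])   # ISO timestamps sort as text
        times = [datetime.strptime(h["date"] + " " + h["time"], "%Y-%m-%d %H:%M:%S") for h in hits]
        if stem not in deployed:
            findings.append({"type": "unknown_script", "stem": stem, "hits": len(hits),
                             "first_seen": hits[0]["date"], "last_seen": hits[-1]["date"],
                             "queries": sorted({h["cs-uri-query"] for h in hits})})
        gaps = [(later - earlier).days for earlier, later in zip(times, times[1:])]
        if gaps and max(gaps) >= DORMANT_DAYS:
            findings.append({"type": "dormant_reactivated", "stem": stem, "gap_days": max(gaps),
                             "clients": sorted({h["c-ip"] for h in hits})})
        rau_posts = [h for h in hits
                     if h["cs-method"] == "POST" and "type=rau" in h["cs-uri-query"].lower()]
        if rau_posts:
            findings.append({"type": "radasyncupload_post", "stem": stem, "hits": len(rau_posts)})
    return findings


def run_hunt() -> list:
    """Run the hunt over the constructed sample."""
    return hunt_web_shells(parse_iis_log(SAMPLE_LOG), DEPLOYED_SCRIPTS)


if __name__ == "__main__":
    for finding in run_hunt():
        print(finding)
```

On the sample, `/App_Themes/Default/theme.aspx` is flagged twice: it is absent from the manifest, and its hits sit 1385 days apart, with the same client address on both sides of the gap. The manifest comparison is the piece that scales: a build-time list of every script the application legitimately serves turns "which .aspx files are web shells" into a set difference, and the gap check catches the case the text describes, a shell that sat untouched for years and then came back to life.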

This tactic of chaining multiple vulnerabilities—both old and new—is another critical takeaway. It emphasizes the need for organizations to constantly reassess their security posture, updating patches and security protocols across their entire infrastructure, not just on the most obvious vulnerabilities. As attackers increasingly leverage multiple vectors, the defense against them must be just as multifaceted.

For organizations still running outdated builds of Telerik UI for ASP.NET AJAX, this should serve as a wake-up call. Known vulnerabilities such as CVE-2017-9248 (a cryptographic weakness in Telerik.Web.UI.dll) and CVE-2019-18935 (insecure .NET deserialization in the RadAsyncUpload handler) continue to be actively exploited, underlining the importance of a robust patching routine, especially for internet-facing applications.

Furthermore, the role of organizations like CISA in tracking and cataloging known exploited vulnerabilities is vital in combating these threats. The Known Exploited Vulnerabilities (KEV) catalog gives defenders a prioritized list of flaws with confirmed in-the-wild exploitation, and US federal agencies are required to remediate each entry by a set deadline. The addition of further flaws to the catalog, such as CVE-2025-0411 (a Mark-of-the-Web bypass in 7-Zip) and CVE-2020-29574 (an SQL injection in CyberoamOS), is therefore a useful prioritization signal for every organization, not just the agencies the mandate covers.

The increasing complexity of these cyberattacks also highlights the importance of threat intelligence sharing and collaboration among organizations. The success of XE Group’s operations depends heavily on the exploitation of systemic weaknesses, which could be mitigated by more proactive information exchange across industries. In the face of such advanced persistent threats (APT), no single organization can afford to operate in isolation when it comes to cybersecurity.

In conclusion, the XE Group’s recent activities illustrate a worrying trend in the cyber threat landscape: a shift towards long-term, highly sophisticated attacks targeting key industries. Their ability to exploit both known and zero-day vulnerabilities, while maintaining persistent access over time, requires organizations to rethink their approach to cybersecurity—emphasizing not only the patching of individual vulnerabilities but also the strategic strengthening of their overall defenses.

References:

Reported By: https://thehackernews.com/2025/02/xe-hacker-group-exploits-veracore-zero.html
