Listen to this Post
2025-02-11
A New Era of Cyber Threats
A notorious cybercrime group, XE Group, previously focused on credit card skimming, has evolved into a more sophisticated operation, targeting supply chain organizations in the manufacturing and distribution sectors. This shift underscores the growing complexity of cyber threats, with attackers exploiting zero-day vulnerabilities in critical software systems.
Recent reports from cybersecurity firms Intezer and Solis reveal that XE Group has leveraged two zero-day vulnerabilities in VeraCore’s warehouse management platform to deploy Web shells, enabling them to execute a wide range of malicious activities. This transition from traditional financial theft to systemic infiltration of supply chains signals a broader strategy among cybercriminals, reflecting an acute awareness of systemic vulnerabilities within essential infrastructure.
Key Takeaways:
– XE
- Zero-Day Exploits: The group exploited two VeraCore vulnerabilities—CVE-2024-57968 (CVSS 9.9) and CVE-2025-25181 (CVSS 5.8)—to install Web shells and maintain prolonged system access.
- Persistent Threats: In at least one case, XE Group had access to a compromised environment since January 2020, demonstrating their ability to remain undetected for years.
- Software Supply Chain Attacks: The shift aligns with a growing trend of targeting software providers, similar to previous high-profile attacks such as SolarWinds, MOVEit, and Okta breaches.
- Advanced Tactics: Their recent methods include JavaScript injection, exploitation of common vulnerabilities, and custom ASPX Web shells, reflecting a higher level of sophistication.
This strategic shift highlights the necessity for organizations to enhance their cybersecurity posture, particularly in monitoring supply chain vulnerabilities and implementing proactive threat detection mechanisms.
What Undercode Says: XE Group and the Evolution of Cybercrime
From Financial Theft to Supply Chain Disruption
The transition of XE Group from simple credit card skimming to full-scale supply chain attacks reflects a broader evolution in cybercrime. Historically, cybercriminals sought quick financial gains through stolen credit card data. However, the shift towards persistent access within critical systems indicates a long-term strategy—one that can be monetized in more complex ways, such as data exfiltration, ransomware deployment, and even espionage.
Zero-Days: The New Cyber Weapon of Choice
The use of zero-day vulnerabilities in VeraCore’s software marks a significant step in XE Group’s capabilities. Exploiting unknown flaws before vendors can patch them allows attackers to infiltrate organizations with little resistance. The vulnerabilities (CVE-2024-57968 and CVE-2025-25181) highlight the risks of unpatched software and the importance of continuous security monitoring.
The Power of Persistence
One of the most alarming aspects of XE Group’s recent campaign is their ability to maintain long-term access to compromised environments. Evidence suggests they had access to at least one system since January 2020, remaining undetected for over four years. This persistence suggests they are not just after quick financial rewards but rather sustained control over critical infrastructure.
Why Supply Chains?
Attacks on the software supply chain are particularly devastating because they amplify the reach of a single breach. Instead of attacking individual targets, hackers infiltrate widely used software providers, infecting multiple organizations downstream. This approach is highly effective, as seen in past high-profile attacks:
- SolarWinds Breach (2020): Compromised software updates allowed attackers to infiltrate government agencies and enterprises.
- MOVEit Vulnerability (2023): A flaw in Progress Software’s file transfer tool exposed thousands of organizations.
- Okta Hack (2023-2024): A supply chain breach compromised authentication services, impacting all customers.
XE Group’s focus on VeraCore indicates that even smaller, industry-specific software providers are now prime targets for cybercriminals.
The Growing Role of Web Shells
The use of custom ASPX Web shells suggests a deeper level of cyber resilience within XE Group’s operations. Web shells provide remote access to compromised systems, allowing attackers to execute commands, modify data, and deploy additional payloads. Their presence within VeraCore systems for years highlights the weaknesses in intrusion detection and monitoring.
How Organizations Can Defend Themselves
Given the sophistication of XE Group’s tactics, organizations must prioritize proactive defense strategies:
- Patch Management: Regular updates and security patches must be applied to critical software like VeraCore.
- Network Segmentation: Limit the impact of a breach by restricting system access to essential users only.
- Threat Hunting: Active monitoring for indicators of compromise (IoCs), such as unusual file uploads or Web shell activity.
- Zero-Trust Security Models: Assume that threats exist within the network and enforce strict authentication controls.
- Supply Chain Risk Assessment: Regularly evaluate third-party software vendors for potential security gaps.
The Future of XE Group
With a history dating back to 2013, XE Group has continually adapted to new technologies and attack vectors. Their shift from credit card skimming to supply chain infiltration suggests they will likely continue evolving. If left unchecked, their future campaigns may include ransomware deployments, AI-powered attacks, or deepfake-based social engineering.
Final Thoughts
The rise of XE Group in supply chain attacks is a wake-up call for the cybersecurity community. As cybercriminals become more sophisticated, traditional reactive security measures are no longer enough. Organizations must embrace proactive, intelligence-driven cybersecurity strategies to combat the next wave of threats.
This case underscores a fundamental truth in cybersecurity: The attackers are always evolving—will your defenses keep up?
References:
Reported By: https://www.darkreading.com/cyber-risk/xe-group-shifts-card-skimming-supply-chain-attacks
https://www.reddit.com/r/AskReddit
Wikipedia: https://www.wikipedia.org
Undercode AI: https://ai.undercodetesting.com
Image Source:
OpenAI: https://craiyon.com
Undercode AI DI v2: https://ai.undercode.help




