XE Gang Moves from Credit Card Skimming to Zero-Day Exploits
The notorious Vietnamese cybercrime gang known as XE Group has shifted its malicious activities from credit card skimming to the exploitation of at least two zero-day vulnerabilities in widely deployed enterprise software products. This alarming transformation marks a significant evolution in their tactics, signaling a broader threat to enterprise security worldwide.
A Strategic Shift in Cybercrime Tactics
XE Group was traditionally known for targeting web-based payment systems through credit card skimming and password theft; its move to zero-day exploitation highlights the group's adaptability and growing sophistication. The shift indicates not just a change in targets but also an escalation in the complexity of its operations.
A joint investigation conducted by cybersecurity researchers from Intezer and Solis Security has revealed that XE Group has been exploiting previously unknown vulnerabilities in VeraCore, a platform widely used by fulfillment companies, commercial printers, and e-retailers to manage orders and operations. These zero-day vulnerabilities allowed XE Group to bypass existing security measures and gain unauthorized access to sensitive systems.
The Vulnerabilities Exploited
The investigation identified two critical vulnerabilities within the VeraCore application:
Upload Validation Flaw: This vulnerability enabled attackers to bypass security filters designed to validate file uploads. By exploiting this flaw, XE Group could upload malicious files, including webshells, directly onto the targeted servers.
SQL Processing Weakness: The second zero-day involved a flaw in SQL processing, allowing attackers to execute arbitrary SQL commands. This capability facilitated unauthorized data extraction and manipulation, enabling the attackers to move laterally within compromised networks.
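The two flaw classes above are generic, and the article does not publish VeraCore's actual code or the bypass used. The following is an added illustration, not VeraCore's or the researchers' code: a blocklist-style upload filter of the kind that is commonly bypassed beside an allowlist check, and an order lookup built by string concatenation beside a parameterized one. The endpoint, table name, accepted file types and magic bytes are assumptions chosen for the example.

```python
import os
import re
import sqlite3

# Assumed allowlist for a hypothetical order-management upload endpoint.
ALLOWED_EXTENSIONS = {"pdf", "csv", "png"}
# Leading bytes per allowed binary type (simplified magic numbers).
MAGIC = {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"}
# Only one dot, no path separators, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,60}\.[a-z0-9]{1,5}$")


def weak_upload_check(filename: str) -> bool:
    """Blocklist on the final extension only, case-sensitive.

    This is the class of filter that fails: it is silent on case
    variants and on names carrying more than one extension.
    """
    return not filename.endswith((".aspx", ".php", ".jsp"))


def hardened_upload_check(filename: str, content: bytes) -> tuple:
    """Allowlist the name, the extension and the leading bytes.

    Returns (accepted, reason) so callers can log the rejection cause.
    """
    base = os.path.basename(filename)
    if base != filename or not SAFE_NAME.match(base):
        return False, "bad filename"            # path components or odd chars
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"   # .aspx, .php, ... never reach storage
    magic = MAGIC.get(ext)
    if magic is not None and not content.startswith(magic):
        return False, "content does not match extension"
    if ext == "csv":
        # Text type: must decode as UTF-8 and contain no NUL bytes.
        if b"\x00" in content:
            return False, "binary content in text upload"
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return False, "not valid UTF-8"
    return True, "ok"


def demo_db() -> sqlite3.Connection:
    """In-memory table standing in for an orders database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id TEXT, customer TEXT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?)",
                     [("1001", "acme"), ("1002", "globex")])
    return conn


def lookup_order_unsafe(conn: sqlite3.Connection, order_id: str) -> list:
    """Concatenation: the caller's input becomes part of the SQL grammar."""
    sql = "SELECT id, customer FROM orders WHERE id = '" + order_id + "'"
    return conn.execute(sql).fetchall()


def lookup_order_safe(conn: sqlite3.Connection, order_id: str) -> list:
    """Parameter binding: the input is only ever compared as a value."""
    return conn.execute("SELECT id, customer FROM orders WHERE id = ?",
                        (order_id,)).fetchall()


if __name__ == "__main__":
    print(hardened_upload_check("invoice.pdf", b"%PDF-1.4 example"))
    print(hardened_upload_check("report.aspx.png", b"\x89PNG\r\n\x1a\n"))
    conn = demo_db()
    print(lookup_order_safe(conn, "1001"))
```

The allowlist version rejects before anything is written to disk and reports why, which is the event a defender wants in the application log; the parameterized lookup returns the same rows for well-formed input and nothing for malformed input, rather than letting malformed input rewrite the query.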
These vulnerabilities were exploited to deploy webshells, which XE Group used to exfiltrate configuration files, steal credentials, and maintain persistent access within infected networks. The attackers demonstrated advanced techniques, including the use of obfuscated PowerShell commands to deploy Remote Access Trojans (RATs).
A History of Compromise
Interestingly, the compromised systems had a history of previous breaches. In January 2020, attackers exploited a similar vulnerability in the same VeraCore application, gaining valid credentials that remained effective even after initial mitigation efforts. These credentials were later used to reactivate dormant webshells in 2024, underscoring the importance of thorough incident response and remediation.
This continuity suggests that XE Group may have maintained long-term access to certain networks, leveraging old credentials and exploiting newly discovered vulnerabilities to expand their foothold.
Expanding the Scope of Attacks
While XE Group initially focused on financially motivated crimes like credit card skimming, their recent activities indicate a shift towards more targeted information theft and supply chain attacks. This evolution reflects a broader trend in the cybercrime landscape, where threat actors increasingly target enterprise environments to maximize impact and profits.
The targeted exfiltration of web application configuration files and attempts to access remote systems highlight the group’s interest in gathering sensitive operational data. This data can be used for various malicious purposes, including espionage, competitive intelligence, and further exploitation within supply chains.
The Role of Zero-Day Exploits
Zero-day vulnerabilities represent a particularly dangerous threat because they are unknown to the software vendor and, therefore, unpatched. Attackers who discover and exploit these flaws can operate undetected for extended periods, causing significant damage before detection.
In the case of XE Group, the exploitation of zero-day vulnerabilities allowed them to:
Bypass Traditional Security Measures: Standard security tools often fail to detect zero-day exploits, giving attackers an advantage.
Maintain Persistence: By deploying webshells and RATs, XE Group ensured long-term access to compromised systems.
Expand Lateral Movement: The ability to move laterally within networks increased the scope of their attacks, affecting more systems and data.
Lack of CVE Identifiers and Coordinated Disclosure
Despite efforts to coordinate disclosure, the vulnerabilities exploited by XE Group have not yet received Common Vulnerabilities and Exposures (CVE) identifiers. This lack of formal recognition complicates mitigation efforts, as affected organizations may be unaware of the specific risks they face.
Intezer and Solis Security are actively working with affected vendors to address these issues. However, the absence of CVE identifiers highlights challenges in the vulnerability disclosure process, particularly when dealing with complex, multi-staged attacks.
Mitigation and Defense Strategies
Organizations using VeraCore or similar enterprise software products should take immediate action to mitigate the risks associated with these zero-day vulnerabilities. Recommended steps include:
Conduct Comprehensive Security Audits: Regularly review system logs, user accounts, and network traffic for signs of suspicious activity.
Apply Patches and Updates: Stay informed about security updates from software vendors and apply patches promptly.
Enhance Authentication Measures: Implement multi-factor authentication (MFA) and review access controls to limit unauthorized access.
Monitor for Indicators of Compromise (IOCs): Use threat intelligence feeds to identify known IOCs associated with XE Group and similar threat actors.
Develop an Incident Response Plan: Prepare for potential breaches with a robust incident response strategy, including clear protocols for containment and recovery.
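The audit and IOC-monitoring steps above, together with the webshell and obfuscated-PowerShell behaviour described earlier, translate into two concrete log checks. The block below is an added example and not code from the article or from Intezer or Solis Security: it runs over constructed web-access and process-creation records (not real telemetry), flags requests for script files served from an upload directory, and flags web-server worker processes spawning a shell, decoding any Base64 -EncodedCommand argument so the analyst sees the plaintext. The upload directory, worker process names and sample lines are assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample web access log (Combined-style), not real traffic.
WEB_LOG = [
    '10.0.0.5 - - [01/Feb/2025:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Feb/2025:10:01:09 +0000] "GET /uploads/invoice.pdf HTTP/1.1" 200 20480',
    '203.0.113.7 - - [01/Feb/2025:10:02:15 +0000] "POST /uploads/report.aspx HTTP/1.1" 200 88',
    '203.0.113.7 - - [01/Feb/2025:10:02:16 +0000] "GET /uploads/report.aspx?x=1 HTTP/1.1" 200 88',
]

# Constructed process-creation events as (parent image, command line).
ENCODED = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()
PROC_LOG = [
    ("explorer.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ("w3wp.exe", "cmd.exe /c whoami"),
    ("w3wp.exe", "powershell.exe -nop -w hidden -EncodedCommand " + ENCODED),
]

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')
UPLOAD_DIRS = ("/uploads/",)                      # assumption: user-file storage path
SCRIPT_EXT = (".aspx", ".ashx", ".asp", ".php", ".jsp")
WEB_WORKERS = {"w3wp.exe", "httpd", "nginx", "php-fpm"}
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def find_script_in_upload_dir(lines):
    """Return (source, method, path, status) for script files under an upload dir.

    A server-side script living where only user documents belong is the
    footprint a dropped webshell leaves in the access log.
    """
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m:
            continue                                  # skip unparseable lines
        src, method, target, status, _size = m.groups()
        path = urlparse(target).path.lower()          # drop the query string
        if path.startswith(UPLOAD_DIRS) and path.endswith(SCRIPT_EXT):
            hits.append((src, method, path, int(status)))
    return hits


def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand value (Base64 of UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None                                   # malformed or not UTF-16LE


def find_web_worker_spawns(events):
    """Flag shells started by a web-server worker, with any encoded command decoded."""
    findings = []
    for parent, cmdline in events:
        exe = cmdline.split()[0].lower()
        if parent.lower() in WEB_WORKERS and exe.endswith(SHELLS):
            findings.append({"parent": parent, "cmd": cmdline,
                             "decoded": decode_encoded_command(cmdline)})
    return findings


if __name__ == "__main__":
    for hit in find_script_in_upload_dir(WEB_LOG):
        print("web:", hit)
    for f in find_web_worker_spawns(PROC_LOG):
        print("proc:", f["parent"], "->", f["cmd"][:40], "| decoded:", f["decoded"])
```

Both checks are structural rather than signature-based: they key on where a file is served from and which process is the parent, so they hold up when the webshell's name or the encoded payload changes. The decoded plaintext is what goes into the incident ticket; the Base64 form alone tells the responder little.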
The Broader Implications
The shift in XE Group’s tactics reflects broader trends in the cybercrime ecosystem. As traditional methods like credit card skimming become less effective due to improved security measures, cybercriminals are turning to more sophisticated techniques, including zero-day exploits and supply chain attacks.
This evolution underscores the need for continuous vigilance, proactive security measures, and a strong emphasis on threat intelligence sharing within the cybersecurity community. Organizations must adapt to the changing threat landscape, investing in advanced detection and response capabilities to counter increasingly sophisticated adversaries.
Conclusion
The XE Group’s transition from credit card skimming to exploiting zero-day vulnerabilities marks a significant development in the cybercrime landscape. By targeting enterprise software products like VeraCore, they have demonstrated the ability to adapt and evolve, posing a serious threat to businesses worldwide.
As cybersecurity professionals work to mitigate these threats, the importance of collaboration, timely vulnerability disclosure, and proactive defense strategies cannot be overstated. Organizations must remain vigilant, continuously updating their security practices to stay ahead of emerging threats and protect their critical assets from sophisticated cyber adversaries.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a cyber intelligence company that provides pentest and cybersecurity news about IT, web, mobile (iOS, Android), API, cloud, IoT, network, application, system, red teaming, social engineering, wireless, and source code.