SecurityWeek
XE Group Cybercrime Gang Moves from Credit Card Skimming to Zero-Day Exploits

Vietnamese cybercrime gang shifts from credit card skimming to exploiting at least two zero-day vulnerabilities in a widely deployed enterprise software product.

Malware hunters have caught a known Vietnamese cybercrime gang called XE Group shifting tactics beyond credit card skimming to exploiting at least two zero-day vulnerabilities in a widely deployed enterprise software product.

A joint investigation by researchers from Intezer and Solis Security is warning that XE Group targeted VeraCore, a platform used by fulfillment companies, commercial printers, and e-retailers to manage orders and operations. The investigators found evidence the group exploited two previously unknown vulnerabilities — one in upload validation and another in SQL processing — to gain and maintain unauthorized access.

According to a research paper, XE Group exploited two zero-day vulnerabilities in the VeraCore application to bypass security controls and deploy webshells to exfiltrate configuration files and move laterally within infected networks.

In an interesting twist the researchers found that the same system had been compromised before — in January 2020, attackers exploited a similar vulnerability, gaining valid credentials that later facilitated the reactivation of webshells in 2024.

Threat hunters have flagged the XE Group as a Vietnamese-origin cybercriminal threat actor typically seen hacking into externally facing services via known exploits, and monetizing those compromises by installing password-theft or credit card skimming code on the web services hosted on those servers.

While the gang has historically focused on credit card skimming and password theft, the research from Intezer and Solis Security underscores a significant shift toward targeted information theft and supply chain attacks, specifically aimed at the manufacturing and distribution sectors.

In the latest attacks, XE Group was seen exfiltrating web application configuration files, attempting to access remote systems, and deploying a Remote Access Trojan (RAT) using obfuscated PowerShell commands. 

Intezer and Solis Security say they are currently working with affected vendors but note that there are no available CVE identifiers despite attempts at coordinated disclosure.

UPDATE (February 3; 4:00PM EST): The researchers have updated the bulletin with identifiers for the two VeraCore vulnerabilities: CVE-2024-57968 — Upload Validation Vulnerability and CVE-2025-25181 — SQL Injection.

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
