A Vietnamese-linked cybercriminal group known as XE Group has escalated its operations by exploiting two critical zero-day vulnerabilities in VeraCore’s warehouse management software. This move signals a dangerous shift from their previous focus on credit card skimming to large-scale supply chain attacks. Researchers from Intezer and Solis have reported that this evolution allows the group to gain deep, persistent access into manufacturing and distribution networks, putting entire business ecosystems at risk.
From Credit Card Skimming to Supply Chain Attacks
XE Group has a long history, first appearing around 2013 with a focus on skimming credit card details from e-commerce websites. They operated by injecting malicious scripts into online payment systems to steal financial information.
Over the years, security firms like Malwarebytes and Volexity have tracked their activities. By 2023, the group had expanded its methods to include creating fake phishing websites to harvest personal data, which was then sold on underground forums. This latest attack on VeraCore represents a significant leap in their capabilities and ambition. Instead of targeting individual consumers, they are now compromising the core software that businesses rely on, amplifying their impact dramatically.
VeraCore’s Zero-Day Flaws Under Siege
The recent attacks were made possible by two previously unknown vulnerabilities in VeraCore’s software platform. These flaws provided the XE Group with the access needed to infiltrate systems and establish a long-term presence. Security researchers have identified the specific vulnerabilities exploited by the threat actor.
The two main security holes are:
- CVE-2024-57968: A critical flaw in upload validation with a CVSS score of 9.9. This vulnerability allows attackers to upload malicious files and execute them on the server, effectively giving them control.
- CVE-2025-25181: A medium-severity SQL injection vulnerability with a CVSS score of 5.8. This allows attackers to manipulate the software’s database to steal or alter sensitive information.
By chaining these exploits, XE Group was able to install custom ASPX Web shells. These backdoors provide them with continuous remote access to the compromised networks. This technique allows them to operate stealthily for extended periods.
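As an added example (not code from Intezer, Solis or VeraCore), the following Python hunt runs over constructed IIS W3C log lines and flags the pattern described above: a server-side script such as an .aspx file being requested from a directory meant for user uploads, or an executable path that is absent from the application's known page baseline. The log field order, the upload directory prefix and the baseline page list are assumptions for this example.

```python
EXEC_EXT = (".aspx", ".ashx", ".asmx", ".asp")

# Field order assumed for this example's IIS W3C logs (the #Fields header is omitted here):
# date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "client_ip", "user_agent", "status"]

# Constructed sample lines, not real VeraCore traffic: two legitimate requests by a logged-in user,
# then an unauthenticated client writing to and calling an .aspx file under the upload directory.
SAMPLE_LOG = """\
2025-01-14 09:12:01 10.0.0.5 GET /Orders/Default.aspx - 443 jdoe 203.0.113.7 Mozilla/5.0 200
2025-01-14 09:12:40 10.0.0.5 POST /Upload/Attachment.aspx - 443 jdoe 203.0.113.7 Mozilla/5.0 200
2025-01-14 09:13:05 10.0.0.5 POST /Upload/files/cmd.aspx - 443 - 198.51.100.23 python-requests/2.31 200
2025-01-14 09:13:09 10.0.0.5 GET /Upload/files/cmd.aspx - 443 - 198.51.100.23 python-requests/2.31 200
"""

def parse_iis(log_text):
    """Yield one dict per W3C log line; comment and header lines are skipped."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a production tool should report it rather than drop it
        yield dict(zip(FIELDS, parts))

def find_webshell_candidates(log_text, upload_dirs, known_pages):
    """Flag requests that look like a dropped server-side script being used as a web shell.

    upload_dirs: URL prefixes where the app stores user uploads (should never serve executables).
    known_pages: baseline of legitimate executable paths, e.g. harvested from a clean install.
    """
    baseline = {p.lower() for p in known_pages}
    findings = []
    for rec in parse_iis(log_text):
        stem = rec["uri_stem"].lower()
        if not stem.endswith(EXEC_EXT):
            continue  # only server-executed file types matter for this check
        reasons = []
        if any(stem.startswith(d.lower()) for d in upload_dirs):
            reasons.append("executable file served from upload directory")
        if stem not in baseline:
            reasons.append("executable path not in application baseline")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_webshell_candidates(SAMPLE_LOG, ["/Upload/files/"],
                                      ["/Orders/Default.aspx", "/Upload/Attachment.aspx"]):
        print(f["time"], f["client_ip"], f["method"], f["uri_stem"], "; ".join(f["reasons"]))
```

On the sample above only the two requests to /Upload/files/cmd.aspx are reported, each with both reasons; the legitimate upload page under /Upload/ is not, because it sits in the baseline and outside the files prefix.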
A Pattern of Persistent, Long-Term Attacks
Unlike many cybercriminal groups focused on quick profits, such as ransomware gangs, XE Group has shown a preference for long-term infiltration. In one instance, investigators found evidence that the group had maintained access to a compromised system since January 2020. They reactivated an old Web shell four years later, demonstrating a patient and methodical approach.
This strategy suggests their goal is not just immediate financial gain but potentially long-term espionage or large-scale data theft over time. By remaining undetected, they can quietly gather information, monitor operations, and wait for the perfect moment to strike or expand their access across the network.
The Broader Threat to Global Supply Chains
XE Group’s attack on VeraCore is part of a disturbing trend of cybercriminals targeting the software supply chain. This method is highly effective because compromising one software provider can lead to a domino effect, impacting thousands of their customers. This tactic has been used in some of the most significant cyberattacks in recent history.
| Attack Target | Method Used | Impact |
|---|---|---|
| SolarWinds (2020) | Compromised software update | Affected 18,000 organizations, including US government agencies |
| Progress MOVEit (2023) | Exploited file transfer vulnerability | Exposed sensitive data from multiple businesses |
| Okta (2023) | Breached customer support system | Affected all Okta customers |
By targeting business infrastructure software like VeraCore, XE Group has placed itself among these high-impact threat actors. The incident serves as a stark reminder that software vulnerabilities are a major business risk for organizations in manufacturing, distribution, and logistics.