
Illustration by iStock; Security Management

Supply Chain SaaS Exploited by Increasingly Complex Cybercriminal Organization

Cybersecurity firms Intezer and Solis Security released joint research into the evolving tactics of the cybercriminal organization called XE Group.

XE Group is believed to originate from Vietnam. According to Menlo Security, it is not suspected to be a state actor, though it may have links to state-sponsored cyberattack groups. Identified in 2013, XE Group was known for hacking into websites—or creating fake websites—in order to steal credit card information.

Intezer and Solis said XE Group has evolved to include exploiting zero-day vulnerabilities in VeraCore, a third-party logistics fulfillment application offered as software-as-a-service (SaaS) by Advantive. A zero day refers to a previously undiscovered vulnerability.

One of the zero-day attacks on VeraCore exploited a file upload validation flaw, which the group used to bypass security filters and upload malicious files. For example, XE Group used it to upload files with the .png image extension that were actually executable files, enabling the actors to create webshells—applications that allow hackers to retain access to a compromised system.
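The flaw described above is the gap between checking a file's name and checking its contents. As an added defender-side illustration (not code from the Intezer/Solis research or from VeraCore), the Python check below accepts an upload only when the extension is on an allowlist, the body starts with that type's magic bytes, and the leading bytes contain no executable or server-side script markers; the sample files, signature lists and marker list are constructed for the example.

```python
# Magic-byte signatures for the image types this (constructed) allowlist accepts.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Markers that must never appear near the start of something stored as an image:
# PE and ELF headers, and the opening tags of common server-side script types.
EXECUTABLE_MARKERS = (b"MZ", b"\x7fELF", b"<%", b"<?php", b"<script")


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded file.

    Order matters: the cheap name checks run first, then the body is compared
    against the signature the name claims, then the head of the body is scanned
    for executable/script markers so a polyglot (valid PNG header followed by
    script) is still rejected. This is a heuristic layer, not a full parser.
    """
    name = filename.lower().strip()
    # Double extensions such as shell.aspx.png are refused outright.
    if name.count(".") != 1:
        return False, "filename must have exactly one extension"
    ext = name[name.rfind("."):]
    sig = IMAGE_SIGNATURES.get(ext)
    if sig is None:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(sig):
        return False, f"body does not match {ext} signature"
    head = data[:4096]
    for marker in EXECUTABLE_MARKERS:
        if marker in head:
            return False, "body contains executable/script marker"
    return True, "ok"


# Constructed samples: a minimal genuine PNG, a PE stub renamed to .png,
# a server-side script named .png, a double-extension name, and a polyglot.
SAMPLES = {
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "tool.png": b"MZ\x90\x00" + b"\x00" * 60,
    "cmd.png": b"<% constructed script placeholder %>",
    "shell.aspx.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
    "poly.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php placeholder",
}


def audit(samples=SAMPLES) -> dict[str, bool]:
    """Run every sample through the validator; only the genuine PNG should pass."""
    return {name: validate_upload(name, body)[0] for name, body in samples.items()}
```

An extension-only filter would have accepted every one of these names; the audit shows only the genuine PNG surviving the content checks.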

The other zero-day vulnerability exploited a SQL processing vulnerability, which the group used to extract or manipulate data and move laterally within compromised systems.

The new attack vectors show XE Group “poses heightened risks to global supply chains, particularly in manufacturing and distribution sectors, but leveraging stealthier tactics and long-term system access,” CyberScoop reported.

In one case, XE Group compromised a company in 2020 and maintained undetected access for four years.

In their release, Intezer and Solis noted, “These recent discoveries highlight that XE Group is not only active but evolving. The group’s ability to exploit unknown vulnerabilities and sustain prolonged access to targeted systems reflects a significant shift in their operational strategy.”

Wes Wright wrote about supply chain cyberattack vulnerabilities in the February 2023 issue of Security Technology: “Whether it’s to manage customer relationships, just-in-time inventory systems, Web development platforms, and everything else in between, more external vendors are regularly connecting to the network, often through privileged accounts. This has created a lucrative opportunity for cybercriminals, who are increasingly targeting Software as a Service (SaaS) vendors with the sole aim of accessing their customers’ networks.”

Wright advocates a zero-trust approach, “which requires users to re-authenticate themselves as they move laterally through a network—not just at the boundary or initial log in.”

Attacks of this nature can be particularly pernicious, as Security Management Senior Editor Megan Gates detailed in explaining the infamous SolarWinds attack. The incident showed the extent to which connected systems can be compromised.

“By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities,” the Intezer and Solis announcement summarized. Any organization using VeraCore should review the announcement for technical descriptions of how XE Group exploited the software’s vulnerabilities.
