Analysing XeGroup’s Arsenal Of Cyberattack Methods

In an era when cybercrime is becoming increasingly unpredictable, it is hard to truly say what is coming around the corner. However, at the end of last year, we did make several key predictions for 2023.

After continuing to see an uptick in Highly Evasive Adaptive Threat (HEAT) techniques, a new class of cyber threats that have emerged - these have been tailored to evade protective tools such as firewalls, secure web gateways, and malware analysis technologies, and we expect to see more of this in the future. 

At the same time, we anticipated that basic security failures would continue to plague companies, with simple and proven methods such as social engineering techniques often providing open doors to attackers. We also identified browser-based attacks as a key area of concern, with attackers exploiting both new and old vulnerabilities.

Ultimately, the truth of the matter is that threat actors are continuing to adapt and evolve their techniques. And as a result, we are seeing a combination of novel threats and proven attack methods that together are creating an increasingly volatile threat landscape.

Of course, some attack groups have developed a track record for primarily focusing their efforts on exploiting one vulnerability or using one technique. However, others have demonstrated an appetite for deploying a range of threat methods to target their victims.

With regards to the latter category, XeGroup stands as a prime example.

Believed to have been established and active since at least 2013, this threat group that is likely to be based in Vietnam has been responsible for a number of nefarious activities, including:

  • Supply chain attacks that inject credit card skimmers into web pages.
  • Creating fake websites to deceive users into revealing their personal information.
  • Selling stolen data on the dark web.

XeGroup’s Track Record

Security research group, Volexity detailed the specific tactics, techniques, and procedures (TTPs) used by XeGroup in a recent report, this suggesting that the group may be associated with both other cybercriminal organisations and state-sponsored hacking groups. 

The group was first identified in 2013 when it successfully exploited retail point-of-sale (PoS) systems globally through its malware called “Snipr”, which was created specifically for this purpose.

Indeed, it is estimated that the threat outfit has stolen more than $30 million from US-based corporations, as well as compromising several websites and mobile applications with malicious code designed to steal payment card data from unsuspecting customers.

Arguably, the most prevalent technique used by XeGroup is the injection of malicious JavaScript into web pages, previously used to successfully exploit vulnerabilities in Magento e-commerce platforms and Adobe ColdFusion server software. 

Further, in addition to stealing financial information directly, XeGroup has also demonstrated a track record for attempting to gain access to corporate networks through the deployment of phishing emails sent out using fake domains impersonating legitimate companies, such as PayPal and eBay.

Such activities continued for seven years until August 2020, when XeGroup was said to have been taken down after Volexity’s researchers reported their findings to law enforcement agencies, resulting in several key arrests across multiple countries. 

Adapted Attack Methods

Unfortunately, however, it seems that XeGroup has once again reappeared, and is now actively attempting to exploit the CVE-2019-18935 vulnerability.

If done so successfully, this can enable threat actors to execute arbitrary code remotely on a vulnerable server by exploiting a deserialisation vulnerability in the Telerik.Web.UI assembly. 

These efforts were flagged by the US Cybersecurity and Infrastructure Security Agency (CISA) in an advisory published back in 15 March 2023. Further research from the Menlo Labs threat intel team affirms that XeGroup actors are targeting government agencies, construction firms, and healthcare organisations across our customer base.

Further, XeGroup is also now associated with the use of ASPXSPY web shells – scripts that are intentionally designed to be malicious, allowing threat actors to gain unauthorised access to web servers and carry out further attacks.

Protecting Against Varied Threats

XeGroup’s diverse array of threat techniques highlight just how imperative it is for organisations to enhance their defences to combat today’s HEAT attacks and other security threats.

No longer can companies rely on outdated detect and remediate solutions. Today, they must also adopt preventative security measures to ensure any attempts from threat actors can be thwarted in the first instance.

One straightforward way to achieve this is through isolation technology. Designed to support organisations in achieving zero trust in the truest sense, it a solution that creates a ‘digital air gap’ that ensures all active code - be it malicious or not - is executed in isolated cloud containers, removing any risk from common web and email attack vectors. 

Brett Raybould is EMEA Solutions Architect at Menlo Security

You Might Also Read: 

Highly Evasive Adaptive Threats & Advanced Persistent Threats:

___________________________________________________________________________________________

If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


 

 

« Year in Review: Biggest Application Security Breaches Of 2022
US Government Agencies Attacked By Russian Criminals »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA)

Cyber Conflict Studies Association (CCSA) is a non-profit organization dedicated to leading a diversified research agenda in the field of cyber conflict.

Computer Laboratory - University of Cambridge

Computer Laboratory - University of Cambridge

Computer security has been among the Laboratory’s research interests for many years, along with related topics such as cryptology

Paramount Computer Systems

Paramount Computer Systems

Paramount is a regional leader in the Middle East for cybersecurity solutions and consulting services.

Block Armour

Block Armour

Block Armour is a Mumbai and Singapore based venture focused on harnessing emerging technologies to counter growing Cybersecurity challenges in bold new ways.

United Nations Office on Drugs & Crime (UNODC)

United Nations Office on Drugs & Crime (UNODC)

UNODC promotes long-term and sustainable capacity building in the fight against cybercrime through supporting national structures and action.

Sysdig

Sysdig

With Sysdig teams find and prioritize software vulnerabilities, detect and respond to threats, and manage cloud configurations, permissions and compliance.

Deep Mirror Automotive Cybersecurity

Deep Mirror Automotive Cybersecurity

Deep Mirror Automotive Cybersecurity make Cars & Infrastructures Cybersecure.

Quantea

Quantea

Our multi-patented solutions - QP Series Network Analytics Accelerator appliance and PureInsight Analytics Software Suite allows you to capture, analyze, store, replay, network traffic data.

C5 Capital

C5 Capital

C5 Capital is a specialist investment firm that exclusively invests in the secure data ecosystem including cybersecurity, cloud infrastructure, data analytics and space.

Ukrainian Academy of Cyber Security (UACS)

Ukrainian Academy of Cyber Security (UACS)

UACS is a professional non-profit public organization established to promote the development of an extensive network and ecosystem of education and training in the field of cyber security.

Aligned Technology Solutions (ATS)

Aligned Technology Solutions (ATS)

ATS manage, monitor, and maintain everything from your network and servers to your workstations and mobile devices, and we do it proactively to eliminate downtime and keep hackers at bay.

Psybersafe

Psybersafe

Psybersafe is a hands-on, behaviour-changing training system that keeps your people and your business cyber safe.

Infiot

Infiot

Infiot is a pioneer in enabling secure, reliable access with zero trust security, network optimization, edge-intelligence and AI driven operations for all remote users, devices, sites and cloud.

Allstate Identity Protection

Allstate Identity Protection

Allstate make it easy to provide complete identity protection, so everyone can live more confidently online.

ClearSky Cyber Security

ClearSky Cyber Security

ClearSky cyber security provides cyber solutions, focused on threat intelligence services, mainly for the financial sector, critical infrastructure, public sector and the pharma sector.

EmberOT

EmberOT

EmberOT is at the forefront of operational technology (OT) security, offering cutting-edge solutions designed to protect critical infrastructure within energy, utilities, and manufacturing sectors.