Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin

The Hacker News

Cybersecurity researchers have unmasked the identity of one of the individuals believed to be associated with the e-crime actor known as XE Group.

According to Menlo Security, which pieced together the information from different online sources, “Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen, has the strongest likelihood of being involved with the XE Group.”

XE Group (aka XeThanh), previously documented by Malwarebytes and Volexity, has a history of carrying out cyber criminal activities since at least 2013. It’s suspected to be a threat actor of Vietnamese origin.

Its targets include government agencies, construction organizations, and healthcare providers.

The group is known to compromise internet-exposed servers using public exploits for known vulnerabilities, then monetize the intrusions by planting credential-stealing or credit card skimming code on the compromised online services.

“As far back as 2014, the threat actor was seen creating AutoIT scripts that automatically generated emails and a rudimentary credit card validator for stolen credit cards,” the cybersecurity company said.

Earlier this March, U.S. cybersecurity and intelligence authorities revealed XE Group's attempts to exploit a critical three-year-old .NET deserialization flaw in Progress Telerik UI for ASP.NET AJAX (CVE-2019-18935, CVSS score: 9.8) to obtain a foothold on internet-facing IIS servers.


The adversary has also attempted to gain access to corporate networks in the past through phishing emails sent out using fraudulent domains mimicking legitimate companies such as PayPal and eBay.

The group has also disguised .EXE payloads as .PNG files to evade detection, and some attacks have used a web shell dubbed ASPXSpy to keep control of the compromised systems.
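Renaming an executable to .PNG only fools checks that trust the extension. The following Python, added here as an example and not code from the article or from any of the vendors it cites, sniffs the first bytes of each file (the PNG signature, or the MZ/PE header pair that marks a Windows executable) and reports any .png whose content disagrees. The sample files are constructed in memory; the fake PE is a bare header, not a runnable binary.

```python
"""
Flag files whose .png extension disagrees with their magic bytes.
Added example, not code from the article or the cited reports; the
sample files below are constructed in memory.
"""
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # 8-byte PNG signature
MZ_MAGIC = b"MZ"                    # DOS header signature at offset 0
PE_MAGIC = b"PE\0\0"                # NT header signature at e_lfanew


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name entirely."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if len(data) >= 0x40 and data.startswith(MZ_MAGIC):
        # e_lfanew (offset 0x3c) points at the PE signature
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == PE_MAGIC:
            return "pe"
        return "mz-only"            # DOS stub only, or truncated PE
    return "unknown"


def find_masquerades(files):
    """Return (name, sniffed_type) for every '.png' that is not a PNG.
    `files` maps file name -> bytes."""
    hits = []
    for name, data in files.items():
        if name.lower().endswith(".png"):
            kind = sniff(data)
            if kind != "png":
                hits.append((name, kind))
    return hits


def fake_pe() -> bytes:
    """Construct a minimal MZ/PE header (not an executable)."""
    hdr = bytearray(0x48)
    hdr[0:2] = MZ_MAGIC
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = PE_MAGIC
    return bytes(hdr)


# Constructed sample set: one real PNG header, one renamed executable,
# one text file with a wrong extension, one honestly named executable.
SAMPLE_FILES = {
    "logo.png": PNG_MAGIC + b"\0\0\0\rIHDR" + b"\0" * 32,
    "update.png": fake_pe(),
    "notes.png": b"just text",
    "setup.exe": fake_pe(),
}

if __name__ == "__main__":
    for name, kind in find_masquerades(SAMPLE_FILES):
        print(f"{name}: extension says png, content is {kind}")
```

Run over a dropped-file directory, this catches the rename trick regardless of what the web server or mail gateway recorded as the content type. It does not catch a genuine PNG with an executable appended or hidden in a chunk, which needs a full PNG chunk walk rather than a signature check.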

“XE Group remains a continued threat to various sectors, including government agencies, construction organizations, and healthcare providers,” the researchers said.


Related news

Earth Lusca's New SprySOCKS Linux Backdoor Targets Government Entities

The China-linked threat actor known as Earth Lusca has been observed targeting government entities using a never-before-seen Linux backdoor called SprySOCKS. Earth Lusca was first documented by Trend Micro in January 2022, detailing the adversary's attacks against public and private sector entities across Asia, Australia, Europe, North America. Active since 2021, the group has relied on

CVE-2023-33653: Bypass IIS Authorisation with this One Weird Trick - Three RCEs and Two Auth Bypasses in Sitecore 9.3

Sitecore Experience Platform (XP) v9.3 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML.

CVE-2023-21954: Oracle Critical Patch Update Advisory - April 2023

Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...

APT Actors Exploited Telerik Vulnerability in Govt IIS Server – CISA

By Deeba Ahmed (HackRead.com). According to a joint advisory from the US CISA (Cybersecurity and Infrastructure Security Agency), the FBI (Federal Bureau…

Multiple Hacker Groups Exploit 3-Year-Old Vulnerability to Breach U.S. Federal Agency

Multiple threat actors, including a nation-state group, exploited a critical three-year-old security flaw in Progress Telerik to break into an unnamed federal entity in the U.S. The disclosure comes from a joint advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC).

Telerik Bug Exploited to Steal Federal Agency Data, CISA Warns

An unpatched Telerik UI component on a Microsoft IIS web server allowed multiple cybersecurity threat groups to steal data from a federal civilian executive branch agency.

Ransomware's Favorite Target: Critical Infrastructure and Its Industrial Control Systems

The health, manufacturing, and energy sectors are the most vulnerable to ransomware.

CVE-2019-18935: Release History for Telerik Products

Progress Telerik UI for ASP.NET AJAX through 2019.3.1023 contains a .NET deserialization vulnerability in the RadAsyncUpload function. It is exploitable when the encryption keys are known, whether through CVE-2017-11317 or CVE-2017-11357 or by other means. Exploitation can result in remote code execution. (As of 2020.1.114, a default setting prevents the exploit. In 2019.3.1023, but not earlier versions, a non-default setting can prevent exploitation.)
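Both the XE Group reporting above and the CVE description hinge on one endpoint: exploitation of CVE-2019-18935 goes through the RadAsyncUpload handler, served at Telerik.Web.UI.WebResource.axd with type=rau in the query string. The following Python, added here as an example and not code from The Hacker News, Menlo Security, CISA or Progress, parses IIS W3C log lines, pulls out requests to that handler, and groups them by client so a defender can separate a probe-then-upload sequence from ordinary uploads. The log lines are constructed, the field set is an assumed default IIS layout, and the GET-before-POST heuristic is this example's own triage rule, not a published indicator.

```python
"""
Scan IIS W3C logs for traffic to the Telerik RadAsyncUpload handler
(Telerik.Web.UI.WebResource.axd?type=rau) that CVE-2019-18935 exploitation
goes through. Added example, not code from the article, the advisory or
Telerik; the log lines are constructed and the #Fields layout is an
assumed default IIS field set.
"""
from collections import defaultdict

# Constructed sample in IIS W3C format; 203.0.113.7 probes the handler
# with GET, then POSTs twice (one 500); 198.51.100.3 is a browser upload.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-03-01 09:12:01 10.0.0.5 GET /index.aspx - 443 - 198.51.100.3 Mozilla/5.0 200
2023-03-01 09:12:07 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 200
2023-03-01 09:12:09 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 200
2023-03-01 09:12:10 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 203.0.113.7 python-requests/2.28 500
2023-03-01 09:15:44 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.3 Mozilla/5.0 200
"""

RAU_HANDLER = "/telerik.web.ui.webresource.axd"


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue            # malformed record: skip rather than crash
        yield dict(zip(fields, values))


def rau_requests(text):
    """Records that hit the RadAsyncUpload handler (case-insensitive)."""
    for rec in parse_w3c(text):
        if (rec["cs-uri-stem"].lower() == RAU_HANDLER
                and "type=rau" in rec["cs-uri-query"].lower()):
            yield rec


def suspicious_sources(text, min_posts=1):
    """Per client IP: GET/POST counts to the handler, whether a GET probe
    preceded the POSTs, and the user agents seen. Only clients with at
    least `min_posts` POSTs are returned."""
    stats = defaultdict(lambda: {"get": 0, "post": 0, "agents": set()})
    for rec in rau_requests(text):
        s = stats[rec["c-ip"]]
        method = rec["cs-method"].lower()
        if method in ("get", "post"):
            s[method] += 1
        s["agents"].add(rec["cs(User-Agent)"])
    out = {}
    for ip, s in stats.items():
        if s["post"] >= min_posts:
            out[ip] = {
                "get": s["get"],
                "post": s["post"],
                "probe_then_upload": s["get"] > 0 and s["post"] > 0,
                "agents": sorted(s["agents"]),
            }
    return out


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_LOG).items():
        flag = "PROBE+UPLOAD" if info["probe_then_upload"] else "upload only"
        print(f"{ip}: {flag}, GET={info['get']} POST={info['post']} UA={info['agents']}")
```

POSTs to the handler are normal on an application that actually uses RadAsyncUpload, so the raw hit list is only a starting point; what merits triage is a non-browser user agent, a GET to the handler followed by POSTs, or POSTs from a client that never loaded a page. The durable fix is the one the CVE entry states: run 2020.1.114 or later, where the restrictive default applies, or on 2019.3.1023 enable the non-default setting, and rotate any RadAsyncUpload keys that may have been exposed through CVE-2017-11317 or CVE-2017-11357.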