Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and Advantive VeraCore, to drop reverse shells and web shells and maintain persistent remote access to compromised systems.
The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group, a cybercrime group likely of Vietnamese origin that is known to have been active since at least 2010.
"XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities," cybersecurity firm Intezer said in a report published in collaboration with Solis Security.
"Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics."
The vulnerabilities in question are listed below -
- CVE-2024-57968 (CVSS score: 9.9) - An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (Fixed in VeraCore version 2024.4.2.1)
- CVE-2025-25181 (CVSS score: 5.8) - An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available)
The latest findings from Intezer and Solis Security show that the two shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, in one instance leveraging CVE-2025-25181 as far back as early 2020. The exploitation activity was discovered in November 2024.
The web shells come fitted with capabilities to enumerate the file system, exfiltrate data, and compress it using tools like 7z. The access is also abused to drop a Meterpreter payload that attempts to connect to an actor-controlled server ("222.253.102[.]94:7979") via a Windows socket.
The updated variant of the web shell also incorporates a number of features to facilitate network scanning, command execution, and running SQL queries to extract critical information or modify existing data.
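The two post-exploitation artifacts the report describes, an ASPXSpy-style web shell written under the web root and an outbound Meterpreter connection to 222.253.102[.]94:7979, are the things an incident responder would hunt for first. The script below is an added example and is not code from Intezer, Solis Security, or the report; it assumes a generic key=value firewall log format, and the content markers it uses for the web shell (the string "ASPXSpy", a server-side Process.Start call, a cmd.exe reference, and a C# page directive) are illustrative assumptions chosen to match an unobfuscated ASPXSpy drop, so a hit is a lead to triage rather than proof. The sample web root and log lines are constructed inline so the example runs offline.

```python
"""Hunt for (1) ASPXSpy-like web shells under an IIS web root and
(2) outbound connections to the Meterpreter C2 named in the report.

Added example, not the report's own tooling. Marker strings, the log
format, and the sample data below are assumptions for illustration.
"""
import os
import re
import tempfile
from typing import List, Tuple

# Indicator from the report (defanged there as 222.253.102[.]94:7979).
C2_IP = "222.253.102.94"
C2_PORT = 7979

# Assumed content markers for an unobfuscated ASPXSpy-family shell.
# Renamed or encoded variants will evade these; they are a starting point.
SHELL_MARKERS = [
    re.compile(rb"ASPXSpy", re.I),
    re.compile(rb"Process\.Start\s*\(", re.I),
    re.compile(rb"cmd\.exe", re.I),
    re.compile(rb'<%@\s*Page\s+Language="C#"', re.I),
]
MIN_MARKER_HITS = 2  # a lone page directive is normal; require corroboration

# Assumed firewall/netflow line shape: "... dst=<ip> dport=<port> ...".
LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+)")


def scan_webroot(root: str) -> List[Tuple[str, List[str]]]:
    """Return (path, matched markers) for server-side script files that
    hit at least MIN_MARKER_HITS markers. Only the first 2 MB of each
    file is read so a large upload cannot stall the scan."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(2_000_000)
            except OSError:
                continue
            hits = [m.pattern.decode() for m in SHELL_MARKERS if m.search(data)]
            if len(hits) >= MIN_MARKER_HITS:
                findings.append((path, hits))
    return findings


def find_c2_connections(lines: List[str]) -> List[str]:
    """Return log lines whose destination matches the reported C2 IP:port."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") == C2_IP and int(m.group("dport")) == C2_PORT:
            hits.append(line.strip())
    return hits


def build_sample_webroot() -> str:
    """Constructed sample: one benign page plus one shell-like page placed
    in an upload folder, mirroring a file-upload-to-unintended-folder drop."""
    root = tempfile.mkdtemp(prefix="webroot_")
    with open(os.path.join(root, "default.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\n<html><body>Order status</body></html>\n')
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "img.aspx"), "wb") as fh:
        fh.write(b'<%@ Page Language="C#" %>\n<!-- ASPXSpy -->\n'
                 b'<script runat="server">void Run(string c){ '
                 b'System.Diagnostics.Process.Start("cmd.exe", c); }</script>\n')
    return root


# Constructed log lines (assumed format); only the second is the C2 callback.
SAMPLE_LOG = [
    "2024-11-12T10:03:41Z src=10.0.5.21 dst=13.107.42.14 dport=443 proto=tcp action=allow",
    "2024-11-12T10:03:44Z src=10.0.5.21 dst=222.253.102.94 dport=7979 proto=tcp action=allow",
    "2024-11-12T10:03:50Z src=10.0.5.21 dst=222.253.102.94 dport=443 proto=tcp action=deny",
]

if __name__ == "__main__":
    for path, hits in scan_webroot(build_sample_webroot()):
        print("possible web shell:", path, hits)
    for line in find_c2_connections(SAMPLE_LOG):
        print("C2 callback:", line)
```

Run it against a real IIS web root (for example `C:\inetpub\wwwroot`) and an export of perimeter logs; the port-specific match matters because the report ties the callback to 7979, and the third sample line shows that traffic to the same IP on another port is deliberately not reported by this check.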
While prior attacks mounted by XE Group have weaponized known vulnerabilities, namely flaws in Telerik UI for ASP.NET (CVE-2017-9248 and CVE-2019-18935, CVSS scores: 9.8), the development marks the first time the hacking crew has been attributed to zero-day exploitation, indicating an increase in sophistication.
"Their ability to maintain persistent access to systems, as seen with the reactivation of a web shell years after initial deployment, highlights the group's commitment to long-term objectives," researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz said.
"By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities."
CVE-2019-18935, which was flagged by U.K. and U.S. government agencies in 2021 as one of the most exploited vulnerabilities, has also come under active exploitation as recently as last month to load a reverse shell and execute follow-up reconnaissance commands via cmd.exe.
"While the vulnerability in Progress Telerik UI for ASP.NET AJAX is several years old, it continues to be a viable entry point for threat actors," eSentire said. "This highlights the importance of patching systems, especially if they will be exposed to the internet."
CISA Adds 5 Flaws to KEV Catalog
The development comes as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
- CVE-2025-0411 (CVSS score: 7.0) - 7-Zip Mark of the Web Bypass Vulnerability
- CVE-2022-23748 (CVSS score: 7.8) - Dante Discovery Process Control Vulnerability
- CVE-2024-21413 (CVSS score: 9.8) - Microsoft Outlook Improper Input Validation Vulnerability
- CVE-2020-29574 (CVSS score: 9.8) - CyberoamOS (CROS) SQL Injection Vulnerability
- CVE-2020-15069 (CVSS score: 9.8) - Sophos XG Firewall Buffer Overflow Vulnerability
Last week, Trend Micro revealed that Russian cybercrime outfits are exploiting CVE-2025-0411 to distribute the SmokeLoader malware as part of spear-phishing campaigns targeting Ukrainian entities.
The exploitation of CVE-2020-29574 and CVE-2020-15069, on the other hand, has been linked to a Chinese espionage campaign tracked by Sophos under the moniker Pacific Rim.
There are currently no public reports on how CVE-2024-21413, also tracked as MonikerLink by Check Point, is being exploited in the wild. As for CVE-2022-23748, the cybersecurity company disclosed in late 2022 that it had observed the ToddyCat threat actor leveraging a DLL side-loading vulnerability in Audinate Dante Discovery ("mDNSResponder.exe").
Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by February 27, 2025, under Binding Operational Directive (BOD) 22-01 to safeguard against active threats.