![Veracore Zero-Day](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuPQ8gQhQ76WkJdVkaZ-oj_lOiV9wgUabg5eV1tWN36Bur2pDBYFhIcx8eXObbTGq-lB5S5w_1_xqVMPg-XY6vUrSkWwbdQO70pVVUY22pIWRZPnSOmQwsQHMQEybvV2rL8EGMEJosciqa6-ciO_clAhv3r-6qEz3DSUwCY2tJZbSmeLOftfDI3SgaatMw/s728-rw-e365/veracod.png)
Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for ASP.NET AJAX and VeraCore, to drop reverse shells and web shells and maintain persistent remote access to compromised systems.
The zero-day exploitation of VeraCore's security flaws is attributed to a threat actor known as XE Group, a cybercriminal group of Vietnamese origin that is known to have been active since at least 2010.
"The XE Group has shifted from credit card skimming to targeted information theft, showing a significant shift in operational priorities," cybersecurity company Intezer said in a report published in collaboration with Solis Security.
“Their attacks now target the supply chains of the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics.”
The vulnerabilities in question are listed below –
CVE-2024-57968 (CVSS score: 9.9) – Unrestricted upload of file with dangerous type vulnerability that allows remote authenticated users to upload files to unintended folders (fixed in VeraCore version 2024.4.2.1)
CVE-2025-25181 (CVSS score: 5.8) – SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (no patch available)
The latest findings from Intezer and Solis Security show that the flaws are being chained to deploy the ASPXSPY web shell for unauthorized access to infected systems, with the activity observed in 2024.
The web shell is equipped with the ability to enumerate the file system, remove files, and compress them using tools such as 7z. The access is also abused to drop Meterpreter payloads that attempt to connect to an attacker-controlled server ("222.253.102[.]94:7979") over a Windows socket.
Updated variants of the web shell also incorporate a variety of features to facilitate network scanning, command execution, and SQL queries, allowing the attackers to exfiltrate sensitive information and modify existing data.
While previous attacks mounted by XE Group weaponized known vulnerabilities in Telerik UI for ASP.NET (CVE-2017-9248 and CVE-2019-18935, CVSS score: 9.8), this is the first time the hacking crew has been observed exploiting zero-day flaws, indicating an increase in sophistication.
“The ability to maintain persistent access to the system, as seen in webshell revitalization years after the initial deployment, underscores the group’s commitment to long-term goals.”
“By targeting the supply chains of the manufacturing and distribution sector, XE Group not only maximizes operational impact, it also demonstrates a keen understanding of systemic vulnerability.”
CVE-2019-18935, flagged by UK and US government agencies as one of the most exploited vulnerabilities in 2021, has also been subject to recent active exploitation: last month it was observed being used to load a reverse shell and run follow-up reconnaissance commands via cmd.exe.
"Although the vulnerabilities in Telerik UI for ASP.NET AJAX are several years old, they continue to be a viable entry point for threat actors," eSentire said. "This underscores the importance of patching systems, especially those exposed to the internet."
CISA Adds 5 Flaws to KEV Catalog
The development comes as the US Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
CVE-2025-0411 (CVSS score: 7.0) – 7-Zip Mark of the Web Bypass Vulnerability
CVE-2022-23748 (CVSS score: 7.8) – Dante Discovery Process Control Vulnerability
CVE-2024-21413 (CVSS score: 9.8) – Microsoft Outlook Improper Input Validation Vulnerability
CVE-2020-29574 (CVSS score: 9.8) – CyberoamOS (CROS) SQL Injection Vulnerability
CVE-2020-15069 (CVSS score: 9.8) – Sophos XG Firewall Buffer Overflow Vulnerability
Last week, Trend Micro revealed that Russian cybercrime groups are leveraging CVE-2025-0411 to distribute SmokeLoader malware as part of a spear-phishing campaign targeting Ukrainian entities.
Meanwhile, the exploitation of CVE-2020-29574 and CVE-2020-15069 has been linked to a Chinese espionage campaign that Sophos tracks under the moniker Pacific Rim.
There are currently no public reports of CVE-2024-21413, which Check Point tracks under the name MonikerLink, being abused in the wild. As for CVE-2022-23748, the cybersecurity company previously revealed that it had observed a threat actor tracked as Todisai exploiting the DLL side-loading vulnerability in Audinate Dante Discovery ("mDNSResponder.exe") in late 2022.
Federal Civilian Executive Branch (FCEB) agencies are required to apply the necessary updates by February 27, 2025, under Binding Operational Directive (BOD) 22-01, to secure their networks against active threats.