The vulnerability used in the attack against the federal agency is well known and was among the top exploits in 2021. Credit card skimming is the “bread and butter” of XE Group, a gang that is likely Vietnamese.
MARCH 15, 2023
A nation-state hacking group and a criminal gang best known for card skimming had access to a federal civilian agency from August to January 2023, according to a Wednesday joint alert released by the Cybersecurity and Infrastructure Security Agency, the FBI and the Multi-State Information Sharing and Analysis Center.
According to the alert, both the nation-backed hacking group and the criminal group dubbed XE Group exploited known vulnerabilities in Progress Telerik software located in the unnamed government agency’s Microsoft Internet Information Services (IIS) web server.
Google’s Threat Analysis Group, which was credited in the alert, notified CISA that the unnamed agency was targeted by Hafnium, the China-linked hacking group most recently known for the massive compromise in Microsoft’s Exchange Server, a spokesperson told CyberScoop. The March 2021 espionage campaign impacted tens of thousands of customers across the world including several state governments.
The criminal XE Group had been attempting to infiltrate the agency since August 2021 using malicious DLL files masquerading as PNGs, according to the advisory. Cybersecurity firm Volexity said in a report from December 2021 that the “bread and butter” of XE Group is credit card skimming and noted that the gang is likely Vietnamese.
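One defender-side check the DLL-as-PNG detail suggests, written here as an added example that is not code from the advisory, the article or either group: flag files whose extension claims an image but whose bytes carry a Windows PE header. The sample files are constructed stand-ins, not artifacts from the incident.

```python
import struct

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # fixed 8-byte PNG signature
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def is_png(data: bytes) -> bool:
    """True if the bytes start with the PNG signature."""
    return data[:8] == PNG_MAGIC


def is_pe(data: bytes) -> bool:
    """True if the bytes have a DOS 'MZ' header and 'PE\\0\\0' at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(name: str, data: bytes) -> str:
    """Compare the type the extension claims with the type the signature shows."""
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    claims_image = "." + ext in IMAGE_EXTENSIONS
    if claims_image and is_pe(data):
        return "SUSPICIOUS: PE executable disguised as ." + ext
    if ext == "png" and not is_png(data):
        return "WARN: .png without PNG signature"
    return "ok"


def scan(files: dict) -> list:
    """Return names of files that are PE binaries hiding behind an image extension."""
    return [n for n, d in files.items() if classify(n, d).startswith("SUSPICIOUS")]


def _fake_pe() -> bytes:
    """Constructed minimal DLL stand-in: MZ header and e_lfanew -> 'PE\\0\\0'. Not loadable."""
    buf = bytearray(0x80)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\x00\x00"
    return bytes(buf)


# Constructed sample set (hypothetical names, not files from the advisory).
SAMPLE_FILES = {
    "logo.png": PNG_MAGIC + b"\x00\x00\x00\x0dIHDR",  # genuine PNG header
    "banner.png": _fake_pe(),                         # DLL masquerading as PNG
    "helper.dll": _fake_pe(),                         # PE with an honest extension
    "notes.png": b"not an image at all",              # wrong type, but not a PE
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        print(f"{name:12} {classify(name, data)}")
```

The same signature check extends to any "trusted" extension an IIS upload path accepts; trusting the extension alone is what lets the masquerade work.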
The vulnerability is well known, and while the bug did not make the list of the top 15 vulnerabilities exploited in 2021, it did get an honorable mention as a “routinely exploited” vulnerability. The bug was on the list of known exploited vulnerabilities that CISA mandated federal agencies patch. Officials said the nation-state group had been exploiting the bug, which allows remote code execution, as early as August 2022.
CISA declined to comment further.
Updated March 16, 2023: This article has been updated to include attribution from Google’s Threat Analysis Center.