XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells - Related to apple, ai, hacker, 'extremely, attacks

Apple fixes zero-day exploited in 'extremely sophisticated' attacks

Apple has released emergency security updates to patch a zero-day vulnerability that the corporation says was exploited in targeted and "extremely sophisticated" attacks.

"A physical attack may disable USB Restricted Mode on a locked device," the firm revealed in an advisory targeting iPhone and iPad customers.

"Apple is aware of a study that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals."

USB Restricted Mode is a security feature (introduced almost seven years ago in iOS [website] that blocks USB accessories from creating a data connection if the device has been locked for over an hour. This feature is designed to block forensic software like Graykey and Cellebrite (commonly used by law enforcement) from extracting data from locked iOS devices.

In November, Apple introduced another security feature (dubbed "inactivity reboot") that automatically restarts iPhones after long idle times to re-encrypt data and make it harder to extract by forensic software.

The zero-day vulnerability (tracked as CVE-2025-24200 and 's Bill Marczak) patched today by Apple is an authorization issue addressed in iOS [website] and iPadOS [website] with improved state management.

The list of devices this zero-day impacts includes:

iPad Pro 13-inch, iPad Pro [website] 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

Even though this vulnerability was only exploited in targeted attacks, it is highly advised to install today's security updates immediately to block potentially ongoing attack attempts.

While Apple has yet to provide more information about in-the-wild exploitation, Citizen Lab security researchers have often disclosed zero-days used in targeted spyware attacks against high-risk individuals, such as journalists, opposition politicians, and dissidents.

Last month, Apple fixed this year's first zero-day vulnerability (CVE-2025-24085) tagged as exploited in attacks against iPhone individuals.

In 2024, the corporation patched six actively exploited zero-days: the first in January, two in March, a fourth in May, and two more in November.

One year before, in 2023, Apple patched 20 zero-day flaws exploited in the wild, including:

Vergangene Weihnachten wurde ein Problem mit Windows 11 24H2-Installationen bekannt, dass diese keine weiteren Aktualisierungen installieren können, w......

Four distributors of the encrypted communications service Sky ECC, used extensively by criminals, were arrested in Spain and the Netherlands.

Das anonymisierende Linux Tails ist in aktualisierter Fassung erschienen. Darin schließen die Entwickler Sicherheitslücken, die Angreifern die Deanony......

XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells

Threat actors have been observed exploiting multiple security flaws in various software products, including Progress Telerik UI for [website] AJAX and Advantive VeraCore, to drop reverse shells and web shells, and maintain persistent remote access to compromised systems.

The zero-day exploitation of security flaws in VeraCore has been attributed to a threat actor known as XE Group, a cybercrime group likely of Vietnamese origin that's known to be active since at least 2010.

"XE Group transitioned from credit card skimming to targeted information theft, marking a significant shift in their operational priorities," cybersecurity firm Intezer noted in a investigation .

"Their attacks now target supply chains in the manufacturing and distribution sectors, leveraging new vulnerabilities and advanced tactics."

The vulnerabilities in question are listed below -.

CVE-2024-57968 (CVSS score: [website] - An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated individuals to upload files to unintended folders (Fixed in VeraCode version [website].

(CVSS score: [website] - An unrestricted upload of files with a dangerous type vulnerability that allows remote authenticated individuals to upload files to unintended folders (Fixed in VeraCode version [website] CVE-2025-25181 (CVSS score: [website] - An SQL injection vulnerability that allows remote attackers to execute arbitrary SQL commands (No patch available).

The latest findings from Intezer and Solis Security show that the shortcomings are being chained to deploy ASPXSpy web shells for unauthorized access to infected systems, in one instance leveraging CVE-2025-25181 as far back as early 2020. The exploitation activity was discovered in November 2024.

The web shells come fitted with capabilities to enumerate the file system, exfiltrate files, and compress them using tools like 7z. The access is also abused to drop a Meterpreter payload that attempts to connect to an actor-controlled server ("[website][.]94:7979") via a Windows socket.

The updated variant of the web shell also incorporates a variety of capabilities to facilitate network scanning, command execution, and running SQL queries to extract critical information or modify existing data.

While previous attacks mounted by XE Group have weaponized known vulnerabilities, namely flaws in Telerik UI for [website] (CVE-2017-9248 and CVE-2019-18935, CVSS scores: [website], the development marks the first time the hacking crew has been attributed to zero-day exploitation, indicating an increase in sophistication.

"Their ability to maintain persistent access to systems, as seen with the reactivation of a web shell years after initial deployment, highlights the group's commitment to long-term objectives," researchers Nicole Fishbein, Joakim Kennedy, and Justin Lentz stated.

"By targeting supply chains in the manufacturing and distribution sectors, XE Group not only maximizes the impact of their operations but also demonstrates an acute understanding of systemic vulnerabilities."

CVE-2019-18935, which was flagged by [website] and [website] government agencies in 2021 as one of the most exploited vulnerabilities, has also come under active exploitation as not long ago as last month to load a reverse shell and execute follow-up reconnaissance commands via [website].

"While the vulnerability in Progress Telerik UI for [website] AJAX is several years old, it continues to be a viable entry point for threat actors," eSentire noted. "This highlights the importance of patching systems, especially if they are going to be exposed to the internet."

The development comes as the [website] Cybersecurity and Infrastructure Security Agency (CISA) added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.

CVE-2025-0411 (CVSS score: [website] - 7-Zip Mark of the Web Bypass Vulnerability.

(CVSS score: [website] - 7-Zip Mark of the Web Bypass Vulnerability CVE-2022-23748 (CVSS score: [website] - Dante Discovery Process Control Vulnerability.

(CVSS score: [website] - Dante Discovery Process Control Vulnerability CVE-2024-21413 (CVSS score: [website] - Microsoft Outlook Improper Input Validation Vulnerability.

(CVSS score: [website] - Microsoft Outlook Improper Input Validation Vulnerability CVE-2020-29574 (CVSS score: [website] - CyberoamOS (CROS) SQL Injection Vulnerability.

(CVSS score: [website] - CyberoamOS (CROS) SQL Injection Vulnerability CVE-2020-15069 (CVSS score: [website] - Sophos XG Firewall Buffer Overflow Vulnerability.

Last week, Trend Micro revealed that Russian cybercrime outfits are exploiting CVE-2025-0411 to distribute the SmokeLoader malware as part of spear-phishing campaigns targeting Ukrainian entities.

The exploitation of CVE-2020-29574 and CVE-2020-15069, on the other hand, has been linked to a Chinese espionage campaign tracked by Sophos under the moniker Pacific Rim.

There are currently no reports on how CVE-2024-21413, also tracked as MonikerLink by Check Point, is being exploited in the wild. As for CVE-2022-23748, the cybersecurity business disclosed in late 2022 that it observed the ToddyCat threat actor leveraging a DLL side-loading vulnerability in Audinate Dante Discovery ("[website]").

Federal Civilian Executive Branch (FCEB) agencies are mandated to apply the necessary updates by February 27, 2025, under Binding Operational Directive (BOD) 22-01 to safeguard against active threats.

A global law enforcement operation targeting the Phobos ransomware gang has led to the arrest of four suspected hackers in Phuket, Thailand, and the s......

Mehr-Faktor-Authentifizierung (MFA) liefert besseren Schutz vor Phishing oder der direkten Nutzung von Zugangsdaten aus Datenlecks. Google hat im Nove......

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in......

Microsoft raises rewards for Copilot AI bug bounty program

​Microsoft unveiled over the weekend that it has expanded its Microsoft Copilot (AI) bug bounty program and increased payouts for moderate severity vulnerabilities.

To further secure its Copilot consumer products against attacks, Redmond added a broader range of Copilot consumer products and services to the scope of the program, including Copilot for Telegram, Copilot for WhatsApp, [website], and [website].

The corporation is now also offering incentives of up to $5,000 for reporting moderate vulnerabilities, which can also significantly affect the security and reliability of its Copilot products.

"We are introducing new incentives for moderate severity Copilot cases. Researchers who identify and study moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000," Microsoft mentioned.

"This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms."

The corporation's Microsoft Copilot bounty program also rewards qualified submissions for vulnerabilities found in Copilot (Pro) AI experiences in Microsoft Edge (Windows), Microsoft Copilot Application (iOS and Android), Windows OS, and Bing generative search hosted on [website] in Browser.

Bounty awards range from $250 for low-severity Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), Web Security Misconfiguration, Cross Origin Access, and Improper Input Validation bugs up to $30,000 for critical flaws allowing inference manipulation.

The Microsoft 365 Bounty Program was also expanded last month to include new Viva products for Critical and significant cases, including Feature Access Control, Glint, Learning, and Pulse, with awards up to $27,000.

During last year's Ignite annual conference in Chicago, Microsoft also expanded its bug bounty programs by launching the Zero Day Quest, a hacking event with $4 million in rewards focused on cloud and AI products and platforms.

The efforts to boost cybersecurity protection across all products are part of the Secure Future Initiative (SFI), a firm-wide cybersecurity engineering effort launched in November 2023 to get ahead of a scathing study issued by the Cyber Safety Review Board of the [website] Department of Homeland Security saying that Microsoft's "security culture was inadequate and requires an overhaul."

Zimbra has released software updates to address critical security flaws in its Collaboration software that, if successfully exploited, could result in......

Admins, die die Asset-Managementsoftware Trimble Cityworks verwalten, müssen ihre Systeme durch die Installation eines Sicherheitsupdates vor laufende......

Today, an Alabama man pleaded guilty to hijacking the [website] Securities and Exchange Commission (SEC) account on X in a January 2024 SIM swapping attack......