Unmasking the identity of XE Group, a threat actor of Vietnamese origin

Earlier this year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning organizations to watch for attempts by a group of hackers known as XE Group to exploit CVE-2019-18935, a three-year-old, critical security flaw in Progress Telerik devices. The flaw carries a CVSS score of 9.8 and could be used to gain a foothold on a target's system.

Now, thanks to the efforts of cybersecurity researchers, we may know the identity of one of the individuals associated with this e-crime group. According to Menlo Security, which pieced together information from various online sources, the individual in question is Nguyen Huu Tai, who also goes by the names Joe Nguyen and Thanh Nguyen. There is no definitive proof that Tai is behind XE Group's cybercriminal activities, which date back to at least 2013, but the evidence gathered by Menlo Security points to a strong likelihood that he is involved in some way.

XE Group is known to target government agencies, construction organizations, and the healthcare sector, among others. The group typically compromises internet-exposed servers using known exploits, then monetizes the intrusions by installing code that steals passwords or skims credit card information from online services. In some cases, the group has even been seen creating AutoIT scripts that automatically generate emails, as well as rudimentary validators for stolen credit cards.

With this research, we are one step closer to unmasking the individuals behind this e-crime group and bringing them to justice.
