Malicious actors are using a cloud attack tool named Xeon Sender to conduct SMS phishing and spam campaigns at scale by abusing legitimate services.
“Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
Examples of the services used to facilitate the en masse distribution of SMS messages include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.
It is important to note here that the activity does not exploit any inherent weaknesses in these providers. Rather, the tool uses legitimate APIs to conduct bulk SMS spam attacks.
It joins tools like SNS Sender that have increasingly become a way to send bulk smishing messages and ultimately capture sensitive information from targets.
It is distributed via Telegram and hacking forums, with one of the older versions crediting a Telegram channel dedicated to advertising cracked hacking tools. The latest version, available for download as a ZIP file, attributes itself to a Telegram channel named Orion Toolxhub (oriontoolxhub) that has 200 members.
Orion Toolxhub was created on February 1, 2023. It has also freely made available other software for brute-force attacks, reverse IP address lookups, and others such as a WordPress site scanner, a PHP web shell, a Bitcoin clipper, and a program called YonixSMS that purports to offer unlimited SMS sending capabilities.
Xeon Sender is also known as XeonV5 and SVG Sender. Early versions of the Python-based program were detected as early as 2022. It has since been repurposed by several threat actors for their own purposes.
“Another incarnation of the tool is hosted on a web server with a GUI,” Delamotte stated. “This hosting method removes a potential barrier to access, enabling lower skilled actors who may not be comfortable with running Python tools and troubleshooting their dependencies.”
Xeon Sender, regardless of the variant used, offers its users a command-line interface that can be used to communicate with the backend APIs of the chosen service provider and orchestrate bulk SMS spam attacks.
This also means that the threat actors are already in possession of the API keys required to access the endpoints. The crafted API requests also include the sender ID, the message contents, and one of the phone numbers chosen from a predefined list present in a text file.
Xeon Sender, besides its SMS sending methods, incorporates features to validate Nexmo and Twilio account credentials, generate phone numbers for a given country code and area code, and check whether a provided phone number is valid.
Despite the tool's lack of finesse, SentinelOne said the source code is replete with ambiguous variables such as single letters or a letter plus a number, which makes debugging more difficult.
“Xeon Sender largely uses provider-specific Python libraries to craft API requests, which presents interesting detection challenges,” Delamotte stated. “Each library is unique, as are the provider’s logs. It may be difficult for teams to detect abuse of a given service.”
“To defend against threats like Xeon Sender, organizations should monitor activity related to evaluating or modifying SMS sending permissions or anomalous changes to distribution lists, such as a large upload of new recipient phone numbers.”
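The monitoring advice in that last quote, illustrated with an added example that is not from SentinelOne's report and is not Xeon Sender code: a Python detector that normalizes two constructed log formats (an AWS CloudTrail-style record for sns:Publish and a simplified Twilio-style CSV line, both assumed shapes with placeholder credentials) into one schema, then flags any credential that messages an unusual number of distinct recipients inside a short window, which is the footprint a bulk-smishing tool leaves regardless of which provider it drives. The window and recipient thresholds are illustrative.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample records, not real logs: the JSON mimics an AWS CloudTrail entry
# for sns:Publish, the CSV a simplified Twilio-style "timestamp,account_sid,to" export.
def _sns_event(ts, key_id, to):
    return json.dumps({"eventTime": ts.strftime(TS), "eventSource": "sns.amazonaws.com",
                       "eventName": "Publish", "userIdentity": {"accessKeyId": key_id},
                       "requestParameters": {"phoneNumber": to}})

T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_LOGS = (
    # burst: one access key publishes to 30 distinct numbers within 90 seconds
    [_sns_event(T0 + timedelta(seconds=3 * i), "AKIAEXAMPLE", f"+1555{i:06d}") for i in range(30)]
    # benign: another key sends three one-time codes spread over an hour
    + [_sns_event(T0 + timedelta(minutes=20 * i), "AKIAOTHER", f"+1666{i:06d}") for i in range(3)]
    # benign Twilio-style lines: five messages from one account in five minutes
    + [f"2024-01-01T12:{m:02d}:00Z,ACxxxxEXAMPLE,+1777{m:06d}" for m in range(5)]
)

def normalize(line):
    """Map one provider-specific log line onto (timestamp, principal, recipient)."""
    if line.startswith("{"):
        ev = json.loads(line)
        if ev.get("eventSource") != "sns.amazonaws.com" or ev.get("eventName") != "Publish":
            return None  # other SNS API calls are not message sends
        return (datetime.strptime(ev["eventTime"], TS), "aws:" + ev["userIdentity"]["accessKeyId"],
                ev["requestParameters"]["phoneNumber"])
    ts, sid, to = line.split(",")
    return (datetime.strptime(ts, TS), "twilio:" + sid, to)

def find_bulk_senders(lines, window=timedelta(minutes=5), max_recipients=20):
    """Return {principal: peak distinct recipients} for credentials that exceed the threshold."""
    by_principal = defaultdict(list)
    for ts, principal, to in filter(None, map(normalize, lines)):
        by_principal[principal].append((ts, to))
    flagged = {}
    for principal, events in by_principal.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop events that fell out of the sliding window
            distinct = len({to for _, to in events[start:end + 1]})
            if distinct > max_recipients:
                flagged[principal] = max(flagged.get(principal, 0), distinct)
    return flagged
```

Because the detector keys on the credential rather than the provider, the same sliding-window logic applies to any provider whose log can be mapped onto the shared tuple; tune the window and recipient threshold to the tenant's normal sending pattern.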