Cybercriminals are using a cloud-based attack tool called Xeon Sender to conduct large-scale SMS phishing and spam campaigns by abusing legitimate services.
Xeon Sender: How it works
“Attackers can use Xeon to send messages across multiple software-as-a-service (SaaS) providers using valid service provider credentials”, said Alex Delamotte, security researcher at SentinelOne, in a report.
Examples of services used to facilitate mass distribution of SMS messages include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt and Twilio.
It is important to note that this activity does not exploit any inherent vulnerabilities of these providers. Instead, the tool uses legitimate APIs to conduct bulk SMS spam attacks.
It joins tools like SNS Sender, which have become an increasingly popular way to send smishing (SMS phishing) messages en masse and ultimately capture sensitive information from victims.
The Xeon Sender distribution
The tool is distributed via Telegram and hacking forums. One of the older versions credits a Telegram channel dedicated to advertising cracked hacking tools; the latest version, available for download as a ZIP file, is attributed to a Telegram channel called Orion Toolxhub (oriontoolxhub), which has 200 members.
Orion Toolxhub was created on February 1, 2023 and has also given away other software for free: brute-force tools, reverse IP address lookups, a WordPress site scanner, a PHP web shell, a Bitcoin clipper, and a program called YonixSMS that claims to offer unlimited SMS sending capabilities.
Xeon Sender is also known as XeonV5 and SVG Sender. The first versions of the Python-based program were detected as early as 2022; since then, it has been repurposed by several cybercriminals for their own purposes.
The strange website where a variant of this tool is hosted
“Another incarnation of the tool is hosted on a web server with a graphical interface”, Delamotte said. “This hosting method removes a potential barrier to entry, allowing less experienced hackers, who may not be comfortable using Python tools and troubleshooting their dependency issues, to access it.”
Xeon Sender, regardless of the variant used, offers its users a command-line interface that communicates with the backend APIs of the chosen service provider and orchestrates mass SMS spam campaigns.
This also implies that the operator must already hold valid API keys for the provider's endpoints; the crafted API requests carry the sender ID, the message content and one phone number at a time, drawn from a predefined list stored in a text file.
Xeon Sender, in addition to its SMS sending methods, incorporates functions to validate Nexmo and Twilio account credentials, generate phone numbers for a given country code and area code, and check if a provided phone number is valid.
Despite the tool's lack of sophistication, SentinelOne said the source code is full of ambiguous variable names, such as single letters or a letter followed by a number, making debugging much more difficult.
“Xeon Sender largely uses vendor-specific Python libraries to create API requests, which presents interesting challenges for discovery”, Delamotte said. “Every library is unique, and so are the vendor logs. It can be difficult for teams to detect abuse of a particular service.”
Delamotte concluded: “To defend against threats like Xeon Sender, organizations should monitor activities related to the evaluation or modification of SMS sending permissions or anomalous changes to distribution lists, like a big upload of new recipient phone numbers.”
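The two detection signals in that recommendation, together with the request shape described earlier (one provider API call per recipient, carrying a sender ID, the message and a number from a list), can be turned into a concrete check. What follows is an added example written for this page, not code from SentinelOne, Xeon Sender or any vendor: it runs over constructed, CloudTrail-style records for the Amazon SNS case. The field names (`eventName`, `userIdentity.accessKeyId`, `requestParameters.phoneNumber`) follow CloudTrail's general layout but the records and values are made up, and whether `Publish` calls appear in your trail at all depends on SNS data-event logging being enabled; management calls such as `SetSMSAttributes` are logged as normal management events. Threshold values and the list of "SMS permission" event names are assumptions to tune for your environment.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one SMS-settings change, then a 25-recipient burst
# from the same access key, then an unrelated single OTP send from another key.
# Phone numbers, keys and timestamps are invented for this example.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"eventTime": "2024-08-19T10:00:00Z", "eventName": "SetSMSAttributes",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"},
     "requestParameters": {"attributes": {"MonthlySpendLimit": "5000"}}},
] + [
    {"eventTime": f"2024-08-19T10:01:{i:02d}Z", "eventName": "Publish",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00001"},
     "requestParameters": {
         "phoneNumber": f"+1415555{1000 + i:04d}",
         "message": "Your parcel is on hold. Confirm at http://example.invalid/x",
         "messageAttributes": {"AWS.SNS.SMS.SenderID": {"stringValue": "DELIVERY"}}}}
    for i in range(25)
] + [
    {"eventTime": "2024-08-19T11:30:00Z", "eventName": "Publish",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY00002"},
     "requestParameters": {"phoneNumber": "+447700900123",
                           "message": "Your login code is 482913"}},
])

# Assumed set of SNS management calls that alter SMS sending behaviour.
SMS_PERMISSION_EVENTS = {"SetSMSAttributes", "CreateSMSSandboxPhoneNumber",
                         "VerifySMSSandboxPhoneNumber", "OptInPhoneNumber"}


def parse_events(text):
    """One JSON record per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def sms_permission_changes(events):
    """First signal: anyone touching SMS sending permissions or limits."""
    return [e for e in events if e["eventName"] in SMS_PERMISSION_EVENTS]


def bulk_sms_bursts(events, window=timedelta(minutes=5), min_recipients=20):
    """Second signal: per access key, a sliding window in which Publish reached
    at least min_recipients distinct phone numbers. Returns {key: max_distinct}."""
    by_key = defaultdict(list)
    for e in events:
        phone = e.get("requestParameters", {}).get("phoneNumber")
        if e["eventName"] == "Publish" and phone:
            by_key[e["userIdentity"]["accessKeyId"]].append((_ts(e), phone))
    alerts = {}
    for key, sends in by_key.items():
        sends.sort()
        start = 0
        for end in range(len(sends)):
            while sends[end][0] - sends[start][0] > window:
                start += 1
            distinct = {p for _, p in sends[start:end + 1]}
            if len(distinct) >= min_recipients:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts


def dominant_prefix_share(numbers, prefix_len=5):
    """Fraction of numbers under the single most common prefix ("+1415" is
    country + area code). A list generated for one country/area code sits near
    1.0; an organic customer list is spread across many prefixes."""
    if not numbers:
        return 0.0
    _, count = Counter(n[:prefix_len] for n in numbers).most_common(1)[0]
    return count / len(numbers)


def analyze(text):
    """Combine the signals into one report keyed by access key."""
    events = parse_events(text)
    recipients = defaultdict(list)
    for e in events:
        phone = e.get("requestParameters", {}).get("phoneNumber")
        if e["eventName"] == "Publish" and phone:
            recipients[e["userIdentity"]["accessKeyId"]].append(phone)
    bursts = {
        key: {"recipients": n,
              "dominant_prefix_share": round(dominant_prefix_share(recipients[key]), 2)}
        for key, n in bulk_sms_bursts(events).items()
    }
    return {"permission_changes": [e["eventName"] for e in sms_permission_changes(events)],
            "bursts": bursts}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The same three checks (permission-change events, distinct-recipient bursts per credential, prefix clustering of new recipients) carry over to the other providers in the list above, but, as the quote notes, each vendor's log format is different, so the parser and the event names have to be rewritten per provider; only the logic is shared.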