Industrial cellular routers in Australia abused for smishing


A popular make of industrial cellular routers with nearly 10,000 devices connected to the Internet in Australia alone is being abused by attackers for short messaging service (SMS) text spam, or smishing.



French security vendor Sekoia discovered earlier this year that the application programming interface (API) of hundreds of Milesight cellular routers was being used to deliver phishing messages through texts.

The targets for the campaign were Belgian government service portals, and it turns out that Australian cellular routers were attacked as well, Sekoia cyber threat intelligence analyst Jérémy Scion told iTNews.

Sekoia used the Shodan scan engine and discovered over 18,000 Milesight routers that were accessible via the Internet.

The security vendor’s threat detection team tested 6643 and found that 572 routers were misconfigured to allow unauthenticated access to their inbox and outbox APIs, which were used to send malicious text messages.

Some of the routers that attackers attempted to abuse are located in Australia.

“According to Shodan, there are 9778 routers of this type in Australia, the highest concentration worldwide,” Scion said.

“We quickly tested a sample of about 3000 Australian IP addresses and found that 90 of them expose the SMS-send/receive API without any authentication,” he added.

Of the 90, at least six were involved in fraudulent smishing campaigns between June and September, again targeting phone numbers in Belgium in an attempt at stealing banking information.

The text messages weren’t sent successfully, Scion added, due to subscriber identity module (SIM) restrictions, lack of credit and other factors, but the attempts to transmit the SMS prove exploitation, he said.

“Other routers appear to have been abused for different fraud schemes,” Scion said.

Scion said Sekoia detected the attacks through one of its honeypots.

The attacker presented a valid session cookie to authenticate with the router API, but how the credential was acquired remains undetermined.

Sekoia thinks the smishing campaign has been active since at least February 2022.

Apart from Belgium, SMS spam samples collected by Sekoia showed several other countries worldwide being targeted by the attackers.

Swedish numbers were sent over 42,000 messages, and more than 31,000 Italian devices were recipients of mass smishing campaigns.

Based on the Internet Protocol (IP) addresses in the messages, the attacker’s infrastructure appears to be on the network of a Lithuanian virtual private server (VPS) provider.

A bot on the Telegram communications app was used to log connections from visitors who clicked on phishing links, with Sekoia noting that the operator of the channel in question appears to speak Arabic and French.

Scion said the vendor, Milesight, was not contacted by Sekoia.

“What we documented is not a software vulnerability per se but rather a misconfiguration of the device,” Scion said.

“Furthermore, the vast majority of affected routers are running outdated firmware versions.”

iTNews has approached Milesight for comment on the matter.


