Cybercriminals have been using a cloud-based tool called Xeon Sender to carry out large-scale SMS spam and phishing campaigns.

Description

Xeon Sender utilizes legitimate software-as-a-service providers like Amazon SNS [2], Twilio [1] [2] [3] [5] [6] [7], Plivo [2] [3] [6], and Nexmo to send bulk SMS messages [2]. Distributed through platforms such as Telegram and various hacking forums, Xeon Sender simplifies the process for attackers to launch these attacks. Despite claims of ownership, minimal changes have been made to Xeon Sender since its discovery in 2022. With the ability to send bulk messages using APIs from nine different SMS providers [2], attackers typically obtain necessary credentials from compromised accounts [2]. While lacking robust error handling [2], Xeon Sender remains a significant threat due to its simplicity and the availability of credentials. Organizations are advised to monitor changes in SMS sending permissions and unusual uploads of phone numbers to mitigate risks associated with this tool [2]. Xeon Sender has evolved over time and is now distributed through Telegram channels [5], offering features like account credential validation and phone number generation [5]. Detecting and mitigating Xeon Sender attacks can be challenging due to obfuscated source code and provider-specific Python libraries [5]. To defend against threats like Xeon Sender [1] [3] [5], organizations should monitor activity related to SMS sending permissions and distribution lists [1] [3]. Xeon Sender is a cloud attack tool used for SMS spam and phishing campaigns [1], also known as smishing [1]. Attackers can send messages through multiple software-as-a-service providers using valid credentials [1] [3] [4]. The tool uses legitimate APIs to enable bulk SMS spam attacks [1], with service providers including Amazon SNS [1], Nexmo [1] [3] [5] [6], Twilio [1] [2] [3] [5] [6] [7], and others. Actors likely seek credentials from accounts that have already undergone the necessary processes [1]. Xeon Sender gives insight into how actors attack cloud services to send SMS spam [1], with threat actors targeting accounts that have already met federal regulations and related fees for message delivery [1].

Conclusion

The impact of Xeon Sender on organizations is significant, requiring constant monitoring of SMS sending permissions and distribution lists to mitigate risks. As Xeon Sender continues to evolve and be distributed through various channels, organizations must stay vigilant and adapt their security measures accordingly to defend against future attacks.

References

[1] https://businessmondays.co.uk/xeon-sender-sms-spam-shipping-multi-tool-targeting-saas-credentials/
[2] https://www.infosecurity-magazine.com/news/xeon-sender-enables-sms-spam/
[3] https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html
[4] https://cyber.vumetric.com/security-news/2024/08/19/xeon-sender-tool-exploits-cloud-apis-for-large-scale-sms-phishing-attacks/
[5] https://www.techtimes.com/articles/307193/20240819/attackers-use-xeon-sender-tool-launch-sms-phishing-spam-campaigns.htm
[6] https://cybermaterial.com/xeon-sender-exploits-cloud-apis-for-phishing/
[7] https://pledgetimes.com/xeon-sender-new-large-scale-sms-phishing-tool/