Xeon Sender Tool Abuses Cloud APIs for Large-Scale SMS Phishing Campaigns
Threat actors are using a cloud attack tool called Xeon Sender to run SMS phishing (smishing) and spam campaigns at scale by abusing legitimate services.
“Perpetrators are able to utilize Xeon to dispatch messages through numerous software-as-a-service (SaaS) providers using legitimate access to the service providers,” SentinelOne security researcher Alex Delamotte said in a report shared with The Hacker News.
Examples of the services abused to facilitate bulk SMS delivery include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.
It is worth emphasizing that the operation does not exploit any inherent vulnerabilities in these providers. Rather, the tool uses their legitimate APIs to carry out mass SMS spam operations.
It joins tools like SNS Sender that have increasingly become a way to send bulk smishing messages and ultimately harvest sensitive information from targets.
The tool is distributed via Telegram and hacking forums, with one of the earlier versions crediting a Telegram channel dedicated to advertising cracked hacking tools. The most recent version, available for download as a ZIP archive, attributes itself to a Telegram channel called Orion Toolxhub (oriontoolxhub) with 200 members.
Orion Toolxhub was created on February 1, 2023. It has also freely shared other software for brute-force attacks, reverse IP address lookups, and other purposes, such as a WordPress site scanner, a PHP web shell, a Bitcoin clipper, and a program named YonixSMS that claims to offer unlimited SMS sending.
Xeon Sender is also known as XeonV5 and SVG Sender. Early versions of the Python-based tool have been observed as far back as 2022. It has since been repurposed by various threat actors for their own ends.
“An additional version of the application is accommodated on a web server with a graphical user interface,” Delamotte said. “This accommodation method eliminates a possible hurdle to access, empowering less skilled actors who may not feel at ease with operating Python tools and diagnosing their prerequisites.”
Regardless of the version used, Xeon Sender provides its users with a command-line interface that communicates with the backend APIs of the chosen service provider to orchestrate bulk SMS spam operations.
This also means that the threat actors already possess the API keys required to reach those endpoints. The crafted API requests include the sender ID, the message content, and one of the phone numbers selected from a predefined list stored in a text file.

Besides its SMS sending capabilities, Xeon Sender includes features to validate Nexmo and Twilio account credentials, generate phone numbers for a given country code and area code, and check whether a supplied phone number is valid.
Despite the tool's lack of sophistication, SentinelOne noted that the source code is rife with ambiguously named variables, such as single letters or a letter paired with a number, which makes debugging considerably harder.
“Xeon Sender mainly utilizes provider-specific Python libraries to design API requests, which poses intriguing detection challenges,” Delamotte said. “Each library is distinct, as are the provider’s logs. It might be tough for teams to detect misuse of a given service.”
“To shield against threats like Xeon Sender, organizations ought to surveil activity associated with assessing or adjusting SMS dispatch permissions or anomalous modifications to distribution lists, such as a substantial upload of new recipient phone numbers.”
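The two signals in that recommendation, applied to Amazon SNS, as an added example that is not part of SentinelOne's report or of Xeon Sender: it scans CloudTrail-style records for SNS calls that change SMS permissions or limits, and for a burst of SMS subscriptions from one principal. The eventSource, eventName and requestParameters fields follow CloudTrail's SNS logging; the sample records, the ARN, timestamps and the burst threshold are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
# SNS API calls that change SMS-sending rights or limits; CloudTrail logs them
# with eventSource "sns.amazonaws.com" and these eventName values.
PERMISSION_EVENTS = {"SetSMSAttributes", "AddPermission", "SetTopicAttributes"}

def parse_event(line):
    """Reduce one CloudTrail JSON record to the fields the detector needs."""
    rec = json.loads(line)
    return {"time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
            "actor": rec.get("userIdentity", {}).get("arn", "unknown"),
            "source": rec.get("eventSource", ""), "name": rec.get("eventName", ""),
            "params": rec.get("requestParameters") or {}}

def detect(lines, burst_threshold=5, window=timedelta(minutes=10)):
    """Alert on SMS permission changes and on bursts of SMS recipient additions.
    Records must be in chronological order, as CloudTrail delivers them."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # actor -> times of its recent sms Subscribe calls
    for line in lines:
        ev = parse_event(line)
        if ev["source"] != "sns.amazonaws.com":
            continue
        if ev["name"] in PERMISSION_EVENTS:
            alerts.append(("sms_permission_change", ev["actor"], ev["name"]))
        elif ev["name"] == "Subscribe" and ev["params"].get("protocol") == "sms":
            times = recent[ev["actor"]]
            times.append(ev["time"])
            while ev["time"] - times[0] > window:  # drop calls outside the window
                times.popleft()
            if len(times) >= burst_threshold and ev["actor"] not in flagged:
                flagged.add(ev["actor"])
                alerts.append(("bulk_recipient_add", ev["actor"], len(times)))
    return alerts

def _record(time, actor, name, params):
    """Build a constructed CloudTrail-style record (sample data, not a real log)."""
    return json.dumps({"eventTime": time, "eventSource": "sns.amazonaws.com",
                       "eventName": name, "userIdentity": {"arn": actor},
                       "requestParameters": params})

ACTOR = "arn:aws:iam::123456789012:user/ci-deploy"  # assumed compromised key owner
SAMPLE_LOG = [
    _record("2024-03-01T10:00:00Z", ACTOR, "SetSMSAttributes",
            {"attributes": {"MonthlySpendLimit": "5000"}}),
    _record("2024-03-01T10:00:30Z", "arn:aws:iam::123456789012:user/alice",
            "Subscribe", {"protocol": "sms", "endpoint": "+15550100"}),
] + [_record(f"2024-03-01T10:01:{i:02d}Z", ACTOR, "Subscribe",
             {"protocol": "sms", "endpoint": f"+1555010{i}"}) for i in range(6)]
```

Running `detect(SAMPLE_LOG)` flags the spend-limit change and the six-number subscription burst from the same principal while leaving the single legitimate subscription alone; the same window logic applies to any provider whose audit log records a per-call principal and timestamp.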