Malicious actors are using a cloud attack tool known as Xeon Sender to carry out large-scale SMS phishing and spam campaigns by abusing legitimate services.
According to SentinelOne security researcher Alex Delamotte, who shared a report with The Hacker News, “Attackers can utilize Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers.”
Some of the services used for sending mass SMS messages include Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.
It’s important to clarify that these attacks do not exploit vulnerabilities in the service providers themselves. Instead, the tool leverages legitimate APIs to carry out bulk SMS spam attacks.
Similar tools like SNS Sender have become increasingly popular for sending mass smishing messages and gathering sensitive information from targets.
Distributed through Telegram and hacking forums, Xeon Sender has been used by threat actors for various malicious purposes. It offers features like brute-force attacks, reverse IP address lookups, a WordPress site scanner, and unlimited SMS sending capabilities through a program called YonixSMS.
Although originally detected as early as 2022, Xeon Sender has undergone multiple iterations and is now known as XeonV5 and SVG Sender. The tool provides a command-line interface to communicate with service providers’ APIs and orchestrate SMS spam attacks.
In addition to SMS sending capabilities, Xeon Sender can validate account credentials, generate phone numbers based on country and area codes, and check the validity of provided phone numbers.
SentinelOne noted that despite its lack of sophistication, Xeon Sender’s source code intentionally complicates debugging by using ambiguous variables. This makes it challenging for security teams to detect abuse of the service providers’ APIs.
To protect against threats like Xeon Sender, organizations should monitor activities related to SMS sending permissions and distribution list changes, particularly large uploads of new recipient phone numbers.
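One way to implement the monitoring described above for Amazon SNS, as an added example that is not from the original article or the SentinelOne report: it scans CloudTrail-style records for SMS setting changes and for bursts of new SMS subscriptions by a single principal. The sample records, ARNs, phone numbers, time window and threshold are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SMS_SETTING_CALLS = {"SetSMSAttributes"}  # SNS call that changes SMS settings such as spend limit
WINDOW = timedelta(minutes=10)            # assumed look-back window
MAX_NEW_NUMBERS = 3                       # assumed per-principal threshold; tune to your baseline


def _event(ts, who, name, **params):
    """Build one constructed, simplified CloudTrail-style record."""
    return {"eventTime": ts, "eventSource": "sns.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": who}, "requestParameters": params}


# Constructed sample data: placeholder ARNs and fictional phone numbers.
BULK = "arn:aws:iam::111122223333:user/example-ci"
OPS = "arn:aws:iam::111122223333:user/example-ops"
SAMPLE_EVENTS = (
    [_event("2024-01-01T10:00:00Z", BULK, "SetSMSAttributes",
            attributes={"MonthlySpendLimit": "500"})]
    + [_event(f"2024-01-01T10:0{i}:00Z", BULK, "Subscribe", protocol="sms",
              endpoint=f"+1202555010{i}") for i in range(1, 6)]
    + [_event("2024-01-01T09:00:00Z", OPS, "Subscribe", protocol="sms", endpoint="+12025550150"),
       _event("2024-01-01T09:30:00Z", OPS, "Subscribe", protocol="email", endpoint="a@example.com")]
)


def find_sms_abuse_signals(events):
    """Return {principal_arn: sorted list of reasons} for suspicious SNS SMS activity."""
    findings = defaultdict(set)
    subs = defaultdict(list)  # principal -> timestamps of new SMS subscriptions
    for e in events:
        if e.get("eventSource") != "sns.amazonaws.com":
            continue
        who = e["userIdentity"]["arn"]
        params = e.get("requestParameters") or {}
        if e["eventName"] in SMS_SETTING_CALLS:
            findings[who].add("sms-settings-change:" + e["eventName"])
        elif e["eventName"] == "Subscribe" and params.get("protocol") == "sms":
            subs[who].append(datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ"))
    for who, times in subs.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over subscription times
            while t - times[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_NEW_NUMBERS:
                findings[who].add("bulk-sms-recipient-upload")
    return {who: sorted(reasons) for who, reasons in findings.items()}
```

The same per-principal windowing applies to the other providers named above if their audit logs expose recipient-list changes; only the record parsing would differ.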