Xeon Sender - SMS spam shipping multi-tool targeting SaaS credentials

August 2024 by SentinelLabs

Xeon Sender is a cloud attack tool that can be used to send SMS messages en masse to conduct spam and phishing (aka smishing) campaigns. Attackers can use Xeon to send messages through multiple software-as-a-service (SaaS) providers using valid credentials for the service providers. There are no weaknesses on the service provider side that are leveraged for these attacks; rather, the tool uses legitimate APIs to enable bulk SMS spam attacks.

The service providers this tool uses include: Amazon Simple Notification Service (SNS), Nexmo, Plivo, Proovl, Send99, Telesign, Telnyx, TextBelt, and Twilio.

SentinelLabs found Xeon Sender being distributed through Telegram – the standard cloud hacktool distribution platform – as well as various smaller hacking forums and sites. There is no apparent relationship between Xeon Sender and the family of Intel processors with the same name.

History & Distribution

The earliest known version of Xeon Sender dates back to at least 2022 in a version that credits handle @darkworld47. Like many other cloud hacktools, Xeon Sender became a victim of its own success, with different actors regularly adding their own handle to the tool credits. Aside from the tool’s purported author and occasionally the tool name, there are no significant differences across any samples that were identified.

Features

Xeon Sender is a tool that lets attackers conduct SMS spam attacks via one of nine bulk SMS providers. The tool provides a simple CLI through which the attacker communicates with the targeted service provider's backend via its APIs, enabling bulk SMS spam attacks with minimal effort. For the tool to work, the actor must have API keys for the targeted service. Enabling these service providers' SMS APIs is an arduous task governed by federal regulations in the United States. This means actors are likely to seek credentials belonging to accounts that have already undergone the process.

Detection Opportunities

Xeon Sender largely uses provider-specific Python libraries to craft API requests, which presents interesting detection challenges. Each library is unique, as are each provider's logs, so it may be difficult for teams to detect abuse of a given service.

To defend against threats like Xeon Sender, organisations should monitor activity related to evaluating or modifying SMS sending permissions or anomalous changes to distribution lists, such as a large upload of new recipient phone numbers.

For organisations using AWS, this includes calls to the GetSMSAttributes AWS API or changes to existing permissions using calls to SetSMSAttributes. Xeon Sender does not directly handle this, so actors who use Xeon likely use other tools or sources for preliminary reconnaissance and credential validation.
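As an added illustration of the AWS-side detection described above (this is not code from the SentinelLabs report or from Xeon Sender), the following Python flags the two SNS API calls named here, GetSMSAttributes and SetSMSAttributes, and additionally a burst of direct-to-number Publish calls by a single principal, which is the pattern a bulk SMS sender produces. It runs over constructed, CloudTrail-shaped records; the ARNs, phone numbers, times and the 20-send threshold are assumptions.

```python
from collections import Counter

def _ev(name, arn, time, **params):
    """Build a minimal CloudTrail-shaped SNS record (constructed test data)."""
    return {"eventSource": "sns.amazonaws.com", "eventName": name, "eventTime": time,
            "userIdentity": {"arn": arn}, "requestParameters": params}

# Constructed sample records, not real logs; ARNs, numbers and times are made up.
KEY = "arn:aws:iam::111111111111:user/marketing-api"
SAMPLE_RECORDS = (
    [_ev("GetSMSAttributes", KEY, "2024-08-01T10:00:00Z"),
     _ev("SetSMSAttributes", KEY, "2024-08-01T10:00:05Z",
         attributes={"MonthlySpendLimit": "10000"})]
    # A burst of direct-to-number sends from the same key, as a bulk sender produces.
    + [_ev("Publish", KEY, f"2024-08-01T10:01:{i:02d}Z", phoneNumber=f"+1555000{i:04d}")
       for i in range(25)]
    # Topic publish by another principal; should not alert.
    + [_ev("Publish", "arn:aws:iam::111111111111:role/alerting", "2024-08-01T10:02:00Z",
           topicArn="arn:aws:sns:us-east-1:111111111111:alerts")]
)

# The SNS SMS control-plane calls named in the article, mapped to alert types.
SMS_ATTRIBUTE_CALLS = {"GetSMSAttributes": "sms-permission-recon",
                       "SetSMSAttributes": "sms-permission-change"}

def detect_sms_abuse(records, publish_threshold=20):
    """Return (alert_type, principal_arn, detail) tuples for suspicious SNS activity."""
    alerts = []
    direct_sends = Counter()
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        arn = rec.get("userIdentity", {}).get("arn", "<unknown>")
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if name in SMS_ATTRIBUTE_CALLS:
            # Report the attributes being set when present, else just the call name.
            alerts.append((SMS_ATTRIBUTE_CALLS[name], arn, params.get("attributes") or name))
        elif name == "Publish" and "phoneNumber" in params:
            # Publish with a raw phoneNumber (no topic) is a direct SMS send.
            direct_sends[arn] += 1
    for arn, n in direct_sends.items():
        if n >= publish_threshold:
            alerts.append(("bulk-direct-sms", arn, f"{n} direct SMS publishes"))
    return alerts
```

In production the same logic would be pointed at CloudTrail delivered to S3 or CloudWatch Logs, with the threshold tuned to the account's normal direct-SMS volume.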

Key points:

Xeon Sender is a Python script that sends spam through nine different SaaS providers.
First seen in 2022, Xeon Sender has been repurposed by multiple threat actors branding the tool as their own, a common occurrence in the cloud hacktool scene.
Xeon Sender is another tool that enables SMS spam and smishing, TTPs that are increasingly executed via cloud and SaaS.

Conclusion

Xeon Sender is another tool that gives defenders insight into how actors attack cloud services to send SMS spam, an ongoing trend highlighted in research on tools like SNS Sender and through similar smishing campaigns. Due to federal regulations and the related fees imposed by bulk SMS providers, threat actors are more likely to target accounts belonging to organisations that have already gone through this process than to create accounts independently, with per-message delivery costs adding a separate financial burden.

Attribution remains open to interpretation in the context of script-based cloud attack tools where one actor can easily put their name inside a tool to replace the previous author. Despite many actors claiming this tool as their own, SentinelLabs has observed no significant deviations between known versions. There are clear improvements that could be made, such as improved status and error handling. Other tools like AlienFox have evolved over time as different actors adapt the tools, often bringing improvements. Actors may ultimately improve on Xeon Sender, or roll features into a multi-tool that covers more attack categories.
