CyberWire Daily - Spamageddon: Xeon Sender’s cloudy SMS attack revealed! [Research Saturday]
Episode Date: September 14, 2024
Alex Delamotte, Threat Researcher from SentinelOne Labs, joins to share their work on "Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials." SentinelOne's Labs team has uncovered new research on Xeon Sender, a cloud hacktool used to launch SMS spam attacks via legitimate APIs like Amazon SNS. First seen in 2022, this tool has been repurposed by multiple threat actors and distributed on underground forums, highlighting the ongoing trend of SMS spam through cloud services and SaaS. The research can be found here: Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
I worked on a piece a few months ago called SNS Sender,
and that was a particularly interesting one because we believe it was used in a variety of USPS
SMS spam campaigns, which I don't know about you, but I've certainly seen a whole lot of those over
the past few months. That's Alex Delamotte, threat researcher from SentinelOne Labs.
The research we're discussing today is titled "Xeon Sender: SMS Spam Shipping Multi-Tool Targeting SaaS Credentials."
So, they're quite a nuisance.
If I could just interrupt you, forgive me, but I have to say, reading through this research,
this was one of the first times in a long time that I can think of myself actually getting agitated
as I was reading it because of, I think, the disdain that we all share for these SMS spammers.
Absolutely. Yeah, it's a nightmare.
I mean, there's such little filtering that we, the end user, can do compared to something like email.
So it really is a nuisance.
Yeah.
Well, continue taking us along the pathway here for how this got to be something that you took a closer look at.
Sure.
So I looked at some of the behaviors that the SNS Sender tool was using, and I wanted to see if other tools were using that as well. Because,
you know, it seems unlikely that such a simple script like SNS Sender would be the only tool in spam threat actors' toolboxes. And it turns out that it is not. And I stumbled on Xeon Sender,
which is another tool of a similar nature, although it targets far more service providers.
Well, describe to us what exactly Xeon Sender entails here. What are its capabilities?
It is capable of using credentials from software-as-a-service providers that do SMS sending and sending bulk messages using those valid credentials. So it doesn't remove the barrier that actors face
where they would need to obtain valid credentials that have been authorized to send SMS messages,
which are actually subject to federal regulations in most places of the world,
including the United States and the European Union.
Yeah, that was a really interesting point as I was reading
through the research here, that there are some barriers to entry if you want to be in the
business of sending out SMS messages. Exactly. And I think that the easiest way to go for many
of these actors is most likely to find valid credentials from organizations or individuals who have already gone through the registration process.
So is my understanding then that suppose that I'm someone who wants to go about doing this, I want to send out some bulk SMS spam,
and I have gathered up some legitimate credentials for some of these legitimate services that do this.
Is Xeon Sender then a tool that just kind of fills in that middle part for me? It takes away some of
the technical barriers that I might be up against? Exactly. The author or the developer,
whoever made this tool originally, integrated several APIs to make it very easy and kind of uniform across the
different service providers. For example, all of them require the same basic material, which is an
API key, the secret key. In the case of AWS SNS, it requires the AWS region. And there are some
other proprietary fields for a couple of the SaaS providers targeted.
But overall, it's fairly uniform.
You put in the API credentials and then you add the message contents, the type of spam message that you want to send.
And then you have a list of recipients.
And then it blasts it away.
Take us through some of the history here. You did some digging on a bit
of the background. Yeah, so I looked into distribution
of this tool, and it was kind of interesting. As many cloud
attack tools and general hack tools are distributed, it was found on Telegram.
It's been credited to multiple authors who made absolutely
no changes to the code that are material.
They really just slapped their name in there.
No honor among thieves.
Exactly.
You know, a payday is a payday, I guess.
That's right.
Yeah, I guess they're building that brand.
But I also found it on some hacking forums.
There was one where the administrator had kind of lauded it and given it lots of praise,
saying it was a very useful tool.
So it's really,
it's been out there for a while.
So I think it's reasonable to believe
that it is an effective tool
and that people are using it.
And, you know, as we've mentioned before,
we certainly get enough of that SMS spam.
It's happening.
Has it evolved over time? Have they added any sophistication
or has it stayed pretty much the same? This is where it's very
unusual to me. It has stayed effectively the same. There's been no
updates to make it a better tool, even though just me as an amateur
dev reverse engineer looking at it, I could see some serious improvements.
They've made no effort
to do that. Interesting. And how do people pay for the use of this? Well, as far as I can tell,
they have all been open source. It's just a script, you know, you can just run it. I'm not
sure if anybody is actually profiting or licensing off of it. So it's an interesting case.
We'll be right back.
Do you know the status of your compliance controls right now? Like, right now? We know
that real-time visibility is critical for security, but when it comes to our GRC
programs, we rely on point-in-time checks.
But get this, more than 8,000 companies like Atlassian and Quora have continuous visibility
into their controls with Vanta.
Here's the gist. Vanta brings automation to evidence collection across 30
frameworks, like SOC 2 and ISO 27001. They also centralize key workflows like policies,
access reviews, and reporting, and helps you get security questionnaires done five times faster
with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber.
That's vanta.com slash cyber for $1,000 off.
And now a message from Black Cloak.
Did you know the easiest way for cybercriminals to bypass your company's defenses
is by targeting your executives and their families at home?
Black Cloak's award-winning digital executive protection platform
secures their personal devices, home networks, and connected lives.
Because when executives are compromised at home, your company is at risk.
In fact, over one-third of new members discover they've already been breached.
Protect your executives and their families 24-7, 365, with Black Cloak.
Learn more at blackcloak.io.
I have to say the screen grabs of the interface that you posted here takes me back to the 90s, I guess.
It's about as bare bones and straightforward as you can get.
Yeah, I kind of like it.
It's a comforting old terminal kind of deal.
Lots of colors too.
Right.
So what are ways that people can detect this?
I mean, if I'm someone who has a legitimate SMS
generating account with one of these services
and somehow someone who's up to no good
gets my credentials,
is it going to start throwing red flags for me?
Hopefully it will. It really depends on the service provider that you're using.
And I don't exactly have visibility into every service provider's detection capabilities.
But what I would look for if I were a defender in this position is
changes to sending quotas, and lots of activity, sudden spikes. There should also,
in theory, be, I think it would be plausible that organizations would have lists of customer
contacts that they would use for legitimate bulk mailing campaigns.
And perhaps this would deviate from those norms by sending to numbers that were not listed in
your customer relationship management software. So again, this is kind of abstract thinking,
but if you're an organization like that, maybe you could set some alarms for
a whole bunch of activity to numbers that were not associated with existing customers.
Do we have any sense for who was initially behind this or perhaps even what part of the world this came from?
I don't for this specific tool, no.
But I can say that this type of activity aligns with a lot of the other kind of, I would say, lower skilled actors who build cloud hack tools.
And we've seen a lot of activity from those folks coming out of Africa, especially Nigeria and Northern Africa, as well as Southeast Asia.
So lots of developing world activity.
I've also, in the case of SNS Sender, found activity suggesting that the developer was from India. So again, developing parts of the world with lots of access to technology.
noted, like the ability to check accounts and generate phone numbers and things like that. Can you take us through how that functionality fits into the usage of this sort of tool?
Sure. So there is an account checker tool that will just validate the credentials. For example,
maybe an actor finds a list of a whole bunch of Twilio credentials. They can then use that module
to validate whether they are good credentials
before trying to blast out a campaign
and possibly setting off alarms.
There's another tool that is a phone number generator,
which is effectively brute forcing phone numbers.
If I were an attacker,
that would not be my first choice.
But I suppose if you are
already exhausting all of your lists of legitimate phone numbers, that could be
a valid route to take. And then the last feature that I saw was a phone checker, which will check
apilayer.com. It's a very strange website name, but it apparently provides a service
where you can verify or validate
whether a telephone number is real.
Huh.
Because we want to make it easier for these folks.
Exactly.
It's all about automation and making things easier.
Right, right.
How do you rate the sophistication of these scripts? I mean, how bulletproof is this for an unsophisticated actor to use?
finished, and I'm surprised that nobody has picked up on that yet. But yeah, this is definitely a lower sophistication actor who put a lot of time and care into making a viable multi-tool. There's
definitely a lot of work they could do, though. Yeah. So what are your recommendations, then? I
mean, for folks who are tasked with protecting their organizations against this kind of thing,
do you have any suggestions?
I would suggest keeping an eye, again,
on the changes to account settings related to sending bulk SMS
and keep an eye on the amount of messages
that are being sent from your organization.
Just look for anomalies in that space
and you can use that to identify outliers
that could indicate a spamming campaign.
Our thanks to Alex Delamotte from SentinelOne Labs for joining us. The research is titled "Xeon Sender: SMS Spam Shipping Multi-Tool Targeting SaaS Credentials."
We'll have a link in the show notes.
We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your
podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at
n2k.com. We're privileged that N2K Cyber Wire is part of the daily routine of the most influential
leaders and operators in the public and private sector, from the Fortune 500 to many of the
world's preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at n2k.com. This episode was
produced by Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester. Our executive producer
is Jennifer Iben. Our executive editor is Brandon Karp.
Simone Petrella is our president. Peter Kilby is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here next time.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role.
Data is hard. Domo is easy.
Learn more at ai.domo.com.
That's ai.domo.com