Industrial cellular routers in Australia abused for smishing


Mass fraudulent text campaigns hit mobile users worldwide.

A popular make of industrial cellular routers with nearly 10,000 devices connected to the Internet in Australia alone is being abused by attackers for short messaging service (SMS) text spam, or smishing.


French security vendor Sekoia discovered earlier this year that the application programming interface (API) of hundreds of Milesight cellular routers was being used to deliver phishing messages through texts.

The targets for the campaign were Belgian government service portals, and it turns out that Australian cellular routers were attacked as well, Sekoia cyber threat intelligence analyst Jérémy Scion told iTNews.

Sekoia used the Shodan scan engine and discovered over 18,000 Milesight routers that were accessible via the Internet.

The security vendor's threat detection team tested 6643 and found that 572 routers were misconfigured to allow unauthenticated access to their inbox and outbox APIs, which were used to send malicious text messages.

Some of the routers that attackers attempted to abuse are located in Australia.

"According to Shodan, there are 9778 routers of this type in Australia, the highest concentration worldwide," Scion said.

"We quickly tested a sample of about 3000 Australian IP addresses and found that 90 of them expose the SMS-send/receive API without any authentication," he added.

Of the 90, at least six were involved in fraudulent smishing campaigns between June and September, again targeting phone numbers in Belgium in an attempt at stealing banking information.

The text messages weren't sent successfully, Scion added, due to subscriber identity module (SIM) restrictions, lack of credit and other factors, but the attempts to transmit the SMS prove exploitation, he said.

"Other routers appear to have been abused for different fraud schemes," Scion said.

Scion said Sekoia detected the attacks through one of its honeypots.

The attacker presented a valid session cookie to authenticate with the router API, but how the credential was acquired remains undetermined.

Sekoia thinks the smishing campaign has been active since at least February 2022.

Apart from Belgium, SMS spam samples collected by Sekoia showed several other countries worldwide being targeted by the attackers.

Swedish numbers were sent over 42,000 messages, and more than 31,000 Italian devices were recipients of mass smishing campaigns.

Based on the Internet Protocol (IP) addresses in the messages, the attacker's infrastructure appears to be on the network of a Lithuanian virtual private server (VPS) provider.

A bot on the Telegram communications app was used to log connections from visitors who clicked on phishing links, with Sekoia noting that the operator of the channel in question appears to be speaking Arabic and French.

Scion said the vendor, Milesight, was not contacted by Sekoia.

"What we documented is not a software vulnerability per se but rather a misconfiguration of the device," Scion said.

"Furthermore, the vast majority of affected routers are running outdated firmware versions."

iTNews has approached Milesight for comment on the matter.

Copyright © iTnews.com.au . All rights reserved.