Xeon Sender Tool Exploits Cloud APIs for Large-Scale SMS Phishing Attacks

Summary:
Malicious actors are increasingly using a cloud-based attack tool called Xeon Sender to conduct widespread smishing and spam campaigns by abusing legitimate software-as-a-service (SaaS) platforms. The tool, as noted by SentinelOne security researcher Alex Delamotte, allows attackers to send bulk SMS messages through multiple SaaS providers by using valid credentials for those services. Importantly, Xeon Sender doesn't exploit any inherent vulnerabilities in these providers; it instead uses their legitimate APIs to carry out large-scale SMS spam attacks. Xeon Sender facilitates the mass distribution of SMS messages through various platforms that are commonly used for legitimate messaging, but which threat actors are repurposing for malicious campaigns.


The tool has evolved since its first versions, detected as early as 2022, and is distributed via Telegram and hacking forums. The latest versions credit a Telegram channel named Orion Toolxhub, which was created on February 1, 2023, and has around 200 members. This channel also distributes other hacking tools, including software for brute-force attacks, reverse IP lookups, and even programs like a Bitcoin clipper and a PHP web shell. Xeon Sender, also referred to as XeonV5 or SVG Sender, offers a command-line interface that allows users to interact with the backend APIs of various service providers. This CLI supports bulk SMS spam campaigns by crafting API requests that include the sender ID, message content, and phone numbers selected from a predefined list stored in a text file. The tool's functionality is broad: it can validate Nexmo and Twilio account credentials, generate phone numbers for specific country codes and area codes, and check the validity of provided phone numbers.


Security Officer Comments:


One of the newer iterations of the tool is hosted on a web server with a graphical user interface, lowering the entry barrier for less skilled attackers who might struggle with running Python-based tools and troubleshooting their dependencies. This method of hosting makes Xeon Sender more accessible, increasing its potential for widespread abuse. The source code of Xeon Sender is deliberately obfuscated with ambiguous variables, such as single letters or a combination of letters and numbers, making it difficult to debug and complicating efforts to detect and mitigate its use. The tool relies on provider-specific Python libraries to craft API requests, which introduces unique detection challenges because each provider's logs and API structures are different.


Suggested Corrections:
To defend against threats posed by tools like Xeon Sender, organizations are advised to closely monitor any activity that evaluates or modifies SMS sending permissions, as well as any unusual changes to distribution lists. This includes being vigilant about large uploads of new recipient phone numbers, which could indicate preparation for a bulk SMS attack.
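As an added example (not from the article or from SentinelOne's research), the following Python script applies the monitoring advice above to a constructed, provider-neutral audit log: it flags SMS permission changes, recipient-list uploads above a size threshold, and bursts of sends to many distinct numbers by a single actor. The field names, action names and thresholds are assumptions; real Twilio or Nexmo logs use their own formats and would need their own parsers.

```python
import json
from collections import defaultdict
# Constructed sample audit events in a provider-neutral JSON-lines shape; real
# provider logs (Twilio, Nexmo, ...) differ, so field and action names are assumptions.
SAMPLE_LOG = """
{"ts": 1723500000, "actor": "svc-marketing", "action": "sms.permission.update", "detail": "grant:send"}
{"ts": 1723500030, "actor": "svc-marketing", "action": "list.upload", "detail": "recipients=1200"}
{"ts": 1723500100, "actor": "svc-marketing", "action": "sms.send", "detail": "to=+15550000001"}
{"ts": 1723500101, "actor": "svc-marketing", "action": "sms.send", "detail": "to=+15550000002"}
{"ts": 1723500102, "actor": "svc-marketing", "action": "sms.send", "detail": "to=+15550000003"}
{"ts": 1723500400, "actor": "alice", "action": "list.upload", "detail": "recipients=12"}
{"ts": 1723500500, "actor": "alice", "action": "sms.send", "detail": "to=+15550000099"}
"""

PERMISSION_ACTIONS = {"sms.permission.update"}  # assumed action name
UPLOAD_THRESHOLD = 500   # recipients per upload; tune to your own baseline
BURST_RECIPIENTS = 3     # distinct recipients per actor per window (kept low for the sample)
BURST_WINDOW_S = 300

def parse_events(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (actor, alert_type, detail) tuples for the three signals above."""
    alerts = []
    sends = defaultdict(list)  # actor -> [(ts, recipient)]
    for ev in events:
        actor, action, detail = ev["actor"], ev["action"], ev["detail"]
        if action in PERMISSION_ACTIONS:
            alerts.append((actor, "permission_change", detail))
        elif action == "list.upload":
            count = int(detail.split("=", 1)[1])
            if count >= UPLOAD_THRESHOLD:
                alerts.append((actor, "bulk_recipient_upload", count))
        elif action == "sms.send":
            sends[actor].append((ev["ts"], detail.split("=", 1)[1]))
    # Sliding window: many distinct recipients from one actor in a short period.
    for actor, items in sends.items():
        items.sort()
        for i, (ts, _) in enumerate(items):
            window = {r for t, r in items[i:] if t - ts <= BURST_WINDOW_S}
            if len(window) >= BURST_RECIPIENTS:
                alerts.append((actor, "send_burst", len(window)))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the sample log the script raises three alerts, all for the "svc-marketing" account; "alice" stays below every threshold.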


Link(s):
https://thehackernews.com/2024/08/xeon-sender-tool-exploits-cloud-apis.html