August 19, 2024 at 06:45AM
The Xeon Sender tool is being used for large-scale SMS phishing and spam campaigns that abuse legitimate cloud services. It uses the APIs of services like Amazon SNS, Nexmo, and Twilio to send bulk SMS spam without exploiting any weaknesses of the providers. Organizations should monitor for anomalous changes in SMS distribution permissions.
Key takeaways:
Malicious actors are using a cloud attack tool called Xeon Sender to conduct SMS phishing and spam campaigns on a large scale by leveraging legitimate services without exploiting inherent weaknesses in providers.
The tool utilizes various software-as-a-service (SaaS) providers including Amazon SNS, Nexmo, Twilio, and others to orchestrate bulk SMS spam attacks, and it also validates account credentials and generates phone numbers for different country codes.
Xeon Sender, also referred to as XeonV5 and SVG Sender, has been repurposed by various threat actors and offers a command-line interface to communicate with backend APIs and orchestrate attacks, presenting detection challenges due to its use of provider-specific Python libraries.
To defend against threats like Xeon Sender, organizations are advised to monitor activity related to modifying SMS sending permissions and watch for anomalous changes to distribution lists.
This activity highlights the need for organizations to be vigilant in monitoring and securing their SMS services to defend against these types of threats.
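One way to act on the monitoring advice above for Amazon SNS, as an added example that is not part of the original article: a small triage function over CloudTrail-style records that flags calls changing SMS sending settings and bursts of SMS subscriptions added to a topic. The `requestParameters` key names, the `known_admins` allow-list, the threshold of 3 and all sample records are assumptions constructed for illustration.

```python
from collections import Counter

# SNS API actions that change SMS sending settings or sandbox destinations.
SMS_SETTING_EVENTS = {"SetSMSAttributes", "CreateSMSSandboxPhoneNumber",
                      "VerifySMSSandboxPhoneNumber", "DeleteSMSSandboxPhoneNumber"}

def flag_sms_changes(records, known_admins, bulk_threshold=3):
    """Return sorted (reason, principal, detail) findings for SNS SMS changes."""
    findings = set()
    sms_subs = Counter()  # (principal, topic) -> SMS endpoints added
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        name = rec.get("eventName")
        params = rec.get("requestParameters") or {}
        if name in SMS_SETTING_EVENTS:
            # A denied call is still a signal: someone tried to use the permission.
            outcome = rec.get("errorCode", "ok")
            reason = "sms-setting-change"
            if who not in known_admins:
                reason += "-by-unexpected-principal"
            findings.add((reason, who, f"{name}:{outcome}"))
        elif (name == "Subscribe" and params.get("protocol") == "sms"
              and not rec.get("errorCode")):
            sms_subs[(who, params.get("topicArn", "unknown"))] += 1
    # Distribution-list anomaly: many SMS endpoints added to one topic by one principal.
    for (who, topic), count in sms_subs.items():
        if count >= bulk_threshold:
            findings.add(("bulk-sms-subscribe", who, f"{topic}:{count}"))
    return sorted(findings)

# Constructed sample records (not real logs); account id, ARNs and numbers are placeholders.
SNS = "sns.amazonaws.com"
ADMIN = "arn:aws:iam::111122223333:user/sns-admin"
APP = "arn:aws:iam::111122223333:user/web-app"
TOPIC = "arn:aws:sns:us-east-1:111122223333:alerts"
SAMPLE = [
    {"eventSource": SNS, "eventName": "SetSMSAttributes", "userIdentity": {"arn": ADMIN}},
    {"eventSource": SNS, "eventName": "SetSMSAttributes", "userIdentity": {"arn": APP},
     "errorCode": "AccessDenied"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject", "userIdentity": {"arn": APP}},
    {"eventSource": SNS, "eventName": "Subscribe", "userIdentity": {"arn": ADMIN},
     "requestParameters": {"protocol": "email", "topicArn": TOPIC, "endpoint": "ops@example.com"}},
] + [{"eventSource": SNS, "eventName": "Subscribe", "userIdentity": {"arn": APP},
      "requestParameters": {"protocol": "sms", "topicArn": TOPIC,
                            "endpoint": f"+1555010000{i}"}} for i in range(4)]

if __name__ == "__main__":
    for finding in flag_sms_changes(SAMPLE, known_admins={ADMIN}):
        print(finding)
```

In practice the threshold and allow-list would be tuned against the account's normal SNS administration activity.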