Xeon Sender: Hackers' New Weapon for Powerful SMS Bombing

How legitimate services suddenly became accomplices of professional phishers.

In recent months, cybersecurity experts have discovered the active use of a new cloud attack tool called Xeon Sender. Cybercriminals use it to conduct phishing and spam campaigns via SMS by abusing legitimate services.

According to SentinelOne researcher Alex Delamotte, Xeon Sender allows messages to be sent through a variety of software-as-a-service (SaaS) providers using valid credentials. Among these services are Amazon SNS, Nexmo, Plivo, Twilio, and others.

An important aspect is that Xeon Sender does not exploit the vulnerabilities of the providers themselves. Instead, attackers use legitimate APIs to send spam messages in bulk. Such tools have recently become increasingly popular among cybercriminals for sending phishing messages in order to steal confidential information.

Xeon Sender is distributed through Telegram and various forums dedicated to software hacking. The latest version of the tool, available for download as a ZIP archive, links to the "Orion Toolxhub" Telegram channel created in February 2023. This channel is actively spreading other malware as well, such as brute-force attack and website scanning tools.

Xeon Sender, also known as XeonV5 and SVG Sender, was first spotted in 2022. Since then, its functionality has been steadily expanded, and it has been used by various groups of cybercriminals. Notably, one of the versions of this tool is hosted on a web server with a graphical interface, making it accessible even to users with minimal technical skills.

At its core, the tool provides a command-line interface for interacting with the APIs of the selected services, which allows attackers to organize mass SMS attacks. This assumes that the attackers already possess the necessary API keys to access the services. Requests include the sender ID, message content, and phone numbers from a pre-defined list.

In addition, Xeon Sender includes functions for verifying the credentials of Nexmo and Twilio services, generating phone numbers for specified country and region codes, and checking the validity of specified numbers. Although the program code contains many ambiguous variables that make debugging difficult, the researchers note that the tool's use of specific libraries to create requests makes its activity harder to detect.

To protect against such threats, experts recommend that organizations monitor activity related to changes in SMS sending settings and anomalous changes in recipient lists, such as bulk uploading of new numbers.

Source
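
The monitoring recommended above, sketched for Amazon SNS as an added example (not from the original article or the researchers' report): it scans CloudTrail-style records for SMS settings changes and for bursts of new SMS subscriptions by one principal. The records are constructed, and the field layout, threshold and window are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BURST_THRESHOLD = 5                   # assumed: new SMS recipients per principal
BURST_WINDOW = timedelta(minutes=10)  # assumed: sliding window for the burst check

def _ev(t, name, arn, params):
    """Build one constructed CloudTrail-style record (layout is an assumption)."""
    return {"eventTime": t, "eventSource": "sns.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "requestParameters": params}

APP = "arn:aws:iam::111122223333:user/example-app"      # placeholder principals
OPS = "arn:aws:iam::111122223333:user/example-admin"
SAMPLE = (  # constructed sample data, not real logs
    [_ev("2024-08-01T10:00:00Z", "SetSMSAttributes", APP,
         {"attributes": {"MonthlySpendLimit": "500", "DefaultSenderID": "EXAMPLE"}})]
    + [_ev(f"2024-08-01T10:01:{s:02d}Z", "Subscribe", APP, {"protocol": "sms"})
       for s in range(0, 60, 10)]                        # six numbers in one minute
    + [_ev("2024-08-01T11:00:00Z", "Subscribe", OPS, {"protocol": "sms"}),
       _ev("2024-08-01T11:05:00Z", "Subscribe", OPS, {"protocol": "email"})]
)

def detect(events):
    """Return alerts for SMS settings changes and bulk SMS recipient additions."""
    alerts, sms_subs = [], defaultdict(list)
    for e in events:
        if e.get("eventSource") != "sns.amazonaws.com":
            continue
        who = e.get("userIdentity", {}).get("arn", "unknown")
        params = e.get("requestParameters") or {}
        if e["eventName"] == "SetSMSAttributes":
            # Any change to account-level SMS sending settings is worth review.
            changed = sorted(params.get("attributes", {}))
            alerts.append(("sms-settings-change", who, changed))
        elif e["eventName"] == "Subscribe" and params.get("protocol") == "sms":
            when = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
            sms_subs[who].append(when)
    for who, times in sms_subs.items():
        times.sort()
        best = lo = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while times[hi] - times[lo] > BURST_WINDOW:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= BURST_THRESHOLD:
            alerts.append(("bulk-sms-recipients", who, best))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```
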