Alex Delamotte, Threat Researcher from SentinelOne Labs, joins to share their work on "Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials." SentinelOne’s Labs team has uncovered new research on Xeon Sender, a cloud hacktool used to launch SMS spam attacks via legitimate APIs like Amazon SNS.
First seen in 2022, this tool has been repurposed by multiple threat actors and distributed on underground forums, highlighting the ongoing trend of SMS spam through cloud services and SaaS.
The research can be found here:
You're listening to the CyberWire network, powered by N2K.

Defense contractors face immense pressure to comply with CMMC 2.0 security standards, needing a secure, user-friendly file-sharing solution. Kiteworks, a FedRAMP Moderate authorized solution, supports nearly 90% of CMMC 2.0 Level 3 requirements, reducing compliance effort and cost. Kiteworks leverages a zero-trust framework for swift compliance and offers a secure platform for defense data protection needs with advanced security features and ease of use. Its intuitive UI, mobile apps and centralized policy management simplify administration. Accelerate your CMMC 2.0 compliance and address federal zero-trust requirements with Kiteworks' universal secure file-sharing platform made for defense contractors. Visit kiteworks.com to get started.

Hello everyone and welcome to the CyberWire's Research Saturday. I'm Dave Bittner and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

I worked on a piece a few months ago called SNS Sender, and that was a particularly interesting one because we believe it was used in a variety of USPS SMS spam campaigns, which, I don't know about you, but I've certainly seen a whole lot of those over the past few months.

That's Alex Delamotte, threat researcher from SentinelOne Labs. The research we're discussing today is titled "Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials."

If I could interrupt you, forgive me, but I have to say, reading through this research, this was one of the first times in a long time that I can think of myself actually getting agitated as I was reading it, because of, I think, the disdain that we all share for these SMS spammers.

Absolutely. Yeah, it's a nightmare.
I mean, there's such little filtering that we, the end user, can do compared to something like email, so it really is a nuisance.

Yeah. Well, continue taking us along the pathway here for how this got to be something that you took a closer look at.

Sure. So I looked at some of the behaviors that the SNS Sender tool was using, and I wanted to see if other tools were using that as well, because it seems unlikely that such a simple script as SNS Sender would be the only tool in spam threat actors' toolboxes. And it turns out that it is not. And I stumbled on Xeon Sender, which is another tool of a similar nature, although it targets far more service providers.

Well, describe to us what exactly Xeon Sender entails here. What are its capabilities?

It is capable of using credentials from software-as-a-service providers that do SMS sending and sending bulk messages using those valid credentials. So it doesn't remove the barrier that actors face where they would need to obtain valid credentials that have been authorized to send SMS messages, which are actually subject to federal regulations in most places of the world, including the United States and the European Union.

Yeah, that was a really interesting point as I was reading through the research here, that there are some barriers to entry if you want to be in the business of sending out SMS messages.

Exactly. And I think that the easiest way to go for many of these actors is most likely to find valid credentials from organizations or individuals who have already gone through the registration process.

So is my understanding then that, suppose that I'm someone who wants to go about doing this, I want to send out some bulk SMS spam, and I have gathered up some legitimate credentials for some of these legitimate services that do this, is Xeon Sender then a tool that just kind of fills in that middle part for me? It takes away some of the technical barriers that I might be up against.

Exactly.
The author or the developer, whoever made this tool originally, integrated several APIs to make it very easy and kind of uniform across the different service providers. For example, all of them require the same basic material, which is an API key and the secret key. In the case of AWS SNS, it requires the AWS region. And there are some other proprietary fields for a couple of the SaaS providers targeted. But overall, it's fairly uniform. You put in the API credentials, and then you add the message contents, the type of spam message that you want to send, and then you have a list of recipients, and then it blasts it away.

Take us through some of the history here. You did some digging on a bit of the background.

Yeah, so I looked into distribution of this tool, and it was kind of interesting. As many cloud attack tools and general hack tools are distributed, it was found on Telegram. It's been credited to multiple authors who made absolutely no changes to the code that are material. They really just slapped their name in there.

No honor among thieves.

Exactly. You know, a payday is a payday, I guess, but yeah, I guess they're building that brand. But I also found it on some hacking forums. There was one where the administrator had kind of lauded it and given it lots of praise, saying it was a very useful tool. So it's really, it's been out there for a while. So I think it's reasonable to believe that it is an effective tool and that people are using it. And you know, as we mentioned before, we certainly get enough of that SMS spam that's happening.

Has it evolved over time? Have they added any sophistication, or has it stayed pretty much the same?

This is where it's very unusual to me. It has stayed effectively the same. There have been no updates to make it a better tool, even though, you know, just me as an amateur dev or a reverse engineer looking at it, I could see some serious improvements. They've made no effort to do that.

Interesting.
And how do people pay for the use of this?

Well, as far as I can tell, they have all been open source. It's just a script, you know, you can just run it. I'm not sure if anybody is actually profiting or licensing off of it. So it's an interesting case.

We'll be right back.

Hey, everybody. Dave here. Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try DeleteMe. I have to say, DeleteMe is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports, so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe. Now at a special discount for our listeners, today get 20% off your DeleteMe plan when you go to joindeleteme.com/n2k and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com/n2k and enter code N2K at checkout. That's joindeleteme.com/n2k, code N2K.

When it comes to ensuring your company has top-notch security practices, things can get complicated fast. Vanta automates compliance for SOC 2, ISO 27001, HIPAA and more, saving you time and money. With Vanta, you can streamline security reviews by automating questionnaires and demonstrating your security posture with a customer-facing trust center. Over 7,000 global companies, like Atlassian, Flo Health and Quora, use Vanta to manage risk and prove security in real time. Our listeners can claim a special offer of $1,000 off Vanta at vanta.com/cyber. That's V-A-N-T-A.com/cyber for $1,000 off Vanta.

I have to say, the screen grabs of the interface that you posted here, it takes me back to the '90s, I guess. It's about as bare bones and straightforward as you can get.

Yeah, I kind of like it.
It's a comforting, old, terminal kind of deal. Lots of colors, too.

What are ways that people can detect this? If I'm someone who has a legitimate SMS-generating account with one of these services, and somehow someone who's up to no good gets my credentials, is it going to start throwing red flags for me?

Hopefully it will. It really depends on the service provider that you're using, and I don't exactly have visibility into every service provider's detection capabilities. What I would look for if I were a defender in this position is looking for changes to sending quotas, and looking for lots of activity, sudden spikes. There should also, in theory, I think it would be plausible that organizations would have lists of customer contacts that they would use for legitimate bulk mailing campaigns, and perhaps this would deviate from those norms by sending to numbers that were not listed in your customer relationship management software. Again, this is kind of abstract thinking, but if you're an organization like that, maybe you could set some alarms for a whole bunch of activity to numbers that were not associated with existing customers.

Do we have any sense for who was initially behind this, or perhaps even what part of the world this came from?

I don't for this specific tool now, but I can say that this type of activity aligns with a lot of the other kind of, I would say, lower-skilled actors who build cloud hack tools, and we've seen a lot of activity from those folks coming out of Africa, especially Nigeria, and Northern Africa, as well as Southeast Asia, so lots of developing world activity. I've also, in the case of SNS Sender, found activity suggesting that the developer was from India, so again, developing parts of the world with lots of access to technology.

Yeah, there was some additional functionality in here that you noted, like the ability to check accounts and generate phone numbers and things like that.
Can you take us through how that functionality fits into the usage of this sort of tool?

Sure, so there is an account checker tool that will just validate the credentials. For example, maybe an actor finds a list of a whole bunch of Twilio credentials. They can then use that module to validate whether they are good credentials before trying to blast out a campaign and possibly setting off alarms. There's another tool that is a phone number generator, which is effectively brute forcing phone numbers. If I were an attacker, that would not be my first choice, but I suppose if you are already exhausting all of your lists of legitimate phone numbers, that could be a valid route to take. And then the last feature that I saw was a phone checker, which will check apilayer.com. It's a very strange website name, but it apparently provides a service where you can verify or validate whether a telephone number is real.

Huh, because we want to make it easier for these folks.

Exactly. It's all about automation and making things easier.

Right, right. How do you rate the sophistication of these scripts? I mean, how bulletproof is this for an unsophisticated actor to use?

It's not highly sophisticated, and not all of the code is actually functional, too. There are parts that look like they were unfinished, and I'm surprised that nobody has picked up on that yet. But yeah, this is definitely a lower sophistication actor who put a lot of time and care into making a viable multi-tool. There's definitely a lot of work they could do there.

Yeah. So what are your recommendations then? I mean, for folks who are tasked with protecting their organizations against this kind of thing, do you have any suggestions?

I would suggest keeping an eye again on the changes to account settings related to sending bulk SMS, and keep an eye on the amount of messages that are being sent from your organization.
Just look for anomalies in that space, and you can use that to identify outliers that could indicate a spamming campaign.

Our thanks to Alex Delamotte from SentinelOne Labs for joining us. The research is titled "Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials." We'll have a link in the show notes.

We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your team smarter. Learn how at N2K.com.

This episode was produced by Liz Stokes and mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben, our executive editor is Brandon Karpf. Simone Petrella is our president, Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.

This September 18th and 19th in Denver, a tight community of leading experts is gathering to tackle the toughest cybersecurity challenges we face. It's happening at mWISE, the unique conference built by practitioners for practitioners. Brought to you by Mandiant, now part of Google Cloud, mWISE features one-to-one access with industry experts and fresh insights into the topics that matter most, right now, to frontline practitioners.