Malicious actors are using a cloud attack tool named Xeon Sender to run large-scale SMS phishing (smishing) and spam campaigns through legitimate messaging services. The tool sends messages via the APIs of software-as-a-service (SaaS) providers such as Amazon SNS, Nexmo, and Twilio, authenticating with valid credentials the attacker already holds. No vulnerability in these services is being exploited; the abuse lies entirely in driving their legitimate APIs with credentials that should not be in the attacker's hands.
Xeon Sender, also referred to as XeonV5 and SVG Sender, has been around since at least 2022 and has been adapted by multiple threat actors for different malicious purposes. Distributed via Telegram and hacking forums, the tool has become more accessible over time, with newer versions even offering a graphical user interface (GUI) hosted on a web server. This makes it easier for less technically skilled individuals to use the tool without needing to run Python scripts or troubleshoot dependencies.
The tool provides a command-line interface that allows users to interact with the backend APIs of selected service providers. Attackers already in possession of the necessary API keys can use Xeon Sender to send bulk SMS messages. The tool supports additional features such as validating account credentials for services like Nexmo and Twilio, generating phone numbers for specific country and area codes, and verifying the validity of a given phone number.
SentinelOne, the cybersecurity firm that analyzed the tool, notes that Xeon Sender's source code is littered with ambiguous variable names, which makes it harder to debug and harder to characterize for signature-based detection. Detection is further complicated by how the tool talks to providers: it uses each provider's own Python client library to build API requests, so on the wire its traffic is indistinguishable from a legitimate customer integration using the same credentials. There is no single malicious request pattern to block across providers; the only reliable signals are behavioral ones in the account's own usage.
To protect against threats like Xeon Sender, organizations that hold SMS-provider credentials are advised to monitor account activity closely, in particular changes to SMS sending permissions and to distribution lists. Unusual changes, such as a sudden bulk upload of new recipient phone numbers, a newly granted send permission, or a burst of sends from a credential that normally sends little, should be investigated promptly, since they are the earliest visible signs that an API key is being abused.
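The following is an added example, not code from the article or from SentinelOne, of the kind of behavioral check the previous paragraph recommends. It runs three rules over a constructed audit log: an SMS-send permission being granted, a bulk recipient upload, and a burst of sends from one credential inside a sliding time window. The JSON-lines format, the field names (`principal`, `action`, `count`, `permission`), and the thresholds are assumptions for the example; a real deployment would map them onto whatever audit log the SMS provider actually exports.

```python
"""Behavioral detection for SMS-provider account abuse (example code).

Three rules over a per-account audit log:
  1. a permission grant whose name starts with "sms:"
  2. an upload of recipient numbers larger than UPLOAD_BULK
  3. SEND_BURST or more sends by one credential inside WINDOW
The log schema and thresholds below are assumptions, not any provider's real format.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # sliding window for the burst rule (assumed)
SEND_BURST = 50                  # sends by one credential inside WINDOW (assumed)
UPLOAD_BULK = 1000               # recipients added in a single upload (assumed)

_BASE = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)


def _line(offset_s, principal, action, **fields):
    """Build one constructed JSON-lines audit record, offset_s seconds after _BASE."""
    ev = {"ts": (_BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ"),
          "principal": principal, "action": action, **fields}
    return json.dumps(ev)


# Constructed sample log: two routine sends from the ops key, then a CI key that
# is granted SMS rights, uploads 25,000 numbers and starts sending one message
# per second. None of this is real provider data.
SAMPLE_LOG = "\n".join(
    [_line(0, "key_ops", "send_sms", to="+15550000001"),
     _line(300, "key_ops", "send_sms", to="+15550000002"),
     _line(420, "key_ci", "grant_permission", permission="sms:send", target="key_ci"),
     _line(480, "key_ci", "upload_recipients", count=25000)]
    + [_line(500 + i, "key_ci", "send_sms", to=f"+1555000{1000 + i}") for i in range(60)]
)


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect(events, window=WINDOW, send_burst=SEND_BURST, upload_bulk=UPLOAD_BULK):
    """Return a list of alert dicts, one per rule hit (burst rule fires once per credential)."""
    alerts = []
    sends = defaultdict(deque)   # principal -> send timestamps still inside the window
    burst_alerted = set()
    for ev in events:
        p, action = ev["principal"], ev["action"]
        if action == "grant_permission" and str(ev.get("permission", "")).startswith("sms:"):
            alerts.append({"rule": "sms_permission_granted", "principal": p,
                           "target": ev.get("target"), "ts": ev["ts"]})
        elif action == "upload_recipients" and ev.get("count", 0) >= upload_bulk:
            alerts.append({"rule": "bulk_recipient_upload", "principal": p,
                           "count": ev["count"], "ts": ev["ts"]})
        elif action == "send_sms":
            q = sends[p]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop sends older than the window
                q.popleft()
            if len(q) >= send_burst and p not in burst_alerted:
                burst_alerted.add(p)
                alerts.append({"rule": "send_burst", "principal": p,
                               "count": len(q), "ts": ev["ts"]})
    return alerts


def run_sample():
    """Run all rules over the constructed log; expect three alerts, all on key_ci."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The three rules fire in the order the abuse unfolds: the permission grant, then the bulk upload, then the send burst once the 50th message leaves within the window. The ordering matters operationally, because the first two events arrive minutes before any message is delivered and are the point at which revoking the key still prevents the campaign. Tune `SEND_BURST` and `UPLOAD_BULK` to the account's normal volume; a transactional-SMS account that legitimately sends thousands of one-time codes per minute needs a baseline per credential rather than a fixed number.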