SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

New cloud hacktool Xeon Sender exploits APIs for spam SMS

Thu, 22nd Aug 2024

Researchers at SentinelLabs, the threat intelligence arm of SentinelOne, have announced the identification of a new cloud hack tool named Xeon Sender. This tool exploits legitimate APIs to conduct bulk spam SMS attacks against service providers such as Amazon’s Simple Notification Service (SNS), Nexmo, Twilio, and others. The tool was first observed in 2022 and has since gained traction among threat actors, primarily distributed through Telegram and other underground forums.

Xeon Sender, also known as XeonV5 and SVG Sender, appears designed to execute SMS spam and phishing (smishing) campaigns. The tool uses valid credentials for the service providers it targets, which means that no inherent weakness in these platforms is being exploited. Instead, Xeon Sender abuses legitimate APIs to send large volumes of unsolicited SMS messages.

SentinelLabs notes that the history of Xeon Sender dates back to at least 2022, with the earliest version attributed to a handle known as @darkworld47. Over time, multiple threat actors have adopted and rebranded the tool, a common occurrence in cloud hacking utilities. Despite these variations, the core functionality of the tool remains largely unchanged across different iterations.

The primary functionality of Xeon Sender revolves around enabling attackers to communicate with the backend services of bulk SMS providers through a command-line interface (CLI). To facilitate these bulk SMS spam attacks, the attacker must possess API keys for the targeted service. Given the rigorous federal regulations and procedures involved in enabling these SMS APIs, threat actors are more likely to seek out credentials belonging to accounts that have already navigated those processes.

Xeon Sender's reliance on provider-specific Python libraries for crafting API requests presents unique detection challenges. Each library operates distinctly, and the logs generated by each provider vary, making it difficult for security teams to detect and mitigate the abuse of these services. SentinelLabs advises organisations to monitor activities that evaluate or modify SMS sending permissions and anomalous changes in distribution lists, which might indicate a bulk upload of new recipient phone numbers.

For organisations using Amazon Web Services (AWS), monitoring calls to the GetSMSAttributes AWS API or tracking changes to existing permissions through SetSMSAttributes calls is recommended. Although Xeon Sender does not directly manage these tasks, actors utilising the tool often rely on other utilities or methodologies for preliminary reconnaissance and credential validation.
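The monitoring advice above can be turned into a simple detection over CloudTrail. The following is an added example written for this article, not code from SentinelLabs or from the tool; it scans a constructed batch of CloudTrail records (the identities, addresses and timestamps are made up) for SNS `GetSMSAttributes` and `SetSMSAttributes` calls, records which SMS attributes each call touched, and flags a principal that reads the SMS settings and then modifies them within a short window, the reconnaissance-then-change pattern the article describes. The severity labels and the 30-minute window are this example's own choices.

```python
import json
from datetime import datetime, timedelta

# SNS API calls worth alerting on, per the guidance above. Severity labels are
# this example's own choice: reads are reconnaissance, writes change sending policy.
SMS_ATTRIBUTE_EVENTS = {
    "GetSMSAttributes": "info",
    "SetSMSAttributes": "high",
}

# Constructed sample CloudTrail records (not real logs). The field names follow
# the CloudTrail "Records" array; the identities, IPs and times are made up.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-08-20T10:01:12Z", "eventSource": "sns.amazonaws.com",
     "eventName": "GetSMSAttributes", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"attributes": ["MonthlySpendLimit", "DefaultSenderID"]}},
    {"eventTime": "2024-08-20T10:01:40Z", "eventSource": "sns.amazonaws.com",
     "eventName": "SetSMSAttributes", "awsRegion": "us-east-1",
     "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser", "userName": "ci-deploy"},
     "requestParameters": {"attributes": {"MonthlySpendLimit": "5000"}}},
    {"eventTime": "2024-08-20T11:15:03Z", "eventSource": "sns.amazonaws.com",
     "eventName": "GetSMSAttributes", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alerts-service"},
     "requestParameters": {}},
    {"eventTime": "2024-08-20T11:16:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-west-1",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "userName": "alerts-service"},
     "requestParameters": {"bucketName": "example-bucket", "key": "report.csv"}},
]})


def load_records(cloudtrail_json):
    """Parse a CloudTrail log file body and return its Records list."""
    return json.loads(cloudtrail_json).get("Records", [])


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal_of(record):
    ident = record.get("userIdentity", {})
    return ident.get("arn") or ident.get("userName") or ident.get("type", "unknown")


def find_sms_attribute_events(records):
    """Return the SNS SMS-attribute calls, in time order, with the attributes each touched."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "sns.amazonaws.com":
            continue
        name = rec.get("eventName")
        if name not in SMS_ATTRIBUTE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        attrs = params.get("attributes") or []
        # GetSMSAttributes carries a list of attribute names, SetSMSAttributes a name->value map
        attr_names = sorted(attrs.keys() if isinstance(attrs, dict) else attrs)
        hits.append({
            "time": parse_time(rec["eventTime"]),
            "eventName": name,
            "severity": SMS_ATTRIBUTE_EVENTS[name],
            "principal": principal_of(rec),
            "sourceIP": rec.get("sourceIPAddress"),
            "region": rec.get("awsRegion"),
            "attributes": attr_names,
        })
    hits.sort(key=lambda h: h["time"])
    return hits


def find_recon_then_modify(hits, window=timedelta(minutes=30)):
    """Flag a principal that reads the SMS settings and then changes them within `window`."""
    last_get = {}
    findings = []
    for h in hits:
        key = h["principal"]
        if h["eventName"] == "GetSMSAttributes":
            last_get[key] = h["time"]
        elif h["eventName"] == "SetSMSAttributes" and key in last_get:
            gap = h["time"] - last_get[key]
            if timedelta(0) <= gap <= window:
                findings.append({"principal": key, "gap_seconds": int(gap.total_seconds()),
                                 "changed": h["attributes"], "sourceIP": h["sourceIP"]})
    return findings


if __name__ == "__main__":
    hits = find_sms_attribute_events(load_records(SAMPLE_CLOUDTRAIL))
    for h in hits:
        print(f'{h["time"]:%H:%M:%S} {h["severity"]:4} {h["eventName"]:17} {h["principal"]} {h["attributes"]}')
    for f in find_recon_then_modify(hits):
        print("recon-then-modify:", f)
```

On the sample data the scan reports three SNS calls and one sequence finding: `ci-deploy` read the spend limit and sender ID and changed `MonthlySpendLimit` 28 seconds later from the same address. In production the same two functions would run over CloudTrail files pulled from S3 or over events delivered through EventBridge, and a finding against a principal that has no business touching SMS settings is the point at which to check that account's API keys for exposure.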

Key points highlighted by SentinelLabs include the following: Xeon Sender is a Python-based script capable of sending spam through nine different Software-as-a-Service (SaaS) providers. It was first observed in 2022 and has been rebranded by various threat actors since. SMS spam and smishing have become increasingly popular tactics facilitated through cloud services and SaaS platforms.

SentinelLabs concludes that Xeon Sender provides valuable insights into how attackers leverage cloud services to disseminate SMS spam, a trend observed in other tools and campaigns. Due to federal regulations and associated fees, threat actors are more inclined to target accounts that have already been through the required processes rather than create new accounts. The constant rebranding and redistribution of Xeon Sender by different actors complicate attribution efforts. While the tool has remained largely unchanged, potential improvements such as better status and error handling could enhance its capabilities.
