Silent Smishing : The Hidden Abuse of Cellular Router APIs

Sekoia.io observed attackers abusing the exposed /cgi API of Milesight industrial cellular routers to run large-scale smishing campaigns, focused heavily on Belgian recipients and impersonating the CSAM and eBox government services. The phishing domains were registered through NameSilo and hosted with Podaon SIA; honeypot and scan data show routers exposing unauthenticated SMS inbox/outbox APIs, and the smishing activity dates back to at least February 2022.

Keypoints

  • Attackers exploited Milesight industrial cellular routers’ API (POST /cgi) to send phishing SMS messages (smishing) and to retrieve SMS inbox/outbox data from exposed devices.
  • Honeypot logs traced the attacker’s activity to IP 212.162.155[.]38 (AS Podaon SIA) and identified over 18,000 accessible routers with at least 572 allowing unauthenticated SMS API access.
  • Campaigns primarily targeted European users, especially Belgium, with SMS lures impersonating CSAM and eBox; French and multi-country campaigns were also observed.
  • Phishing infrastructure used NameSilo-registered domains and hosting tied to Podaon/PODAON-PL-1, with multiple domains and IPs mapped to phishing kits and pages employing device checks (is_mobile) to target mobile users.
  • Smishing activity dates back to at least February 2022 and includes mass campaigns (e.g., tens of thousands of Swedish and Italian numbers) and repeated targeting of Belgian numbers across distinct campaigns.
  • Phishing pages used obfuscated JavaScript (e.g., maghat_lebssouch.js) and references to GroozaV2 tooling, with Telegram-based logging (GroozaBot) suggesting operator links and language artefacts (Arabic, French).
  • Vulnerable routers often run outdated firmware (notably 32.2.x.x and 32.3.x.x); exploitation appears focused on SMS features rather than installing backdoors, indicating a targeted smishing use-case and potential mixture of misconfiguration and known CVE exploitation.
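To make the router-side abuse described in the keypoints concrete, here is an added detection example; it is not Sekoia's code and does not use Milesight's real API schema. It scans request logs for POST /cgi calls from non-private sources whose body refers to SMS functions, separates sending from inbox/outbox retrieval, records whether a session cookie accompanied the request, and flags sources that reach several distinct recipients. The JSON-lines log shape, the body field names (`action`, `to`, `text`) and the sample events are assumptions constructed for the example; the two external source IPs are the ones listed in the report's indicators.

```python
"""Flag abuse of a cellular router's SMS API in request logs.

Added example, not Sekoia's or Milesight's code. The JSON-lines log
format and the body fields ("action", "to", "text") are assumptions made
for the example; real Milesight /cgi payloads differ.
"""
import ipaddress
import json
import re
from collections import defaultdict

# Constructed sample requests. External source IPs are the two listed in
# the report's IoCs; the internal host and recipients are made up.
SAMPLE_EVENTS = [
    {"src": "212.162.155.38", "method": "POST", "path": "/cgi", "cookie": "",
     "body": {"action": "sms_send", "to": "+32470000001",
              "text": "CSAM: update your details https://csam.ebox-login.xyz/u"}},
    {"src": "212.162.155.38", "method": "POST", "path": "/cgi", "cookie": "",
     "body": {"action": "sms_send", "to": "+32470000002",
              "text": "eBox: new document https://ebox.csam-trust.xyz/d"}},
    {"src": "212.162.155.38", "method": "POST", "path": "/cgi", "cookie": "",
     "body": {"action": "sms_outbox_list"}},
    {"src": "82.147.84.79", "method": "POST", "path": "/cgi",
     "cookie": "session=deadbeef", "body": {"action": "sms_inbox_list"}},
    {"src": "192.168.1.50", "method": "POST", "path": "/cgi",
     "cookie": "session=c0ffee",
     "body": {"action": "sms_send", "to": "+32470000009",
              "text": "Gateway self-test"}},
    {"src": "82.147.84.79", "method": "GET", "path": "/login.html",
     "cookie": "", "body": {}},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
PHONE_RE = re.compile(r"\+?\d{8,15}")


def is_external(src):
    """A router's management API should never be driven from the internet."""
    return not ipaddress.ip_address(src).is_private


def classify(event):
    """Return an alert dict for a suspicious SMS-API request, else None."""
    if event.get("method") != "POST" or event.get("path") != "/cgi":
        return None
    if not is_external(event["src"]):
        return None
    body_text = json.dumps(event.get("body", {}))
    if "sms" not in body_text.lower():
        return None
    phones = PHONE_RE.findall(body_text)
    return {
        "src": event["src"],
        # A recipient number means a send; otherwise inbox/outbox retrieval.
        "kind": "send" if phones else "history",
        "authenticated": bool(event.get("cookie")),
        "recipients": phones,
        "urls": URL_RE.findall(body_text),
    }


def detect(log_text, mass_threshold=2):
    """Parse JSON-lines requests; return (alerts, per-source summary)."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON noise rather than abort the run
        alert = classify(event)
        if alert:
            alerts.append(alert)

    sources = defaultdict(lambda: {"sends": 0, "history_queries": 0,
                                   "unauthenticated": 0,
                                   "recipients": set(), "urls": set()})
    for a in alerts:
        s = sources[a["src"]]
        if a["kind"] == "send":
            s["sends"] += 1
        else:
            s["history_queries"] += 1
        if not a["authenticated"]:
            s["unauthenticated"] += 1
        s["recipients"].update(a["recipients"])
        s["urls"].update(a["urls"])
    for s in sources.values():
        # Several distinct recipients from one source looks like a campaign.
        s["mass_smishing"] = len(s["recipients"]) >= mass_threshold
    return alerts, dict(sources)


if __name__ == "__main__":
    _, summary = detect(SAMPLE_LOG)
    for src, s in summary.items():
        print(src, {k: (sorted(v) if isinstance(v, set) else v)
                    for k, v in s.items()})
```

On the constructed log this yields three unauthenticated requests from 212.162.155.38 (two sends to distinct numbers plus an outbox listing, so the source is marked as mass smishing) and one cookie-bearing inbox query from 82.147.84.79, while the internal host's test message is ignored. The cookie check matters because the report describes both unauthenticated access and requests carrying a session cookie; both reach the same SMS functions, so neither should be treated as benign on its own.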

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers sent POST requests to the router /cgi API to trigger SMS sending and retrieve SMS history, exploiting exposed API endpoints: “…access to the list of sent SMS messages is performed via a POST request to the /cgi endpoint…”
  • [T1566.002] Phishing: Spearphishing Link – SMS messages contained phishing URLs impersonating CSAM/eBox and other services to capture banking details and credentials: “…phishing URLs typosquat well-known Belgian government platforms, namely CSAM and eBox.”
  • [T1598] Phishing for Information – Phishing pages impersonated government and service portals to exfiltrate credentials and banking information: “…The displayed page impersonates the Belgian CSAM service. It states ‘Update your information for the reimbursement of public services’. Its aim is to steal the target’s banking information.”
  • [T1078] Valid Accounts – Requests observed included an authentication cookie suggesting use of valid credentials to interact with the API: “…the attacker uses an authentication cookie, suggesting they have valid credentials.”
  • [T1204.001] User Execution: Malicious Link – SMS-distributed shortened URLs and mobile-only checks entice recipients to open phishing pages built for mobile devices: “…the script primarily checks whether the page is being accessed from a mobile device… Since the URLs are distributed via SMS, it is clear that the attacker is targeting mobile devices.”
  • [T1583.001] Acquire Infrastructure: Domains – Attacker registered multiple domains through NameSilo and hosted the phishing infrastructure with Podaon SIA to support campaigns: “…attacker consistently relies on NameSilo for domain registration and hosts their infrastructure with Podaon, SIA.”
  • [T1027] Obfuscated Files or Information – Phishing pages delivered obfuscated JavaScript that disabled right-click and browser debugging tools to hinder analysis: “…obfuscated script is designed to hinder analysis… disable right-click actions and browser debugging tools…”

Indicators of Compromise

  • [IP Address] attacker hosting / exploit origin – 212.162.155[.]38 (observed in honeypot logs), 82.147.84[.]79 (jnsi[.]xyz infrastructure)
  • [Domains] CSAM/eBox phishing domains – csam.ebox-login[.]xyz, ebox.csam-trust[.]xyz (and multiple ebox/csam variants listed; see report for full list)
  • [Domains] Multi-region/payment phishing domains – jnsi[.]xyz, estrk[.]xyz, disney[.]plus-billing[.]sbs (used across payment/refund campaigns targeting multiple countries)
  • [File/JS names] obfuscated JavaScript and detector scripts – maghat_lebssouch.js (phishing obfuscation), /static/detect_device.js (mobile detection used by phishing pages)
  • [Autonomous Systems] hosting/registration context – Podaon SIA / AS210895 and AS211860 (associated with observed IPs used by attacker)
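As an added triage example building on the indicator list above (not the report's code): it refangs the defanged domains from the list, extracts URLs from SMS bodies as an analyst might paste them into a ticket (plain or defanged), matches each hostname against the IoCs, and separately flags hostnames that carry a `csam` or `ebox` brand token outside an allowlist of legitimate registrable domains, so that typosquat variants not yet on the list still surface. The sample messages are constructed; the allowlist (`csam.be`, `myebox.be`) and the two-label registrable-domain shortcut are assumptions to adapt to your environment.

```python
"""Triage SMS lures against the report's IoC domains and a brand-squat check.

Added example, not Sekoia's code. Sample messages, the allowlist and the
two-label "registrable domain" shortcut are assumptions for the example.
"""
import re
from urllib.parse import urlsplit

# Domains from the report's IoC list, kept defanged as published.
DEFANGED_IOCS = [
    "csam.ebox-login[.]xyz", "ebox.csam-trust[.]xyz",
    "jnsi[.]xyz", "estrk[.]xyz", "disney[.]plus-billing[.]sbs",
]

# Assumed allowlist of legitimate registrable domains for the impersonated
# Belgian services; adjust for your environment.
BRAND_KEYWORDS = ("csam", "ebox")
ALLOWED_BRAND_DOMAINS = {"csam.be", "myebox.be"}

# Accept http(s) and the hxxp(s) defanging convention.
URL_RE = re.compile(r"""h(?:tt|xx)ps?://[^\s"'<>]+""")

# Constructed SMS bodies as an analyst might paste them into a ticket.
SAMPLE_SMS = [
    "CSAM: update your information for the reimbursement of public services "
    "https://csam.ebox-login.xyz/update",
    "Your eBox has a new document: hxxps://secure.csam-trust[.]xyz/doc",
    "Reminder: log in at https://www.csam.be/ to view your file",
    "Refund pending, confirm at https://disney.plus-billing.sbs/refund",
]


def refang(text):
    """Undo common defanging so IoCs and pasted URLs compare like-for-like."""
    return text.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOCS}


def registrable(host):
    """Naive eTLD+1: last two labels. A real deployment should use the
    public suffix list (this shortcut misjudges e.g. .co.uk)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def matches_ioc(host):
    """Exact IoC hostname or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def brand_squat(host, allowed=ALLOWED_BRAND_DOMAINS):
    """Brand token in any label, but registrable domain not on the allowlist."""
    has_brand = any(k in label for label in host.split(".") for k in BRAND_KEYWORDS)
    return has_brand and registrable(host) not in allowed


def triage_sms(text):
    """Return one finding per URL in the message with the reasons it was flagged."""
    findings = []
    for url in URL_RE.findall(text):
        host = (urlsplit(refang(url)).hostname or "").lower()
        reasons = []
        if matches_ioc(host):
            reasons.append("known_ioc")
        if brand_squat(host):
            reasons.append("brand_squat")
        findings.append({"url": url, "host": host, "reasons": reasons})
    return findings


def triage_batch(messages):
    """Flatten findings to (host, reasons) pairs, one per URL seen."""
    return [(f["host"], f["reasons"]) for m in messages for f in triage_sms(m)]


if __name__ == "__main__":
    for host, reasons in triage_batch(SAMPLE_SMS):
        print(host, reasons or ["clean"])
```

The second sample message is the interesting one: `secure.csam-trust.xyz` is not on the indicator list, so an exact-match feed would miss it, but the brand-token check catches it because the registrable domain is not the legitimate one. The legitimate `www.csam.be` link passes both checks, which is the behaviour you want before wiring this into an SMS-gateway or helpdesk workflow.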


Read more: https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis/