Industrial cellular routers in Australia exploited for smishing attacks
A popular make of industrial cellular routers, with nearly 10,000 devices connected to the Internet in Australia alone, is being exploited by attackers to send short messaging service (SMS) spam and phishing texts, commonly known as smishing. French security vendor Sekoia discovered earlier this year that the application programming interface (API) of hundreds of Milesight cellular routers was being used to send phishing messages via text. The primary targets of this campaign were Belgian government service portals, but Sekoia cyber threat intelligence analyst Jérémy Scion noted that Australian cellular routers were also under attack. Using the Shodan scan engine, Sekoia identified over 18,000 Milesight routers accessible online. Its threat detection team tested 6,643 routers and found that 572 were misconfigured, allowing unauthenticated access to their SMS inbox and outbox APIs, which is what made sending malicious text messages possible.
According to Shodan, Australia has the highest concentration of these routers, with 9,778 identified. Sekoia quickly tested a sample of about 3,000 Australian IP addresses and discovered that 90 exposed the SMS send/receive API without any authentication. Among these, at least six routers were involved in fraudulent smishing campaigns targeting Belgian phone numbers between June and September, aiming to steal banking information. Although the text messages were not successfully sent, owing to subscriber identity module (SIM) restrictions and other factors, the attempts themselves showed that the routers were being exploited. Sekoia detected these attacks through one of its honeypots, where the attacker presented a valid session cookie to authenticate with the router API. Where this credential came from remains unclear.
Sekoia suspects that the smishing campaign has been active since at least February 2022, with other countries, including Sweden and Italy, also targeted. The attacker's infrastructure appears to be linked to a Lithuanian virtual private server (VPS) provider, and a bot on the Telegram app was used to log connections from users who clicked on phishing links. Scion stated that Sekoia had not contacted the vendor, Milesight, emphasising that the documented issue was not a software vulnerability but a misconfiguration of the device.