SMS Phishing Tool Xeon Sender Abuses SaaS Platforms for Large-Scale Campaigns

Xeon Sender is a cloud attack tool that has drawn growing concern from cybersecurity experts because attackers use it to run large-scale SMS spam and phishing campaigns through legitimate software-as-a-service (SaaS) providers. The tool has changed little since it was first identified in 2022, but it remains a threat because it is simple and effective. Xeon Sender has gained attention within the cybersecurity community for its ability to send mass SMS messages through the APIs of several prominent SaaS providers. Although several threat actors have claimed authorship of the tool, its functionality has stayed consistent, allowing it to linger in cybercriminal circles.

A Tool Born from the Cloud Hacktool Scene

First seen in 2022, Xeon Sender, also known as XeonV5 and SVG Sender, is a Python-based script designed to send SMS messages en masse in support of phishing (smishing) and spam campaigns. Unlike many attack tools, Xeon Sender does not exploit a software vulnerability; it uses the legitimate messaging APIs that SaaS companies offer for purposes such as notifications and alerts, and repurposes them, with stolen credentials, to distribute spam. Xeon Sender follows a pattern common in the cloud hacktool scene: it is shared on Telegram channels, hacking forums, and smaller websites dedicated to cybercrime. Each version is rebranded by a different threat actor, who adds their own handle or slight modifications, but the underlying process remains mostly unchanged.

Availability and Access

One of the reasons Xeon Sender has become so pervasive is its availability and ease of use. The tool is distributed in a ready-to-use format with a command-line interface (CLI) through which the attacker selects a SaaS provider and drives its API directly. This interface simplifies bulk SMS sending and makes it accessible to less technically skilled cybercriminals. Xeon Sender is occasionally hosted on a web server behind a graphical user interface (GUI), lowering the barrier to entry further: individuals who are not comfortable running Python scripts can still use the tool effectively.

Exploiting SaaS APIs for Spam

Xeon Sender’s main function is to send bulk SMS messages through the APIs of nine different SaaS providers, including Amazon Simple Notification Service (SNS), Twilio, Nexmo, and Plivo. To use the tool, attackers need API keys and other credentials for these services, which they typically obtain from compromised accounts. The credentials are then used to craft API requests that carry the sender ID, the message content, and the recipient phone numbers. The tool loops through a list of phone numbers stored in a text file and sends the crafted message to each number in turn. The process is automated, and the script pauses briefly between messages to avoid drawing the service provider’s attention. Beyond sending SMS, Xeon Sender bundles auxiliary tools that extend its functionality. These include:

  • An account checker that validates Nexmo and Twilio credentials, confirming that the accounts are still live and can send messages.
  • A phone number generator that creates candidate numbers from a given country code and area code for use in spam campaigns.
  • A phone checker that verifies whether a number is valid by querying online databases, helping attackers narrow down their target lists.

Xeon Sender is not without flaws: its error handling when interacting with certain APIs is weak. With larger providers such as AWS SNS and Twilio, the tool commonly reports a generic “Success” message regardless of the outcome, which makes it difficult for attackers to troubleshoot failed sends.

Mitigation Strategies

Detecting Xeon Sender is not straightforward for security teams. The tool makes its API requests through each provider’s own Python library, each with its own characteristics, so its traffic looks like that of any legitimate integration, and because the APIs themselves are legitimate, the activity does not immediately appear suspicious. The practical defence is to monitor the SaaS accounts themselves: track changes to SMS sending permissions and configuration, watch for irregular patterns in distribution-list uploads, such as the abrupt addition of a large number of phone numbers, and alert on sudden spikes in message volume or in the number of distinct recipients from a single credential. Stricter controls on API usage, including rate limiting, spending limits and more granular permissions, reduce the impact of a leaked key, and any key suspected of compromise should be rotated promptly.
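The monitoring described above can be reduced to two checks over the provider’s audit log: a burst of messages to many distinct recipients from one principal, and any change to the account’s SMS sending configuration or permissions. The script below is an added example written for this article, not code from the article’s source or from Xeon Sender, and it targets AWS SNS because that provider exposes an audit trail in CloudTrail. It assumes CloudTrail-style JSON records, one per line, with the usual eventTime, eventSource, eventName, userIdentity.arn and requestParameters fields; the log lines it analyses are constructed inline for illustration. Note that SNS Publish calls are CloudTrail data events and are only recorded if data-event logging for SNS has been enabled; the equivalent check for Twilio, Nexmo or Plivo would read those providers’ own message logs instead.

```python
"""Flag Xeon Sender-style SMS abuse in CloudTrail-style SNS/IAM records.

Added example for this article; assumes CloudTrail-like JSON lines. The
sample log is constructed here and is not real customer data.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Management-plane events that change who can send SMS, or how much.
SMS_CONTROL_EVENTS = {
    ("sns.amazonaws.com", "SetSMSAttributes"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("iam.amazonaws.com", "PutUserPolicy"),
    ("iam.amazonaws.com", "CreateAccessKey"),
}


def _event(time, principal, name, params, source="sns.amazonaws.com"):
    """Build one minimal CloudTrail-style record (constructed test data)."""
    return json.dumps({
        "eventTime": time.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "eventSource": source,
        "eventName": name,
        "userIdentity": {"arn": principal},
        "requestParameters": params,
    })


def build_sample_log():
    """Constructed log: a legitimate alerting user plus a compromised key."""
    base = datetime(2024, 8, 20, 9, 0, tzinfo=timezone.utc)
    legit = "arn:aws:iam::111122223333:user/alerting-svc"
    stolen = "arn:aws:iam::111122223333:user/marketing-intern"
    lines = []
    # Legitimate pattern: one alert every 10 minutes to a few on-call numbers.
    for i in range(6):
        lines.append(_event(base + timedelta(minutes=10 * i), legit, "Publish",
                            {"phoneNumber": f"+1555010000{i % 3}",
                             "message": "disk 91% on db-01"}))
    # Abuse pattern: raise the spend limit, then hit 40 distinct numbers in 40s.
    lines.append(_event(base + timedelta(minutes=3), stolen, "SetSMSAttributes",
                        {"attributes": {"MonthlySpendLimit": "1000"}}))
    for i in range(40):
        lines.append(_event(base + timedelta(minutes=3, seconds=5 + i), stolen,
                            "Publish", {"phoneNumber": f"+1555020{i:04d}",
                                        "message": "Your parcel is on hold, confirm delivery"}))
    return lines


def parse_events(lines):
    """Parse JSON lines into dicts sorted by event time."""
    events = []
    for line in lines:
        rec = json.loads(line)
        events.append({
            "time": datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                    .replace(tzinfo=timezone.utc),
            "source": rec["eventSource"],
            "name": rec["eventName"],
            "principal": rec["userIdentity"]["arn"],
            "params": rec.get("requestParameters") or {},
        })
    return sorted(events, key=lambda e: e["time"])


def find_sms_bursts(events, window=timedelta(seconds=60), min_recipients=20):
    """Return {principal: peak distinct phone numbers within any `window`}
    for principals whose peak reaches `min_recipients`.

    Only direct-to-phone publishes count; a sliding window over the sorted
    sends finds the worst 60-second stretch per principal.
    """
    sends = defaultdict(list)
    for e in events:
        if (e["source"] == "sns.amazonaws.com" and e["name"] == "Publish"
                and "phoneNumber" in e["params"]):
            sends[e["principal"]].append((e["time"], e["params"]["phoneNumber"]))
    flagged = {}
    for principal, calls in sends.items():
        peak, start = 0, 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1
            peak = max(peak, len({num for _, num in calls[start:end + 1]}))
        if peak >= min_recipients:
            flagged[principal] = peak
    return flagged


def find_sms_control_changes(events):
    """Return (principal, eventName) for every SMS permission/config change."""
    return [(e["principal"], e["name"]) for e in events
            if (e["source"], e["name"]) in SMS_CONTROL_EVENTS]


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("bursts:", find_sms_bursts(evs))
    print("control changes:", find_sms_control_changes(evs))
```

Run against the constructed log, the alerting user never exceeds one recipient per minute and is ignored, while the compromised key is reported with a peak of 40 distinct recipients in one window, preceded by a SetSMSAttributes change from the same principal. The 20-recipient threshold is a starting point; tune it to the account’s normal alerting volume so that a genuine on-call storm does not page the SOC.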

Xeon Sender is indicative of the growing use of cloud-based tools to carry out large-scale attacks, and it shows how easy widespread SMS phishing and spam campaigns have become. While the tool itself lacks sophistication, its accessibility and ready availability make it a persistent threat.

Photo credits: Backcountry Media, AdobeStock.com


Posted by

Stan Deberenx

Stan Deberenx is the Editor-in-Chief of Defensorum. Stan has many years of journalism experience on several publications and a reputation for attention to detail and journalistic standards. He is a literature graduate of Sorbonne University, with a master's degree in management from Audencia/University of Cincinnati.