That annoying SMS phish you just got may have come from a box like this

Uncovering the Source of Smishing Operations: A Look into Compromised Routers

The researchers at Sekoia have shed light on a significant smishing campaign that has been making waves in the cybersecurity world. Smishing, a type of phishing attack that uses SMS messages to deceive victims, has been a persistent threat to individuals and organizations alike. The recent discovery of compromised routers has provided valuable insights into the infrastructure behind these operations.

The researchers wrote: “This campaign is notable in that it demonstrates how impactful smishing operations can be executed using simple, accessible infrastructure. Given the strategic utility of such equipment, it is highly likely that similar devices are already being exploited in ongoing or future smishing campaigns.” This underlines why securing these devices matters: the same class of equipment is likely to be abused again.

Vulnerabilities and Exploitation

Sekoia’s investigation revealed that the compromised routers were likely exploited through a vulnerability known as CVE-2023-43261. This vulnerability, which was fixed in 2023 with the release of version 35.3.0.7 of the device firmware, allowed attackers to access files in the router’s storage through a web interface. According to a post published by Bipin Jitiya, the researcher who discovered the vulnerability, the files contained cryptographically protected passwords for accounts, including the device administrator.

However, the researchers noted that this theory was contradicted by some of the facts uncovered in their investigation. For instance, an authentication cookie found on one of the hacked routers used in the campaign “could not be decrypted using the key and IV described in the article.” Furthermore, some of the routers abused in the campaigns ran firmware versions that weren’t susceptible to CVE-2023-43261, suggesting that other vulnerabilities or exploitation methods may have been used.
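One practical follow-up for a defender with a fleet of such routers is a firmware-version triage against the fixed release the article names. The script below is an added example, not code from the article or from Sekoia's report: the only fact it takes from the page is that version 35.3.0.7 fixed CVE-2023-43261; the inventory, hostnames and version strings are constructed. It also handles the classic pitfall of comparing dotted versions as strings, where "35.10.0.1" sorts before "35.3.0.7". As the article itself notes, a device on fixed firmware was still found in the campaign, so a "fixed" result rules out this one CVE and nothing more.

```python
"""Triage a router inventory against the CVE-2023-43261 fix version.

Added example (not from the article or Sekoia's report). The fix version
35.3.0.7 is taken from the article; the inventory below is constructed.
"""
from typing import Dict, List, Tuple

FIXED_VERSION = "35.3.0.7"  # firmware release the article says fixed CVE-2023-43261


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '35.3.0.7' into (35, 3, 0, 7) so comparison is numeric, not lexical.

    Plain string comparison gets this wrong: '35.10.0.1' < '35.3.0.7' as strings,
    even though 35.10 is the newer release.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_below_fix(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` predates the fixed release."""
    a, b = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so '35.3' compares as 35.3.0.0.
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Split an inventory of (hostname, firmware) into buckets for follow-up.

    'unfixed' devices are candidates for CVE-2023-43261; 'fixed' devices are
    not, which (as the article notes) does not rule out other exposure.
    'unknown' devices need a manual look because the version could not be parsed.
    """
    result: Dict[str, List[str]] = {"unfixed": [], "fixed": [], "unknown": []}
    for host, fw in inventory:
        try:
            bucket = "unfixed" if is_below_fix(fw) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("site-a-router", "35.2.0.5"),   # older than the fix
    ("site-b-router", "35.3.0.7"),   # exactly the fix release
    ("site-c-router", "35.10.0.1"),  # newer, but sorts lower as a string
    ("site-d-router", "35.3"),       # short version string
    ("site-e-router", "n/a"),        # unparseable, needs manual review
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the hostname/firmware pairs exported from whatever inventory or monitoring system tracks the routers; the "unfixed" bucket is the patch queue, and the "unknown" bucket is where inconsistent version reporting tends to surface.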

Phishing Websites and Tactics

The phishing websites used in the campaign ran JavaScript that prevented the pages from delivering malicious content unless the page was accessed from a mobile device. This tactic is likely intended to evade detection and analysis, since automated crawlers and analysts usually arrive from desktop browsers. Additionally, some of the sites ran JavaScript to disable right-click actions and browser debugging tools, further hindering reverse engineering efforts. Sekoia also found that some of the sites logged visitor interactions through a Telegram bot known as GroozaBot, which is operated by an actor named “Gro_oza.”
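The two evasion behaviours described above leave fingerprints in page source that an analyst can look for when triaging a reported URL. The script below is an added example, not code from the article or from Sekoia's analysis: it checks a fetched page for the markers the article describes (right-click blocked, debugging hindered, a user-agent gate) and separately compares the bodies served to a desktop and a mobile user agent. The HTML samples are constructed, the regexes are this script's own heuristics, and the marker labels are its own names. One point the article implies but does not spell out: a gate implemented in client-side JavaScript serves the same bytes to everyone, so a fetch-and-diff across user agents will not catch it; only the source inspection will.

```python
"""Flag phishing-kit evasion patterns of the kind the article describes.

Added example, not from the article or Sekoia's report. The HTML samples
and patterns below are constructed for illustration; marker names are
this script's own labels.
"""
import difflib
import re
from typing import Callable, Dict, List

_MOBILE_TOKENS = re.compile(r"Android|iPhone|iPad|Mobile", re.I)


def _contextmenu_blocked(html: str) -> bool:
    """Right-click disabled via a contextmenu listener or inline handler."""
    return re.search(
        r"addEventListener\(\s*['\"]contextmenu['\"]"
        r"|oncontextmenu\s*=\s*['\"]?\s*return\s+false",
        html, re.I) is not None


def _devtools_hindered(html: str) -> bool:
    """F12 (keyCode 123) swallowed, or 'debugger' statements used as a trap."""
    return re.search(
        r"keyCode\s*==+\s*123|key\s*==+\s*['\"]F12['\"]|\bdebugger\b",
        html, re.I) is not None


def _mobile_gate(html: str) -> bool:
    """navigator.userAgent tested against mobile platform names nearby (either side)."""
    for m in re.finditer(r"navigator\.userAgent", html):
        window = html[max(0, m.start() - 80): m.end() + 80]
        if _MOBILE_TOKENS.search(window):
            return True
    return False


# Label -> predicate. Heuristics for triage, not proof of malice.
MARKERS: Dict[str, Callable[[str], bool]] = {
    "contextmenu-blocked": _contextmenu_blocked,
    "devtools-check": _devtools_hindered,
    "mobile-gate": _mobile_gate,
}


def find_markers(html: str) -> List[str]:
    """Return the labels of every evasion marker found in the page source."""
    return [name for name, check in MARKERS.items() if check(html)]


def server_side_cloaking(desktop_body: str, mobile_body: str,
                         threshold: float = 0.6) -> bool:
    """True when one URL served materially different HTML to the two user agents.

    Client-side gating (the JavaScript the article describes) will not trip
    this: the bytes are identical and only the browser hides them. autojunk is
    off so identical bodies always score 1.0 regardless of length.
    """
    ratio = difflib.SequenceMatcher(None, desktop_body, mobile_body,
                                    autojunk=False).ratio()
    return ratio < threshold


def assess(responses: Dict[str, str]) -> Dict[str, object]:
    """Combine both signals for one URL fetched with a desktop and a mobile UA."""
    desktop, mobile = responses["desktop"], responses["mobile"]
    return {
        "server_side_cloaking": server_side_cloaking(desktop, mobile),
        "markers": sorted(set(find_markers(desktop)) | set(find_markers(mobile))),
    }


# Constructed sample: one page body that gates on the client side and
# carries the anti-analysis handlers. Not taken from any real kit.
CLIENT_GATED_PAGE = """<html><body>
<form id="f"><input name="account"><input name="code"></form>
<script>
document.addEventListener('contextmenu', function (e) { e.preventDefault(); });
document.onkeydown = function (e) { if (e.keyCode == 123) return false; };
if (!/Android|iPhone|iPad/i.test(navigator.userAgent)) { document.body.innerHTML = ''; }
</script></body></html>"""

# Constructed sample: what a server-side cloak might return to a desktop browser.
BLANK_PAGE = "<html><body></body></html>"

if __name__ == "__main__":
    print("client-side gate only:", assess({"desktop": CLIENT_GATED_PAGE,
                                            "mobile": CLIENT_GATED_PAGE}))
    print("server-side cloak:", assess({"desktop": BLANK_PAGE,
                                        "mobile": CLIENT_GATED_PAGE}))
```

In practice the two bodies come from fetching the reported URL twice, once with a desktop and once with a mobile user-agent string, from a sandboxed analysis host; the markers list then tells the analyst whether a headless mobile browser is needed to see what victims saw.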

The investigation highlights the importance of securing industrial routers and other devices that can be used to facilitate smishing operations. As Sekoia notes, the resources used in these campaigns often come from small, overlooked devices tucked away in industrial settings. Given the prevalence and massive volume of smishing messages, it is essential to stay vigilant and take steps to prevent these types of attacks.

For more information on this smishing campaign and the compromised routers, visit Here

Image Credit: arstechnica.com
