
Silent Smishing: The Hidden Abuse of Cellular Router APIs

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY:

This report analyzes a smishing campaign exploiting vulnerabilities in Milesight Industrial Cellular Routers to send malicious SMS messages. The attackers targeted primarily Belgian users by impersonating government services like CSAM and eBox. Over 18,000 vulnerable routers were identified globally, with at least 572 potentially exploitable. The campaign has been active since February 2022, affecting multiple European countries. The attackers used NameSilo for domain registration and Podaon SIA for hosting. The phishing infrastructure was linked to a threat actor cluster known as 'GroozaV2'. The report highlights the ongoing threat of smishing and the need for increased vigilance against unsolicited messages.

OPENCTI LABELS:

api exploitation,smishing,belgium,vulnerability,phishing,cve-2023-43261,cellular routers,ebox,csam


AI COMMENTARY:

1. The blog post titled Silent Smishing: The Hidden Abuse of Cellular Router APIs delves into how threat actors have turned industrial cellular routers into tools for delivering malicious SMS messages. This campaign, active since February 2022, exploits vulnerabilities in Milesight Industrial Cellular Routers to impersonate legitimate Belgian government services such as CSAM and eBox. By targeting unsuspecting citizens with official-looking messages, attackers aim to harvest credentials or deliver harmful links, underscoring the evolving nature of smishing threats.

2. At the heart of this operation lies API exploitation of the cellular router management interface. The threat actors leveraged a vulnerability now tracked as CVE-2023-43261, allowing them to bypass authentication and send SMS messages through the router’s SMS gateway. Over 18,000 routers worldwide were discovered to be vulnerable, with at least 572 devices identified as easily exploitable. The stealthy misuse of these routers’ legitimate SMS capabilities enabled attackers to remain under the radar of traditional email or network-based detection systems.

3. The phishing infrastructure supporting this smishing campaign was meticulously assembled. Domain registrations were handled through NameSilo, and hosting services were provided by Podaon SIA. These services powered a network of deceptive websites replicating official eBox and CSAM portals in appearance and functionality. The domains and hosting setup were traced back to a threat actor cluster known as GroozaV2, which has been linked to similar API exploitation and phishing operations in the past.

4. Belgian users bore the brunt of this targeted attack, receiving messages purporting to require urgent action for tax filings or child protection cases. Yet the campaign was not strictly confined to Belgium; multiple European countries reported suspicious SMS activity, suggesting a wider reach. The choice of Belgian government services as the lure highlights how attackers tailor smishing efforts to local trust anchors. As victims click links or enter credentials, they risk financial loss, identity theft, and long-term exposure to further malicious campaigns.

5. The disclosure of CVE-2023-43261 prompted Milesight to release firmware updates and security advisories. Organizations and individuals operating these routers must apply patches immediately and enforce strong authentication on their device management interfaces. Network defenders should monitor outbound SMS traffic for anomalies and enable multi-factor authentication on portals that handle sensitive user data. Regular vulnerability assessments can help identify misconfigured routers before they become attack vectors.

6. The emergence of silent smishing via cellular router APIs teaches a crucial lesson: attackers continuously innovate by repurposing trusted technologies. Threat intelligence teams must expand their monitoring scope to include SMS-based channels and API interactions. Collaboration between device manufacturers, service providers, and cybersecurity researchers is essential to identify weaknesses early and share indicators of compromise. By remaining vigilant, applying timely patches, and educating end users about unsolicited messages, organizations can mitigate the risks posed by this insidious form of smishing.



