https://blog.sekoia.io/silent-smishing-the-hidden-abuse-of-cellular-router-apis

A popular make of industrial cellular routers, with nearly 10,000 devices connected to the internet in Australia alone, is being exploited by cybercriminals for widespread SMS-based phishing (smishing) campaigns.

According to French security vendor Sekoia, the application programming interface (API) of hundreds of Milesight cellular routers was being misused to deliver fraudulent text messages targeting Belgian government service portals. Further investigation revealed that Australian cellular routers were also being abused as part of this global smishing operation.

Sekoia’s threat detection team discovered that over 18,000 Milesight routers were accessible via the internet, and 572 of them were misconfigured to allow unauthenticated access to their inbox and outbox APIs. These vulnerable APIs were then exploited by attackers to send malicious text messages, with some of the targeted routers located in Australia.

“According to Shodan, there are 9778 routers of this type in Australia, the highest concentration worldwide,” said Jérémy Scion, a cyber threat intelligence analyst at Sekoia. “We quickly tested a sample of about 3000 Australian IP addresses and found that 90 of them expose the SMS-send/receive API without any authentication.”

While the text messages were not successfully delivered due to various factors, the attempts to transmit them prove that these vulnerable industrial routers were exploited. Sekoia believes the smishing campaign has been active since at least February 2022, targeting phone numbers in multiple countries, including Belgium, Sweden, and Italy.