Unknown threat actors have abused the Milesight Industrial Cellular Router since at least February 2022 to send SMS messages as part of an SMS campaign targeting users in European countries.
French cybersecurity firm Sekoia said attackers are leveraging Cellular Router’s API to send malicious SMS messages containing phishing URLs, and campaigns that target mainly Sweden, Italy and Belgium target Typosted URLs that decorate government platforms such as CSAM and EBox, as well as government platforms such as banks and post offices.
Of the 18,000 routers of this type that can be accessed on the public Internet, over 572 have been rated potentially vulnerable as they expose their inbox/outbox APIs. Approximately half of the vulnerable routers identified are in Europe.
“In addition, the API allows for the retrieval of both incoming and outgoing SMS messages, indicating that the vulnerability has been actively exploited in malicious SMS campaigns since at least February 2022,” the company said. “There is no evidence of attempts to install backdoors or leverage other vulnerabilities on the device. This suggests a targeting approach specialized for attacker smishing operations.”
The attacker is believed to be exploiting the current flaws in disclosure affecting miles routers (CVE-2023-43261, CVSS score: 7.5). A few weeks later, Vulncheck revealed that the vulnerability could have been weaponized in the wild shortly after its release.
Further investigations revealed that some industrial routers expose SMS-related features without the need for authentication in any form, such as sending messages or displaying SMS history.
An attack could include an initial verification phase in which a threat actor attempts to verify whether a particular router can send SMS messages by targeting a phone number under his control. Sekoia further noted that since several routers are known to be running recent firmware versions that are less susceptible to CVE-2023-43261, the API could also be exposed due to false guiding.
Phishing URLs distributed using this method include JavaScript that checks whether the page is being accessed from a mobile device before serving malicious content.
Additionally, one of the domains used in the campaign between January and April 2025 – JNSI[.]XYZ – Make JavaScript code work that disables right-click actions and browser debugging tools to prevent analysis efforts. Some pages are also known to record visitor connections to a telegram bot named Groozabot, run by an actor named “gro_oza”, who appears to speak both Arabic and French.
“The vulnerable campaign appears to have been carried out through the use of vulnerable cell routers. This is a relatively unsleek but effective delivery vector,” Sequoia said. “These devices are particularly appealing to threat actors as they allow for decentralized SMS distribution across multiple countries and complicate both detection and takedown efforts.”
Source link
