IoT routers driving SMS phishing

Researchers at Sekoia.io have found that cybercriminals are exploiting Milesight cellular routers on a large scale to spread phishing messages via SMS. This is known as smishing.

These devices are typically used in industrial environments, for example, to connect traffic lights, energy meters, and other IoT systems via 3G, 4G, or 5G. The routers are equipped with SIM cards and can be controlled via SMS, Python scripts, and web interfaces.

According to Sekoia, the campaigns have been active since 2022. They mainly target European countries. Belgium stands out as the primary target, with messages posing as official communications from CSAM and eBox. Large-scale attacks have also been detected in France, Italy, and Sweden. Worldwide, more than 18,000 of these routers are accessible on the internet, hundreds of which lack any form of security. Many devices also run highly outdated firmware with known vulnerabilities.

Multiple attack techniques

A major weakness is CVE-2023-43261, a configuration error that made log files publicly accessible. These logs contained encrypted passwords, along with the keys and initialization vectors needed to decrypt them, which allowed attackers to gain full access to the routers. However, not every incident can be traced back to this vulnerability. Some compromised devices were running firmware that was not vulnerable to it, and in other cases the authentication cookies found did not match the known decryption method. This suggests that other attack techniques are also being employed.

The phishing websites to which victims are directed contain mechanisms that make analysis difficult. For example, they check whether a visitor is using a mobile device and only display the fraudulent page in that case. Other pages disable browser functions, such as right-clicking or using debug tools, to frustrate investigation by security specialists.
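For analysts triaging a link reported from a suspicious SMS, the behaviours described above can be flagged statically in saved page source before opening it in a browser. The script below is an added example, not code from Sekoia or from the article; the regexes and both sample pages are constructed assumptions for illustration.

```python
import re

# Heuristic patterns for the behaviours the article describes. These regexes
# are illustrative assumptions, not signatures published by the researchers.
INDICATORS = {
    # User-agent test against mobile keywords (page shown to phones only)
    "mobile_gate": re.compile(
        r"navigator\.userAgent[^;]{0,200}(Android|iPhone|Mobi)"
        r"|(Android|iPhone|Mobi)[^;]{0,200}navigator\.userAgent", re.I),
    # Right-click (context menu) suppressed
    "right_click_blocked": re.compile(
        r"oncontextmenu\s*=|addEventListener\(\s*['\"]contextmenu['\"]", re.I),
    # F12 (key code 123) intercepted to keep developer tools closed
    "devtools_keys_blocked": re.compile(
        r"(keyCode|which)\s*={2,3}\s*123\b|\.key\s*={2,3}\s*['\"]F12['\"]", re.I),
    # debugger statement used to stall an attached debugger
    "debugger_trap": re.compile(r"\bdebugger\s*;"),
}

def triage(html: str) -> dict:
    """Map each indicator name to the 1-based line numbers where it matches."""
    hits = {}
    for lineno, line in enumerate(html.splitlines(), 1):
        for name, rx in INDICATORS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits

# Constructed sample: a page combining the evasion behaviours described above.
SUSPECT_PAGE = """<html><body>
<script>
if (!/Android|iPhone|Mobi/i.test(navigator.userAgent)) { location.replace("about:blank"); }
document.addEventListener("contextmenu", function (e) { e.preventDefault(); });
document.onkeydown = function (e) { if (e.keyCode == 123) return false; };
</script>
<form action="/login"></form>
</body></html>"""

# Constructed sample: reading the user agent alone is not an indicator.
BENIGN_PAGE = """<html><body>
<script>console.log(navigator.userAgent);</script>
<p>Hello</p>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("suspect", SUSPECT_PAGE), ("benign", BENIGN_PAGE)):
        print(label, triage(page) or "no indicators")
```

A hit is a reason to examine the page in an isolated environment with a mobile user agent, not a verdict: legitimate sites also adapt to mobile browsers, and obfuscated scripts will not match these patterns.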

Sekoia emphasizes that this method of smishing is relatively simple but very effective. By exploiting routers with SIM cards, attackers can send text messages from multiple countries simultaneously, making detection and blocking more challenging. The picture that emerges is that inconspicuous IoT devices, often hidden within industrial installations, can play a crucial role in large-scale phishing operations. The researchers anticipate that this type of equipment will continue to be a target in the future and urge organizations and users to be vigilant for suspicious messages containing links.