That annoying SMS phishing message you received might have originated from a device like this.

Investigation Uncovers Vulnerable Routers Used in Smishing Campaigns

Recent investigations reveal a coordinated smishing operation leveraging unsecured router infrastructure, highlighting an easily overlooked weak point in the wider security landscape. According to researchers from Sekoia, this campaign exemplifies how easily accessible technology can facilitate impactful phishing scams, raising alarms about the potential for ongoing exploitation of similar devices.

The findings suggest that several compromised devices may have been affected by a specific vulnerability known as CVE-2023-43261. This flaw was identified in routers, resulting from a misconfiguration that allowed unauthorized access to sensitive files via a web interface. The issue was addressed in 2023 with a firmware update (version 35.3.0.7), yet many of the 572 routers identified as unsecured were still operating on outdated versions (32 or earlier).
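A first defensive step for anyone operating such devices is an inventory check against the fix version the article cites. The following is an added example (not code from Sekoia or the router vendor) that parses firmware version strings and flags every device running something older than 35.3.0.7; the inventory it runs over is constructed sample data, and the device names are placeholders.

```python
"""Fleet audit helper: flag router firmware versions that predate the fix
for CVE-2023-43261 (fixed in 35.3.0.7, as stated in the article).

Added example. SAMPLE_INVENTORY is constructed data, not devices from the
investigation.
"""
from typing import List, Tuple

FIXED_VERSION = "35.3.0.7"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '35.3.0.7' into (35, 3, 0, 7).

    Shorter strings are right-padded with zeros so that a bare '32'
    (the article's 'version 32 or earlier') compares as (32, 0, 0, 0).
    """
    parts = [int(p) for p in version.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_unpatched(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running firmware is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the identifiers of devices whose firmware predates the fix."""
    return [device for device, version in inventory if is_unpatched(version)]


# Constructed sample inventory: (device identifier, reported firmware version).
SAMPLE_INVENTORY = [
    ("router-site-a", "32.1.0.3"),   # far behind the fix
    ("router-site-b", "35.3.0.7"),   # exactly the fixed release
    ("router-site-c", "35.2.0.9"),   # one minor release short of the fix
    ("router-site-d", "36.0.0.1"),   # newer than the fix
]

if __name__ == "__main__":
    for device in audit(SAMPLE_INVENTORY):
        print(f"{device}: firmware predates {FIXED_VERSION}, review for CVE-2023-43261")
```

The version check is necessary but not sufficient: the article notes that some compromised routers ran firmware that was not vulnerable to CVE-2023-43261, so a device passing this audit still warrants review of its exposed web interface and of any unexpected accounts or configuration changes.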

The original researcher who identified CVE-2023-43261, Bipin Jitiya, noted that some accessible files contained cryptographically protected passwords for critical accounts, including the device administrator. Although these passwords were encrypted, the presence of the encryption key and initialization vector (IV) in the unsecured files could permit attackers to decrypt the data, granting full administrative access. However, researchers have since uncovered discrepancies in this theory based on the evidence collected during their investigation.

For instance, an authentication cookie found on a hacked router could not be decrypted with the key and IV highlighted by Jitiya. Further complicating the situation, some of the compromised routers were running firmware versions that were not vulnerable to CVE-2023-43261, indicating that multiple exploitation techniques may have been at play.

In terms of the operational methodology, the smishing websites employed JavaScript to prevent the display of malicious content unless accessed via mobile devices, while also disabling right-click functionalities and browser debugging tools. These tactics appear to be strategies aimed at obfuscating the campaign’s activities from analysts and cybersecurity experts. Additionally, some phishing sites were found to log visitor interactions through a Telegram bot operated by a known actor, signaling a calculated approach to information gathering.
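The anti-analysis behaviours described above leave recognisable traces in a captured page's source, which makes them useful triage signals. The following is an added example (not code from the researchers or from any phishing kit) that scans a saved page for the three patterns the article names: user-agent gating that hides content from non-mobile visitors, suppression of the right-click context menu, and interference with browser debugging tools. The regular expressions are heuristics assumed here, and both sample pages are constructed.

```python
"""Static triage helper: flag anti-analysis patterns in a captured page.

Added example. The indicator patterns are heuristics assumed for
illustration; SAMPLE_PAGE and BENIGN_PAGE are constructed inputs.
"""
import re
from typing import Dict, List

# Each indicator pairs a label with a loose pattern. The bounded gaps
# (.{0,N}) keep a match local rather than spanning the whole document.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # userAgent tested against a mobile marker, in either order
    "mobile_only_gating": re.compile(
        r"(Android|iPhone|Mobile).{0,80}navigator\.userAgent"
        r"|navigator\.userAgent.{0,80}(Android|iPhone|Mobile)",
        re.I | re.S,
    ),
    # contextmenu handler that cancels the event
    "contextmenu_blocked": re.compile(
        r"contextmenu.{0,120}(preventDefault|return\s+false)", re.I | re.S
    ),
    # keydown handler reacting to F12 (keyCode 123)
    "devtools_key_blocked": re.compile(
        r"keydown.{0,120}(F12|keyCode\s*===?\s*123)", re.I | re.S
    ),
    # bare debugger statement used to stall an open devtools session
    "debugger_trap": re.compile(r"\bdebugger\b"),
}


def find_indicators(page_source: str) -> List[str]:
    """Return the labels of every indicator present in the page source."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(page_source)]


def triage_score(page_source: str) -> int:
    """Number of distinct anti-analysis indicators found (0 = none seen)."""
    return len(find_indicators(page_source))


# Constructed sample: a page that hides itself from desktop browsers and
# suppresses right-click and F12.
SAMPLE_PAGE = """<script>
if (!/Android|iPhone/i.test(navigator.userAgent)) { document.body.innerHTML = ""; }
document.addEventListener("contextmenu", function (e) { e.preventDefault(); });
document.addEventListener("keydown", function (e) { if (e.key === "F12") e.preventDefault(); });
</script>"""

# Constructed sample: an ordinary page with none of the behaviours.
BENIGN_PAGE = "<html><body><p>Welcome</p><script>console.log('hi')</script></body></html>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, triage_score(page), find_indicators(page))
```

Run it over pages fetched with a desktop user agent and again with a mobile one; a page that returns empty content to the former but scores on these indicators in the latter is worth a closer look. The score is a prioritisation aid, not a verdict, since legitimate sites occasionally suppress context menus as well.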

Despite the large volume of smishing messages circulating monthly, it’s often puzzling how these scams continue to evade detection and shutdown efforts. The investigation suggests that these operations may be facilitated by overlooked technological resources, potentially located in less monitored environments, such as industrial settings.

The tactics observed map onto the MITRE ATT&CK framework, pointing to potential adversary actions including initial access through exploitation of public-facing applications, persistence via the establishment of accounts on compromised devices, and privilege escalation through manipulation of router configuration files.

As smishing tactics evolve, it remains essential for businesses to maintain a vigilant stance on cybersecurity, particularly with regard to the devices in their environments. Understanding the cyber threat landscape, as illuminated by these recent findings, is crucial for safeguarding sensitive information and defending against future attacks.
