Cybercriminals Exploit Milesight Routers to Launch Smishing Attacks Across Europe

In a concerning development, cybercriminals have been exploiting vulnerabilities in Milesight industrial cellular routers to orchestrate smishing campaigns targeting European users since at least February 2022. These attacks have primarily affected individuals in Sweden, Italy, and Belgium, leveraging the routers’ SMS capabilities to disseminate phishing messages.

Understanding the Exploited Vulnerability

The root of these attacks lies in a critical information disclosure vulnerability identified as CVE-2023-43261. This flaw, present in Milesight router models UR5X, UR32L, UR32, UR35, and UR41 with firmware versions prior to 35.3.0.7, allows unauthorized access to sensitive router components. Specifically, attackers can exploit this vulnerability to access log files containing encrypted administrative credentials. Compounding the issue, the routers’ web interface includes hardcoded AES secret keys and initialization vectors, enabling attackers to decrypt these credentials and gain unauthorized control over the devices.

Mechanism of the Smishing Campaigns

By exploiting the aforementioned vulnerability, attackers have been able to access the routers’ SMS functionalities without authentication. This unauthorized access has been used to send phishing messages containing malicious URLs that impersonate legitimate entities such as government platforms (e.g., CSAM and eBox), banking institutions, postal services, and telecom providers. The phishing URLs often employ typosquatting techniques, where the malicious domain closely resembles the legitimate one, increasing the likelihood of deceiving recipients.

The phishing messages are crafted to appear as urgent communications, prompting recipients to click on the embedded links. Once clicked, these links lead to fraudulent websites designed to harvest sensitive information, such as login credentials and financial details. The attackers have also implemented JavaScript code within these phishing pages to detect if the user is accessing the site from a mobile device, ensuring the malicious content is appropriately displayed.
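The typosquatting and impersonation patterns described above are something a defender can screen for mechanically. The following is an added example, not code from the original article or from any of the researchers it cites: a small Python scanner that pulls URLs out of SMS text and compares the registrable domain against an allowlist of the domains a campaign imitates. It flags digit-for-letter look-alikes, one- or two-character edits, a legitimate domain buried in the subdomain of an unrelated host, and a brand name embedded in a longer domain. The allowlist domains and the sample messages are constructed placeholders, not the real CSAM, eBox, bank, postal or telecom domains.

```python
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed placeholders for the domains the campaign pretends to be.
# A real deployment would list the actual government, bank, postal and
# telecom domains its users are expected to receive messages from.
LEGIT_DOMAINS = sorted({"govportal.example", "mybank.example",
                        "post.example", "telco.example"})

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Digits and symbols commonly substituted for letters; after this
# translation "g0vportal" and "govportal" compare equal.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "|": "l"})

# Maximum edit distance treated as a typosquat (e.g. "my-bank" vs "mybank").
MAX_EDITS = 2


def normalise(host: str) -> str:
    """Lower-case, fold look-alike characters, and collapse 'rn' -> 'm'."""
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m")


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(host: str) -> Optional[Tuple[str, str]]:
    """Return (verdict, impersonated_domain), or None if the host is allowlisted
    or resembles nothing on the allowlist."""
    host = host.lower()
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return None
    reg_name = reg.split(".")[0]
    for legit in LEGIT_DOMAINS:
        legit_name = legit.split(".")[0]
        # "post.example.delivery-update.example": real domain as a subdomain.
        if host.startswith(legit + "."):
            return ("subdomain_impersonation", legit)
        # "g0vportal.example": equal only after look-alike folding.
        if normalise(reg) == normalise(legit):
            return ("homoglyph", legit)
        # "my-bank.example": within a couple of edits of the real domain.
        if levenshtein(reg, legit) <= MAX_EDITS:
            return ("typosquat", legit)
        # "govportal-secure.example": brand name inside a longer label.
        # Short brand names will over-match; tune the allowlist accordingly.
        if legit_name in reg_name:
            return ("brand_in_domain", legit)
    return None


def scan_messages(messages):
    """Extract URLs from each SMS body and return one finding per suspicious host."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg):
            host = urlsplit(url).hostname or ""
            verdict = classify(host)
            if verdict:
                findings.append({"url": url, "host": host,
                                 "verdict": verdict[0], "impersonates": verdict[1]})
    return findings


# Constructed sample messages in the style the article describes.
SAMPLE_SMS = [
    "Your tax refund is ready. Confirm at https://g0vportal.example/refund",
    "Parcel held: pay fee at https://post.example.delivery-update.example/track",
    "Security alert: verify your account https://my-bank.example/login",
    "Your invoice is available at https://telco.example/bills",
    "Meet at 6 tonight, no link here",
    "Update your ID now https://govportal-secure.example/id",
]

if __name__ == "__main__":
    for f in scan_messages(SAMPLE_SMS):
        print(f"{f['verdict']:24} {f['host']:40} impersonates {f['impersonates']}")
```

The registrable-domain step is deliberately naive (last two labels); for country-code second-level domains such as `.co.uk` a public-suffix list is needed, otherwise every `.co.uk` host would collapse to the same registrable domain. The checks are ordered so a homoglyph match is reported as such rather than as a generic typosquat.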

Scope and Impact of the Exploitation

Research indicates that out of approximately 18,000 Milesight routers accessible via the public internet, at least 572 are potentially vulnerable due to exposed inbox/outbox APIs. Notably, about half of these susceptible routers are located in Europe, aligning with the geographical focus of the smishing campaigns.

The exploitation of these routers for smishing purposes underscores a targeted approach by the attackers. There is no evidence suggesting attempts to install backdoors or exploit other vulnerabilities on the devices, indicating that the primary objective is the dissemination of phishing messages.

Mitigation and Preventive Measures

In response to the discovery of CVE-2023-43261, Milesight released firmware version 35.3.0.7 to address the vulnerability. Users are strongly advised to update their routers to version 35.3.0.7 or later to mitigate the risk of exploitation.

Additionally, users should implement the following security practices:

– Change Default Credentials: Replace default usernames and passwords with strong, unique credentials to prevent unauthorized access.

– Disable Unnecessary Services: Turn off services and features that are not in use to reduce potential attack vectors.

– Implement Access Controls: Restrict access to the router’s management interface to trusted networks and users.

– Monitor Network Traffic: Regularly review network logs for unusual activity that may indicate unauthorized access or exploitation attempts.

– Educate Users: Inform users about the risks of phishing attacks and encourage vigilance when receiving unsolicited messages containing links or requests for sensitive information.
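The "restrict the management interface to trusted networks" and "review logs for unusual activity" points above can be combined into a concrete check. The following is an added example, not code from the article or from Milesight: a Python script that reads web-access log lines in Common Log Format, keeps only requests to the router's SMS inbox/outbox API, and raises two kinds of alert: any SMS API request from an address outside the trusted management networks, and a burst of successful outbound-SMS requests from one address inside a short window, which is the signature of a device being used to pump out phishing texts. The API paths, trusted networks, thresholds and log lines are all constructed assumptions; the article mentions exposed inbox/outbox APIs but gives no URLs, so the paths here are placeholders to be replaced with the real ones.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical paths standing in for the router's SMS API; not documented
# on the page, so treat them as placeholders for your device's real endpoints.
SMS_API_PATHS = ("/api/sms/outbox", "/api/sms/inbox")
SMS_SEND_PATH = "/api/sms/outbox"

# Networks from which management access is expected (assumed values).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.10.0/24")]

# More than this many successful sends from one address within the window
# is treated as a bulk-SMS burst (assumed thresholds; tune to normal usage).
BURST_THRESHOLD = 5
BURST_WINDOW = timedelta(minutes=5)

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line: str):
    """Parse one CLF line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyse(lines):
    """Return a list of (alert_type, source_ip, detail) tuples."""
    alerts = []
    flagged_untrusted = set()
    send_times = defaultdict(list)

    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SMS_API_PATHS):
            continue
        # Any SMS API access from outside the management networks is notable:
        # the API should not be reachable from there at all.
        if not is_trusted(rec["ip"]) and rec["ip"] not in flagged_untrusted:
            flagged_untrusted.add(rec["ip"])
            alerts.append(("sms_api_from_untrusted_source", rec["ip"], rec["path"]))
        # Count successful outbound sends per source address.
        if rec["method"] == "POST" and rec["path"] == SMS_SEND_PATH and rec["status"] < 400:
            send_times[rec["ip"]].append(rec["ts"])

    # Sliding window over each address's send timestamps.
    for ip, times in send_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append(("sms_send_burst", ip,
                               f"{end - start + 1} sends in {BURST_WINDOW}"))
                break
    return alerts


# Constructed sample log: one trusted admin, one untrusted address that reads
# the inbox and then fires five sends in 25 seconds, plus one malformed line.
SAMPLE_LOG = """\
192.168.10.5 - admin [10/Mar/2024:09:00:01 +0000] "GET /api/sms/inbox HTTP/1.1" 200 512
203.0.113.77 - - [10/Mar/2024:09:01:10 +0000] "GET /api/sms/inbox HTTP/1.1" 200 512
203.0.113.77 - - [10/Mar/2024:09:01:15 +0000] "POST /api/sms/outbox HTTP/1.1" 200 64
203.0.113.77 - - [10/Mar/2024:09:01:20 +0000] "POST /api/sms/outbox HTTP/1.1" 200 64
203.0.113.77 - - [10/Mar/2024:09:01:25 +0000] "POST /api/sms/outbox HTTP/1.1" 200 64
203.0.113.77 - - [10/Mar/2024:09:01:30 +0000] "POST /api/sms/outbox HTTP/1.1" 200 64
203.0.113.77 - - [10/Mar/2024:09:01:35 +0000] "POST /api/sms/outbox HTTP/1.1" 200 64
203.0.113.77 - - [10/Mar/2024:09:02:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 128
192.168.10.5 - admin [10/Mar/2024:09:05:00 +0000] "POST /api/sms/outbox HTTP/1.1" 200 64
this line is not in common log format
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

The untrusted-source alert fires once per address rather than per request, so a single scan of an exposed device produces one line instead of hundreds; the burst check only counts successful sends, so failed attempts against a patched device do not trip it. The same two signals work on firewall or reverse-proxy logs in front of the router if the device's own logging is too sparse.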

Conclusion

The exploitation of Milesight routers to facilitate smishing campaigns highlights the critical importance of timely vulnerability management and robust security practices. By addressing known vulnerabilities and implementing comprehensive security measures, organizations and individuals can significantly reduce the risk of such targeted cyberattacks.