Hackers Exploit Milesight Routers to Send Phishing SMS to European Users
Unknown threat actors are abusing Milesight industrial cellular routers to send SMS messages as part of a smishing campaign targeting users in European countries since at least February 2022. French cybersecurity company SEKOIA said the attackers are exploiting the cellular router's API to send malicious SMS messages containing phishing URLs, with the campaigns primarily targeting Sweden, Italy,
AI Analysis
Technical Summary
SEKOIA reports that unknown threat actors are abusing Milesight industrial cellular routers as SMS relays for smishing campaigns against mobile users in Europe. The routers expose an SMS API that, on many devices, allows messages to be sent and the SMS inbox/outbox to be read without authentication. This access is believed to stem from CVE-2023-43261 (CVSS 7.5), a previously disclosed information disclosure flaw in Milesight routers that the vendor has patched but that remains unremediated on many deployed devices.

The messages carry URLs impersonating trusted entities: Belgian government platforms (CSAM, eBox), banks, postal services and telecom providers, usually on typosquatted domains. The landing pages use JavaScript to check that the visitor is on a mobile device before serving the phishing content, which presses the victim to "update" banking details under a false pretext. Some of the domains also disable right-click and browser debugging tools and report each visitor to a Telegram bot operated by an actor using the handle "Gro_oza".

Before using a router, the operators validate it by sending test SMS to numbers under their own control. The activity dates back to at least February 2022. No malware or backdoor was found on the routers, so this is relay abuse rather than a device takeover. Around 18,000 Milesight routers are reachable from the internet; 572 were assessed as vulnerable, about half of them in Europe. Because the abused devices are spread across many countries and operators, detection and takedown are slow. The case illustrates the risk of industrial IoT devices whose management interfaces are internet-exposed and weakly authenticated.
Potential Impact
For European organizations the main risk is credential theft and financial fraud among their customers and staff, together with the reputational damage that follows when a brand is impersonated. Because the lures arrive by SMS from ordinary mobile numbers, they bypass email and web gateway controls, and a landing page that only renders for mobile visitors can evade URL scanners that browse with a desktop user agent. The impersonated sectors, government services, banking, postal and telecom, are exactly those whose messages users expect to receive by SMS, which raises the success rate of the lure. A successful phish yields banking details that enable fraudulent transactions and further social engineering.

Owners of the abused routers are affected as well: the messages are billed to the router's SIM, the number may be blocked by the carrier, and an unauthenticated management API reachable from the internet is a device that can be abused in other ways if the exposure is not closed. The cross-border spread of the relay devices slows incident response and takedown, and the campaign's persistence since 2022 shows that the exposure has not been fixed at scale. Vulnerable devices are concentrated in Sweden, Italy and Belgium.
Mitigation Recommendations
Operators of Milesight industrial cellular routers should first establish whether any of their devices expose the web management interface, and with it the SMS API, to the internet, and whether the SMS inbox/outbox endpoints answer without authentication. Firmware should be updated to a version that patches CVE-2023-43261; because that flaw discloses device credentials, administrative passwords on any router that was reachable while unpatched should also be rotated. Devices that do not need SMS should have the feature disabled. Remote management should be reachable only through a VPN or an allow-listed management network, never directly from the internet, and the router's SMS outbox should be reviewed for messages the organization did not send.

For ongoing detection, monitor outbound SMS volume per router and per SIM (carrier billing records serve where the router keeps no log) and alert on bursts, on messages containing URLs, and on single messages to unfamiliar numbers shortly before a burst, which is the operators' validation step. Domains seen in such messages can be compared against the organization's own brand domains to spot typosquats. Awareness campaigns should tell employees and customers that an SMS sender number is not a trust signal and that links in unexpected messages should not be followed; telecom providers can be engaged to block known malicious URLs and typosquatted domains. Incident response plans should cover isolating an abused router, patching it, rotating its credentials and notifying the carrier about the SIM. Finally, vendors should be pressed for secure defaults: authentication required on every API endpoint, SMS off unless explicitly enabled, and remote management disabled by default.
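The following Python script is an added example, not code from SEKOIA, Milesight or the article. It implements the detection logic that the technical summary and the mitigation advice above call for: run over an export of a router's SMS outbox, it flags URLs on lookalikes of protected brand domains, bursts of URL-bearing outbound messages, and the lone test message sent to an operator-controlled number before a burst. The record layout, the protected-domain list, the thresholds and the sample outbox are all assumptions constructed for the example.

```python
"""Offline detection over a cellular router's SMS outbox export (constructed data)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed brand domains to protect (illustrative, not taken from the report).
PROTECTED_DOMAINS = ["csam.be", "ebox.be", "postnord.se", "poste.it"]
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


@dataclass
class OutboxRecord:  # field layout is an assumption about the router's export
    ts: datetime
    to: str
    text: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch near-miss spellings such as postnorrd.se."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_domains(text: str) -> list[str]:
    """Lower-cased hostnames of every http(s) URL in an SMS body."""
    hosts = (urlsplit(u.rstrip(".,;)")).hostname for u in URL_RE.findall(text))
    return [h.lower() for h in hosts if h]


def lookalike_of(domain: str, protected: list[str] = PROTECTED_DOMAINS,
                 max_dist: int = 2) -> str | None:
    """Protected domain that `domain` imitates, or None for genuine hosts."""
    if any(domain == g or domain.endswith("." + g) for g in protected):
        return None
    tokens = set(re.split(r"[.-]", domain))  # csam-be.com -> {csam, be, com}
    for good in protected:
        brand = good.split(".")[0]
        if brand in tokens or levenshtein(domain, good) <= max_dist:
            return good
    return None


def find_bursts(records: list[OutboxRecord], window: timedelta = timedelta(minutes=10),
                threshold: int = 10) -> list[tuple[datetime, datetime, int]]:
    """Runs of >= threshold URL-bearing SMS inside `window`; overlapping runs are merged."""
    times = sorted(r.ts for r in records if URL_RE.search(r.text))
    spans, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window:  # slide the window's left edge forward
            start += 1
        if end - start + 1 < threshold:
            continue
        if spans and start <= spans[-1][1]:  # overlaps the previous burst: extend it
            spans[-1][1] = end
        else:
            spans.append([start, end])
    return [(times[a], times[b], b - a + 1) for a, b in spans]


def probe_recipients(records: list[OutboxRecord], bursts, lead: timedelta = timedelta(minutes=5)):
    """Recipients of URL-bearing SMS sent >= `lead` before the first burst: likely test numbers."""
    if not bursts:
        return []
    cutoff = bursts[0][0] - lead
    return sorted({(r.to, r.ts) for r in records if r.ts <= cutoff and URL_RE.search(r.text)})


def analyze(records: list[OutboxRecord]) -> dict:
    """Run all three checks and return the findings."""
    found = {h: lookalike_of(h) for r in records for h in extract_domains(r.text)}
    bursts = find_bursts(records)
    return {"lookalikes": {h: g for h, g in found.items() if g}, "bursts": bursts,
            "probe_recipients": probe_recipients(records, bursts)}


def sample_records() -> list[OutboxRecord]:
    """Constructed outbox: one test message, a 25-message burst, and benign noise."""
    t0 = datetime(2025, 10, 1, 8, 0, 0)
    recs = [OutboxRecord(t0, "+46700000001", "test https://csam-be.com/login")]
    for i in range(25):
        recs.append(OutboxRecord(t0 + timedelta(minutes=30, seconds=5 * i), f"+467000001{i:02d}",
                                 "Your parcel is waiting: https://ebox-verify.net/update"))
    recs.append(OutboxRecord(t0 + timedelta(minutes=45), "+46700000200",
                             "Din leverans: https://postnorrd.se/track"))
    recs.append(OutboxRecord(t0 + timedelta(hours=1), "+46700000300", "Gateway rebooted."))
    recs.append(OutboxRecord(t0 + timedelta(hours=2), "+46700000301",
                             "Status: https://status.postnord.se/"))
    return recs
```

Calling `analyze(sample_records())` reports three lookalike domains, one burst of 25 messages two minutes long, and the single recipient that was messaged half an hour earlier. On real data the export has to be mapped onto `OutboxRecord` first, and the same three checks work on carrier billing records when the router keeps no outbox. The lookalike heuristic is deliberately simple: a brand label in the hostname or an edit distance of at most 2 against the protected domain. Short brand labels and the distance cutoff produce false positives (post.it against poste.it, for instance), so tune both per brand before feeding alerts into a SIEM.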
Affected Countries
Sweden, Italy, Belgium, France, Germany, Netherlands
Technical Details
- Article source: https://thehackernews.com/2025/10/hackers-exploit-milesight-routers-to.html (fetched 2025-10-07, 1076 words)
Added to database: 10/7/2025, 1:05:11 AM
Last updated: 1/7/2026, 9:53:56 AM