Hello and welcome to the Friday, April 25th, 2025 edition of the Sands Internet Storm Center's

Stormcast. My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Well, in Diaries today, some of our honeypots got scanned for what looks like attempts to use them as SMS gateways.

The URLs suggest that the attacker here is looking for SMS gateways made by Teltonica.

Teltonica makes a wide range of SMS gateways from IoT-centered devices to Enterprise enterprise gateways but the fundamental idea of all of

these devices is that you're connecting to them via an IP connection and then use them to send

SMS messages this of course happens via a relatively straightforward API and and well, as so often, there are some default

users and default passwords that are being used.

That's exactly what the attacker was looking for here.

Typically, according to the documentation I found, there is a user one that's always defined. Now, its password is usually

a user underscore pass, but looks like an addition to that one password. They're also looking

for a couple others, not sure if they're just common passwords being used or depending on the exact

device. They're looking for whether or not

there's a range of different default passwords being used. There's one that's a little bit

interesting, if anybody has any idea, this P8XR password, that's sort of just a random string.

Google search didn't return anything for this random string.

Now, in order to confirm whether or not the particular gateway they're connecting to is able to send SMS messages,

they're then sending a quick test to one of the attacker's phone numbers.

And there are two phone numbers that we have seen so far, one in Saudi Arabia and

one in Belgium.

Of course, they themselves could then be again some kind of SMS to email gateway or something

like this that would then be used to receive those messages.

...