A cybercrime group abuses routers to send SMS spam, CISA announces a new collaboration model for state governments, South Korea raises its cyber threat level after a data centre fire, and Tile tracking devices expose their location. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Airdrop. Today is the 1st of October, and this podcast episode is brought to you by Authentik.

In today's top story, hacked Milesight industrial routers are being abused to send SMS spam. The attacks are abusing a router feature intended to alert network admins via text message. Security firm Sekoia says hackers are exploiting a 2023 vulnerability to extract router logs and decrypt admin passwords. The campaign has been targeting Europe since February 2022. There are currently 19,000 Milesight routers connected to the Internet.

In other news, CISA will launch a new collaboration model for local governments to replace MS-ISAC. The new approach allows local governments access to grant funding, free tools and CISA cybersecurity experts in regional centres. CISA's funding for MS-ISAC expired in March.

Hackers accessed the U.S. Federal Emergency Management Agency's Citrix environment in a recent security breach, according to Nextgov. The attackers likely abused a vulnerability known as CitrixBleed 2. They stole employee data from both FEMA and Customs and Border Protection during the breach in June. In August, DHS head Kristi Noem fired 24 members of FEMA's IT department, including the CIO and CISO.

South Korea has raised its national cyber alert level following a state data centre fire. It's now at "caution", which is the second level in a four-tier system, and officials are concerned that threat actors could take advantage of the outage to launch cyber attacks. The fire started in the lithium battery of a backup power system. The government is in the process of moving to a new data centre.

The FTC has filed legal proceedings against the anonymous messaging app Sendit. The agency claims the app tricked users into paying to identify the sender of anonymous messages. In many cases, those messages were generated by the company itself. Sendit is also accused of failing to obtain parental consent before collecting data of children aged under 13.

A cyber attack has disrupted several services at Japan's largest brewery. Call centres, orders and shipment operations at the Asahi Group are down. The impacts are confined to the company's domestic operations. Its international business has not been affected. No ransomware group has taken credit for the attack yet.

A download link for the Mockito Java testing framework has been redirecting users to a malicious file. The link is in the project's wiki and was modified more than three years ago. The Mockito project is a popular Java unit testing framework with more than 15,000 stars on GitHub.

A recent ICANN investigation into domain registrar WebNIC was triggered by a complaint from security firm Infoblox. The firm accused WebNIC of refusing to take down malicious domains. Earlier this year, the domains were being used by the threat actor Detour Dog to redirect hijacked web traffic to malware and online scams, according to Infoblox. When security firms sinkholed the malicious domains, Detour Dog registered new ones with WebNIC. The company also refused to take those down.

An Android banking trojan has infected more than 3,000 devices since launching in late August. Most victims are located in Italy and Spain, according to security firm Cleafy. The Klopatra trojan appears to be the work of a Turkish-speaking group.

A Chinese cyber espionage group has been targeting government organisations and telcos in Africa, the Middle East and Asia. The Phantom Taurus group has been targeting email servers for more than two years. The group's operations have often coincided with geopolitical events and military operations.

Broadcom has patched an actively exploited VMware zero-day. Low-privileged attackers in a virtual machine can leverage VMware Tools to elevate themselves to admin inside the VM. Security firm NVISO has linked the attacks to UNC5174. Google previously identified the group as a contractor for China's Ministry of State Security.

Academics say Tile location trackers expose user location data to people nearby. According to researchers from Georgia Tech, the devices transmit a consistent MAC address and unique ID. Unlike its competitors, the information is unencrypted and can be collected with simple radio equipment. Researchers reported the issues to Tile in November last year, but the company has since stopped responding. Tile's parent company, Life360, told The Register that improvements had been made, but did not provide further details.

Image sharing website Imgur has blocked access from the UK. The site was expected to be fined for failing to implement age checks for British users. The UK's privacy watchdog started investigating the company in March.

And finally, the Taliban has shut off access to the Internet in Afghanistan. The country's population of 43 million people has been isolated by the government's crackdown on what it calls immoral activities. A government official said an alternative system will be established for essential needs.

And that is all for this podcast edition. Today's show was brought to you by Authentik. Find them at goauthentik.io. Thanks for your company.
Podcast: Risky Bulletin by Risky.biz
Date: October 1, 2025
Host: Claire Airdrop (prepared by Catalin Cimpanu)
This episode covers a wide array of recent cybersecurity news and incidents. The central story is a wave of cybercrime activity abusing a popular router brand to send SMS spam. Additional topics include governmental cybersecurity updates, major breaches, regulations against privacy-violating apps, ransomware attacks, and more. The episode is tightly packed, focusing on the key events and their implications for global cybersecurity.
[00:18]
Main Story:
Quote:
"Hacked Milesight industrial routers are being abused to send SMS spam. The attacks are abusing a router feature intended to alert network admins via text message."
— Claire Airdrop [00:19]
[00:55]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is launching a new partnership model for local governments.
This replaces the Multi-State Information Sharing and Analysis Center (MS-ISAC), whose funding expired in March.
Key features:
Quote:
"The new approach allows local governments access to grant funding, free tools and CISA cybersecurity experts in regional centres."
— Claire Airdrop [01:02]
[01:13]
Hackers accessed data from the U.S. Federal Emergency Management Agency (FEMA) through an exploited Citrix vulnerability.
Employee data from both FEMA and Customs and Border Protection was stolen.
The incident led to the DHS head firing 24 FEMA IT staff, including the CIO and CISO, in August.
Quote:
“The attackers likely abused a vulnerability known as CitrixBleed 2. They stole employee data from both FEMA and Customs and Border Protection during the breach in June.”
— Claire Airdrop [01:17]
[01:34]
After a fire at a government data centre (triggered by a lithium battery), South Korea escalated its national cyber alert to the second-highest level (“caution”).
Concerns that adversarial actors might exploit the outage.
Authorities are transitioning operations to a new data centre.
Quote:
“Officials are concerned that threat actors could take advantage of the outage to launch cyber attacks.”
— Claire Airdrop [01:46]
[01:55]
The FTC is suing Sendit for deceptive monetization practices and child data privacy violations.
Sendit allegedly lured users to pay to identify anonymous message senders, with many messages generated by the company.
Accused of collecting data from children under 13 without parental consent.
Quote:
“Sendit is also accused of failing to obtain parental consent before collecting data of children aged under 13.”
— Claire Airdrop [02:09]
Research from Georgia Tech reveals Tile tracking devices transmit consistent, unencrypted MAC addresses and unique IDs.
Makes user location data easily collectible by anyone nearby, unlike competing trackers.
Tile’s parent, Life360, claims improvements but is vague on details.
Quote:
“Researchers reported the issues to Tile in November last year, but the company has since stopped responding... Tile's parent company, Life360, told the Register that improvements had been made, but did not provide further details.”
— Claire Airdrop [03:50]
On router abuse:
“Hacked Milesight industrial routers are being abused to send SMS spam.” — Claire Airdrop [00:19]
On CISA’s new model:
“The new approach allows local governments access to grant funding, free tools and CISA cybersecurity experts in regional centres.” — Claire Airdrop [01:02]
On Citrix leak:
“The attackers likely abused a vulnerability known as CitrixBleed 2. They stole employee data from both FEMA and Customs and Border Protection during the breach in June.” — Claire Airdrop [01:17]
On privacy failings by Tile:
“Researchers reported the issue to Tile in November last year, but the company has since stopped responding.” — Claire Airdrop [03:50]
This Risky Bulletin episode delivers brisk, concise coverage of major security events—the most pressing being the abuse of IoT routers for SMS spam campaigns. Other stories cover evolving government security strategies, notable breaches (public sector, private sector, and open source), legal actions regarding privacy and child protection, and new research on physical tracking device vulnerabilities. The tone remains factual and focused, emphasizing the severity and breadth of current cyber threats around the world.