Risky Bulletin: Router APIs Abused to Send SMS Spam
Podcast: Risky Bulletin by Risky.biz
Date: October 1, 2025
Host: Claire Airdrop (prepared by Catalin Cimpanu)
Episode Overview
This episode covers a wide array of recent cybersecurity news and incidents. The central story is a wave of cybercrime activity abusing a popular router brand to send SMS spam. Additional topics include governmental cybersecurity updates, major breaches, regulations against privacy-violating apps, ransomware attacks, and more. The episode is tightly packed, focusing on the key events and their implications for global cybersecurity.
Key Discussion Points & Insights
1. Router Abuse for SMS Spam
[00:18]
Main story:
- Hackers are abusing Milesight industrial routers to send SMS spam.
- The routers' SMS notification feature (intended for admin alerts) is being exploited for mass spam campaigns.
- Attackers are leveraging a 2023 vulnerability to extract logs and decrypt admin passwords.
- The campaign has specifically targeted Europe since February 2022.
- An estimated 19,000 Milesight routers remain exposed on the internet.
Quote:
"Hacked Milesight industrial routers are being abused to send SMS spam. The attacks are abusing a router feature intended to alert network admins via text message."
— Claire Airdrop [00:19]
2. CISA’s New Collaboration Model for Local Governments
[00:55]
- The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is launching a new partnership model for local governments.
- This replaces the Multi-State Information Sharing and Analysis Center (MS-ISAC), whose funding expired in March.
- Key features: local governments gain access to grant funding, free cybersecurity tools, and regional CISA experts.
Quote:
"The new approach allows local governments access to grant funding, free tools and CISA cybersecurity experts in regional centres."
— Claire Airdrop [01:02]
3. FEMA Breach via ‘Citrix Bleed 2’ Vulnerability
[01:13]
- Hackers accessed data from the U.S. Federal Emergency Management Agency (FEMA) through an exploited Citrix vulnerability.
- Employee data from both FEMA and Customs and Border Protection was stolen.
- The incident resulted in the DHS head firing 24 FEMA IT staff, including the CIO and CISO, in August.
Quote:
"The attackers likely abused a vulnerability known as Citrix Bleed 2. They stole employee data from both FEMA and Customs and Border Protection during the breach in June."
— Claire Airdrop [01:17]
4. South Korea Raises Cyber Threat Level after Data Centre Fire
[01:34]
- After a fire at a government data centre (triggered by a lithium battery), South Korea escalated its national cyber alert to the second-highest level ("caution").
- Officials are concerned that adversarial actors might exploit the outage.
- Authorities are transitioning operations to a new data centre.
Quote:
“Officials are concerned that threat actors could take advantage of the outage to launch cyber attacks.”
— Claire Airdrop [01:46]
5. FTC Sues Anonymous Messaging App Sendit
[01:55]
- The FTC is suing Sendit for deceptive monetization practices and child data privacy violations.
- Sendit allegedly lured users to pay to identify anonymous message senders, with many messages generated by the company itself.
- The company is also accused of collecting data from children under 13 without parental consent.
Quote:
“Sendit is also accused of failing to obtain parental consent before collecting data of children aged under 13.”
— Claire Airdrop [02:09]
6. Cyber Attack Hits Japan’s Largest Brewery (Asahi Group)
[02:17]
- Cyberattack disrupted call centres, order processing, and shipping for Asahi’s domestic business.
- International operations remain unaffected.
- No ransomware group has claimed responsibility as of the report.
7. Malware Infection on Mockito Java Testing Framework Link
[02:29]
- A download link for Mockito (a highly popular Java testing framework) was redirecting users to a malicious file.
- The poisoned link was buried in the official project wiki for three years before discovery.
8. Domain Registrar Webnik and D2A Dog Threat Actor
[02:45]
- Investigation into Webnik began after Infoblox complained about its refusal to remove known malicious domains.
- The D2A Dog actor used Webnik to re-register malicious domains after sinkholing.
- Webnik repeatedly declined to take action, allowing continued scam and malware campaigns.
9. Klopatra Android Banking Trojan
[03:03]
- A new banking trojan has compromised over 3,000 Android devices since late August, primarily in Italy and Spain.
- The Klopatra trojan appears to be the work of a Turkish-speaking group.
10. Phantom Taurus – Chinese Cyber Espionage
[03:13]
- State-backed Chinese group "Phantom Taurus" has targeted African, Middle Eastern, and Asian government and telco email servers for over two years.
- Attacks often align with geopolitical and military events.
11. VMware Zero-Day Exploited (Broadcom Patch)
[03:26]
- Broadcom patched a VMware zero-day being actively exploited to escalate VM privileges.
- Exploited by UNC5174, a group NVISO links to contractors working for China's Ministry of State Security.
12. Tile Trackers Expose User Locations
[03:40]
- Research from Georgia Tech reveals Tile tracking devices transmit consistent, unencrypted MAC addresses and unique IDs.
- This makes user location data easily collectible by anyone nearby, unlike competing trackers.
- Tile's parent, Life360, claims improvements have been made but is vague on details.
Quote:
“Researchers reported the issues to Tile in November last year, but the company has since stopped responding... Tile's parent company, Life360, told the Register that improvements had been made, but did not provide further details.”
— Claire Airdrop [03:50]
13. Imgur Blocks UK Users over Age-Check Law
[04:02]
- Image-sharing site Imgur restricted access from the UK to avoid fines for failing to check user ages, following a privacy investigation.
14. Taliban Shuts Down Internet Across Afghanistan
[04:10]
- Afghanistan's 43 million people were cut off as the Taliban took the nationwide internet offline, framed as a crackdown on "immoral activities".
- Plans for an “alternative system” for essential needs were mentioned by officials.
Selected Notable Quotes & Memorable Moments
- On router abuse: "Hacked Milesight industrial routers are being abused to send SMS spam." — Claire Airdrop [00:19]
- On CISA's new model: "The new approach allows local governments access to grant funding, free tools and CISA cybersecurity experts in regional centres." — Claire Airdrop [01:02]
- On the Citrix breach: "The attackers likely abused a vulnerability known as Citrix Bleed 2. They stole employee data from both FEMA and Customs and Border Protection during the breach in June." — Claire Airdrop [01:17]
- On privacy failings by Tile: "Researchers reported the issue to Tile in November last year, but the company has since stopped responding." — Claire Airdrop [03:50]
Timestamps for Major Segments
- 00:18 – Router API abuse: SMS spam via Milesight routers
- 00:55 – CISA collaboration model for local governments
- 01:13 – FEMA breach via Citrix Bleed 2
- 01:34 – South Korea data centre fire and cyber alert
- 01:55 – FTC action against Sendit app
- 02:17 – Cyber attack on Asahi Group, Japan
- 02:29 – Malicious Mockito testing framework link
- 02:45 – Webnik, D2A Dog, and malicious domain management
- 03:03 – Klopatra Android banking trojan
- 03:13 – Phantom Taurus espionage campaign
- 03:26 – VMware zero-day and Broadcom patch
- 03:40 – Tile tracker privacy exposure
- 04:02 – Imgur blocks UK access
- 04:10 – Taliban disconnects Afghanistan from the internet
Summary
This Risky Bulletin episode delivers brisk, concise coverage of major security events, the most pressing being the abuse of industrial routers' SMS features for spam campaigns. Other stories cover evolving government security strategies, notable breaches (public sector, private sector, and open source), legal actions regarding privacy and child protection, and new research on physical tracking device vulnerabilities. The tone remains factual and focused, emphasizing the severity and breadth of current cyber threats around the world.
