
Recent reports highlight a surge in scanning activity targeting SMS gateways and APIs, with attackers seeking to exploit these systems for unauthorized messaging and access to non-blocklisted phone numbers. This trend follows earlier observations of scans against Teltonika Networks SMS gateways, as noted in a SANS ISC Diary entry [1]. The attackers’ goal is clear: to abuse these systems for free SMS messaging, often leading to financial losses and reputational damage for affected organizations.
Threat Landscape: SMS Gateway and API Exploitation
Attackers are actively scanning for vulnerable SMS gateways and APIs, including those from Teltonika, WordPress plugins, and services like Twilio. Common targets include configuration files such as `/sms_config.json` and API endpoints like `/sms/api/` or `/api/v1/livechat/sms-incoming/` [1]. These scans often aim to locate exposed credentials or misconfigured systems that can be abused for mass messaging. Tools like `SMS_Bomber.exe`, available on GitHub, are frequently used in these campaigns [1].
Beyond SMS gateways, attackers are also exploiting known vulnerabilities in other systems, such as SonicWall SMA devices (CVE-2021-20016). Scans targeting paths like `/_api__/v1/config/domains` and `/_api__/v1/logon` have been observed, with IPs such as 45.227.255.93 and 141.98.80.125 linked to these activities [1]. This multi-pronged approach underscores the need for comprehensive monitoring and patching.
Mitigation Strategies for Organizations
To defend against these threats, organizations should implement several key measures. First, restrict access to sensitive configuration files (e.g., `.env` or `sms_config.json`) and ensure they are not exposed in web directories. Second, monitor for unusual scanning activity targeting SMS-related endpoints. Third, apply patches for known vulnerabilities, such as CVE-2021-20016 in SonicWall SMA devices [1].
For SMS gateway providers, enforcing strict API authentication and rate-limiting can prevent abuse. Services like CM.com and Revesoft recommend direct carrier connections and compliance tools (e.g., DND filters) to mitigate risks [1, 4, 5]. Additionally, organizations should audit third-party plugins (e.g., WordPress SMS integrations) for vulnerabilities and misconfigurations.
Relevance to Security Teams
This activity is particularly relevant for security teams monitoring network traffic for scanning patterns. Indicators such as requests to `/wp-content/plugins/sms-alert/css/admin.css` or `/twilio/.config/bin/aws/lib/.env` may signal reconnaissance for SMS gateway exploitation [1]. Blue teams should prioritize logging and alerting for these paths, while red teams can use this intelligence to simulate attacker behavior.
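One way to act on the logging and alerting advice above, as an added example (not code from the SANS diary or any vendor): a Python scan of combined-format access logs for the paths this article names, separating mere probes from requests the server answered with a 2xx status. The log lines and source addresses are constructed, and the function and constant names are hypothetical.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Paths named in the article: prefixes match the start of a request path,
# suffixes catch the config files wherever they sit under the web root.
WATCHED_PREFIXES = (
    "/sms/api/", "/api/v1/livechat/sms-incoming/",
    "/_api__/v1/config/domains", "/_api__/v1/logon",
    "/wp-content/plugins/sms-alert/css/admin.css",
)
WATCHED_SUFFIXES = ("/.env", "/sms_config.json")

# Apache/nginx "combined" format: client IP, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3}) ')

def normalise(target):
    """Drop the query string, decode %xx, lowercase, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/{2,}", "/", path)

def scan(lines):
    """Map source IP -> watched paths probed, and the subset answered with 2xx."""
    report = defaultdict(lambda: {"probes": set(), "served": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = normalise(m["target"])
        if path.startswith(WATCHED_PREFIXES) or path.endswith(WATCHED_SUFFIXES):
            report[m["ip"]]["probes"].add(path)
            if m["status"].startswith("2"):  # the server returned content
                report[m["ip"]]["served"].add(path)
    return dict(report)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.10 - - [29/Apr/2025:10:00:01 +0000] "GET /sms_config.json HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.10 - - [29/Apr/2025:10:00:02 +0000] "GET /twilio/.config/bin/aws/lib/.env HTTP/1.1" 404 153 "-" "curl/8.0"',
    '203.0.113.10 - - [29/Apr/2025:10:00:03 +0000] "POST /sms/api/?user=a HTTP/1.1" 401 20 "-" "curl/8.0"',
    '198.51.100.7 - - [29/Apr/2025:10:05:00 +0000] "GET //backup/%2Eenv HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [29/Apr/2025:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOG).items():
        level = "EXPOSED" if hits["served"] else "probe"
        print(level, ip, sorted(hits["probes"]))
```

A 2xx response on any watched path means the file or endpoint is actually reachable, which calls for the access restrictions described under the mitigation strategies and not only an alert.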
For threat intelligence researchers, tracking IPs like 141.98.80.146 and 45.227.255.89 can help identify broader campaigns [1]. System administrators should also review Apple AirPlay configurations, as unrelated but critical vulnerabilities (e.g., zero-click RCE via port 7000) were recently patched [3].
Conclusion
The increase in SMS gateway and API scanning reflects attackers’ continued focus on low-cost, high-impact exploitation. Organizations must balance usability with security, particularly when deploying messaging systems. Proactive monitoring, patch management, and access controls are essential to mitigate these risks. As attackers refine their tactics, collaboration between vendors, researchers, and defenders will be critical to staying ahead of these threats.
References
[1] “More Scans for SMS Gateways and APIs,” SANS ISC Diary, Apr. 29, 2025. [Online]. Available: https://isc.sans.edu/diary/31902.
[2] “CVE-2021-20016: Zero-Day Vulnerability in SonicWall Secure Mobile Access (SMA) Exploited,” Tenable Blog. [Online]. Available: https://es-la.tenable.com/blog/cve-2021-20016-zero-day-vulnerability-in-sonicwall-secure-mobile-access-sma-exploited.
[3] “Apple AirPlay Vulnerabilities,” SANS Stormcast, Apr. 30, 2025. [Online]. Available: https://isc.sans.edu/podcastdetail/9430.
[4] “Bulk SMS Gateway Features,” Revesoft Blog, 2025. [Online]. Available: https://www.revesoft.com/blog/sms-platform/bulk-sms-gateway-features/.
[5] “CM.com SMS Gateway API,” CM.com. [Online]. Available: https://www.cm.com/sms/sms-gateway-api/.