The Good, the Bad and the Ugly in Cybersecurity – Week 32

The Good

This week, a U.S. individual was found guilty of committing 14 federal crimes related to phishing, credential theft, unauthorized access to his employer’s computer network and fraudulent activity which netted him over $25 million.

Argishti Khudaverdyan, 44, of Burbank, is a former T-Mobile employee who, over a period of five years, fraudulently unlocked phones locked to multiple carriers, including T-Mobile, Sprint, AT&T and others, allowing the phones to be sold on the black market.

Khudaverdyan obtained T-Mobile employees’ credentials through phishing emails and by socially engineering the T-Mobile IT Help Desk. He also obtained T-Mobile employee credentials from accomplices in overseas call centers. Khudaverdyan targeted high-level employees, using their personal identifying information in calls to the T-Mobile IT Help Desk to request password resets. He used over 50 different employees’ accounts to gain unauthorized access to T-Mobile systems and unlock hundreds of thousands of cell phones.

Khudaverdyan and accomplices advertised their fraudulent unlocking services through brokers, email solicitations, and websites such as unlocks247[.]com, falsely claiming the unlocks were “official” T-Mobile unlocks. Khudaverdyan will face statutory maximum sentences of 20 years in federal prison when he is sentenced in October.

The Bad

A semiconductor manufacturer whose power engineering components are used in many wind power turbines was hit by LV ransomware this week. In a statement, Semikron said it had been “the victim of a cyber attack by a professional hacker group. As part of this attack, the perpetrators have claimed to have exfiltrated data from our system.”

Semikron says it is working on restoring the encrypted parts of its network. However, other sources have suggested the ransomware operators are also extorting the company by threatening to leak the allegedly stolen data. This double-extortion tactic is far more common, and far more successful, these days than simply encrypting data and demanding payment for a decryptor.

Such tactics increase the effort for criminals but offer richer rewards. Effectively targeting enterprise data of real value typically involves some form of human-operated ransomware. A common modus operandi begins with initial access, such as credential theft through phishing or social engineering, or exploitation of a common vulnerability. Actors then use implants such as Cobalt Strike to maintain a backdoor into the target environment and to identify and exfiltrate valuable data.

There are suggestions that LV ransomware shares the same source code as the notorious REvil ransomware but is being operated by a different group. For now, Semikron has not made a public statement regarding any ransom demands or whether it is in negotiation with the attackers. The company says it is working with relevant authorities and will update customers and partners if any evidence of data theft is found.

The Ugly

Multiple vulnerabilities in some of Cisco’s most popular business routers have been found that could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.

A total of eight vulnerabilities have been identified; three in particular, CVE-2022-20827, CVE-2022-20841 and CVE-2022-20842, could be weaponized to execute code on the device with elevated privileges. Cisco says the vulnerabilities may be dependent on one another, with exploitation of one of the vulnerabilities required to exploit another.

CVE-2022-20827 could allow an attacker to submit crafted input to the router’s web filter database update feature. A successful exploit could allow the attacker to execute commands on the underlying operating system with root privileges. CVE-2022-20841 is a vulnerability in the Open Plug and Play (PnP) module of four different router models. An attacker could exploit the bug by sending malicious input to an affected device and gain the ability to execute arbitrary commands on the underlying Linux operating system. CVE-2022-20842 affects the web-based management interface of certain router models and could allow an unauthenticated, remote attacker to execute arbitrary code or cause a denial of service (DoS) condition.

Cisco says it has no evidence of these bugs being exploited in the wild at present, and that there are no workarounds other than applying the available patches. Inevitably, threat actors will actively seek out businesses that fail to patch, and all Cisco customers are urged to check the list of affected models and patch without delay.