
The National Cyber Security Centre Finland’s weekly review – 02/2024

Information security now!

This week, we provide information on software vulnerabilities in Ivanti products, which affect hundreds of Finnish servers. Also prominent in the reports submitted to the NCSC-FI this week have been Akira ransomware attacks and MyTax scams.

TLP:CLEAR

Topics covered in this week’s review

  • Two highly critical vulnerabilities in Ivanti products 
  • Finnish organisations targeted by Akira ransomware attacks
  • Still time to register for the ‘Kyberala murroksessa’ seminar!
  • MyTax-themed phishing messages still prevalent
  • December Cyber Weather darkened by ransomware
  • Year in weekly reviews 2023 now available in video form as well

Two highly critical vulnerabilities in Ivanti products 

Ivanti products used by Finnish organisations include the VPN solution Connect Secure (formerly Pulse Secure). A VPN, or virtual private network, is a solution that enables secure remote working, for example. Based on the NCSC-FI’s analyses, hundreds of servers located in Finland are affected by the vulnerabilities. Because of this, Finnish organisations should respond to the newly disclosed vulnerabilities immediately. The vulnerabilities affect organisations and service providers that use or administer the affected products; no action is required on the part of individual users. The vulnerabilities are known to have been exploited since early December 2023. However, the NCSC-FI has not received any reports of attempts to exploit the vulnerabilities or data breaches resulting from them in Finland.

For many organisations, the VPN solution used is one of the organisation’s most critical services, and thus of great interest to criminals as well. In recognition of this, organisations should regularly check that their VPN products are functioning as intended and being kept updated. It is also important for organisations to be capable of monitoring their devices and responding to detected security incidents.

As regards vulnerable Ivanti products, it is imperative that organisations implement the available mitigation and install the patches fixing the vulnerabilities as soon as they become available. It should be noted, however, that mitigation measures, or even updating the products, are of no use in a situation where criminals have already gained access to an organisation’s systems by exploiting the vulnerabilities. Any organisations using the affected products should assume that the vulnerabilities may have already been exploited and thus scan their systems for possible signs of data breaches. The manufacturer is also offering a tool for detecting data breaches.

Information Security Now! article published on Akira ransomware

Last year, we received 12 reports of Akira ransomware attacks from Finnish organisations. The majority of these reports were submitted in late 2023. Last Wednesday, we published an Information Security Now! article on Akira ransomware.

What is this about?

Akira is a ransomware family that operates on a Ransomware-as-a-Service (RaaS) model, in which professional cyber criminals offer ready-made ransomware and infrastructure for others to use in exchange for payment. This type of operating model allows even technically less capable attackers to utilise ransomware.

In the cases reported to us, Akira was found to exploit Cisco network device vulnerability CVE-2023-20269, which was disclosed last autumn, and poorly protected Cisco VPN solutions in particular. In addition to encrypting their victims’ data, the attackers attempted to seek out and destroy their backup copies.

Akira attacks also often involve data leaks. The attackers typically use the “double extortion” technique, which means that they will first steal their victim’s data and then threaten to publish the data unless the victim pays a ransom. Paying the ransom is not recommended.

How to protect against Akira

Ransomware attacks cause significant inconvenience and costs for organisations. To prevent attacks from being carried out successfully, it is essential to carry out the following measures:

  • Keep your network devices updated.
  • Enable multi-factor authentication.

In addition to these measures, it is important to prepare for the possibility that an attack is successful. When it comes to backup copies, it is a good idea to follow the 3-2-1 rule: to have at least three backup copies in two different locations and keep one of these copies completely outside the network. In the case of an Akira attack, it is especially important to have a backup outside the network.

If you become the victim of a ransomware attack, you should report it

If you have become, or suspect that you have become, the victim of a ransomware attack, contact the NCSC-FI. In addition to this, you should also file a police report.

The reports submitted to us help us collect data on information security incidents, identify information security phenomena and provide information about them. By submitting a report, you can help improve cyber security and also strengthen the protection of other organisations. In addition to increasing general information security awareness, we provide assistance with the technical investigation of information security incidents.

Still time to register for the ‘Kyberala murroksessa’ seminar!

NIS2, CRA and RED are acronyms that pop up frequently in discussions about cyber security. But what are the regulations behind the acronyms actually about? What kinds of requirements and obligations will they impose on companies? How should you prepare for the new regulations?

These are just some of the questions that will be explored at the ‘Kyberala murroksessa’ seminar organised by the Finnish Transport and Communications Agency Traficom, the Finnish Information Security Cluster and Technology Industries of Finland. The free-of-charge seminar is aimed at specialists and at executives in charge of companies’ business operations and product development.

Online participation is open for everyone interested in the event. 

Date and time: Tue 23 January 2024 at 12:00–16:30

Online registration will end on Friday 19 January 2024. The seminar will be recorded, and the recording will be published after the event.

Check the event programme and register your participation (in Finnish).

See you online!

MyTax-themed phishing messages still prevalent

The MyTax-themed scam messages that were so prevalent at the end of 2023 have shown no signs of abating in early 2024. The NCSC-FI has received numerous reports of such scam messages during the past week as well. 

The themes of the scam messages vary

The currently circulating scam messages have been centred around a few different themes, with potential victims being approached about ‘problems’ related to tax returns or the payment of taxes, for example. The links included in the messages have led to a phishing site similar in appearance to the Finnish Tax Administration website, on which the victim has been asked to sign in using their online banking credentials.

Pensioners targeted

Recently, there have also been scam messages themed around problems with the payment of pensions going around, claiming that the recipient’s pension is at risk.

Criminals typically try to influence their potential victims by utilising topical, money-related themes and emphasising the urgency of the matter in their scam messages. The “from” field of the messages has been set to appear as if the messages are coming from OmaVero (MyTax), which may cause the potential victim to believe that the message is from the real Finnish Tax Administration.

Patience and paying attention to small details are key

If you receive suspicious email or text messages, you should always exercise caution. Paying attention to a few small details can help you avoid losing your online banking credentials to criminals.

Instructions regarding scam messages:

  • The Finnish Tax Administration and banks will never send you messages that include links to their websites. Instead, they will ask you to sign in to their online services on their official websites. As such, you should avoid opening links included in messages.
  • If you end up opening a link, always check the address of the website from your browser’s address bar. The addresses of phishing sites may appear somewhat similar to those of real websites, but there are small details that give them away.
  • If you receive a message that seems urgent, do not rush. Take your time to check whether there is anything suspicious about the message.
  • If you are unsure as to whether a message is real or a scam, you can always call the sender’s customer service department for verification.
  • If you have entered your online banking credentials on a phishing site, immediately contact your bank and submit a police report.
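
The address-bar check from the list above can also be automated, for example in a mail filter or a helpdesk triage script. The following is an added example, not part of the NCSC-FI review: it assumes `vero.fi` as the Tax Administration's official domain, and the function names and sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the registrable domain(s) treated as official; adjust as needed.
OFFICIAL_DOMAINS = {"vero.fi"}

# Constructed sample links, one per "small detail" the checker looks for.
SAMPLES = [
    "https://www.vero.fi/omavero",             # genuine host
    "https://vero.fi.tili-example.com/login",  # official name used as a prefix
    "https://vero.fi@login.example/",          # official name placed before '@'
    "https://veroo.fi/omavero",                # one-character lookalike
]

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(url):
    """Return (verdict, reason) for a link taken from a message."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if parts.scheme != "https" or not host:
        return "suspicious", "not an https link with a host name"
    if parts.username is not None:
        return "suspicious", "text before '@' is not the site address"
    if any(label.startswith("xn--") for label in labels):
        return "suspicious", "punycode label can imitate ordinary letters"
    for official in OFFICIAL_DOMAINS:
        if host == official or host.endswith("." + official):
            return "official", "host is " + official + " or a subdomain of it"
    for official in OFFICIAL_DOMAINS:
        if official in host or official.split(".")[0] in labels:
            return "suspicious", "official name appears, but not as the site's domain"
        if edit_distance(".".join(labels[-2:]), official) <= 2:
            return "suspicious", "domain differs from " + official + " by a character or two"
    return "unknown", "unrelated domain, not the official site"

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_link(link))
```

Only the first sample is classified as official; an "unknown" verdict still means the link does not lead to the official site.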

December Cyber Weather darkened by ransomware

As regards cyber security, 2023 ended in rain. There was even some lightning in the air, as the NCSC-FI received a total of six reports of Akira ransomware attacks. The number of data breaches with major consequences also increased in December. The last Cyber Weather report of the year also includes the quarterly statistics for the fourth quarter of 2023. Meanwhile, the long-term trends section of the report takes a look at regulation.

Year in weekly reviews 2023

What did 2023 look like from the perspective of our weekly reviews? We have compiled a video looking back at the past year and the various information security phenomena covered in our weekly reviews in 2023. You can watch the video here (in Finnish):

Vulnerabilities

CVE: CVE-2024-21887 

CVSS: 9.1

What: Two critical vulnerabilities disclosed by Ivanti

Product: Ivanti Connect Secure (formerly known as Pulse Secure) and Ivanti Policy Secure products

Fix: Ivanti has published mitigation measures on its website while the patch to fix the vulnerability is in development.

Further information: Vulnerability bulletin 2/2024 (in Finnish) Exploited critical vulnerabilities in Ivanti products

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 5–11 January 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.