Skip to content
Front Page: NCSC-FI
Front Page: NCSC-FI
Go to SearchSearch
English
Menu

The National Cyber Security Centre Finland’s weekly review – 11/2023

Information security now!

Published

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 10–16 March 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.

TLP:CLEAR

Topics covered in this week’s review

  • Recovery from a cyber attack – case Keuda
  • Traficom Live featured discussion about cyber and information influence activities – watch the recording!
  • New requirements for the information security of smart devices to be discussed in Tampere – sign up!
  • Nearly two million euros already distributed as support for the development of information security
  • Update your Outlook immediately! – Critical vulnerability makes you susceptible to attacks

Recovery from a cyber attack – case Keuda

In November 2022, vocational education and training provider Keuda suffered a severe cyber attack that paralysed their IT environment for several weeks. The recently published final report of the incident includes accounts from people involved in the defence operation detailing how Keuda recovered from the attack.

Ransomware attacks are a dreadfully effective way of paralysing an organisation’s information systems for an extended period. A ransomware attack typically involves encrypting the victim’s data with a key known only to the attacker and then asking for ransom to decrypt the data. The authorities do not recommend paying the ransom, as there are no guarantees that the attacker will actually hand over the key, in addition to which funding criminal activities is prohibited.

The correct response is to put a stop to the criminal operation, prevent the attack from spreading within the network and start recovery measures in the breached information system. Luckily this is precisely what Keuda’s experts and the information security firm and IT company hired to assist them did. The victim should also file a police report and report the incident to the NCSC-FI.

The Lockbit ransomware attack on Keuda was successfully halted, but the re-installation of affected systems and related data recovery are still in progress. The Lockbit ransomware managed to compromise 60% of Keuda’s IT operating environment before being stopped.

The attack served as an effective reminder of the fact that the securing of an organisation’s key functions should be practiced in advance so that the deployment of backup systems and emergency response do not end up being practiced in a real situation. Thanks to an effective emergency response and recovery effort, Keuda’s operations were able to continue without any students having their graduation delayed as a result of the cyber attack.

We recommend everyone to read the report!

Cyber attack at Keuda – final report (in Finnish) (External link)

Traficom Live featured discussion about cyber and information influence activities – watch the recording!

Traficom organises monthly live streams that feature discussion about the agency’s topical matters.

The topic of Traficom Live this March was cyber and information influence activities. At the studio discussing the topic were Information Security Advisor Juha Tretjakov from the NCSC-FI and Senior Specialist Mari Aro from the Secretariat of the Security Committee.

What are cyber and information influence activities? How do you recognise information influence activities? How has Finland prepared for influencing attempts? These are just some of the questions that the recording of the event provides answers to.

Watch the recording (in Finnish) (External link)
Read more: Tips for identifying information influence activities – Be vigilant and act responsibly
Inkeri Parkkari haastattelee Juha Tretjakovia ja Mari Aroa
This month’s Traficom Live saw Inkeri Parkkari interview Juha Tretjakov and Mari Aro

New requirements for the information security of smart devices to be discussed in Tampere – sign up!

How can excellent information security be turned into a selling point? Why is ensuring information security part of corporate responsibility? These are just some of the themes that will be discussed at Finlayson in Tampere on 18 April 2023 from 14:00 to 16:00.

The event will feature discussion on security by design and corporate social responsibility by experts from Cinia Oy and the Tampere Region Safety and Security Cluster. In addition to this, Traficom experts will be talking about the regulation concerning the information security of smart devices that will enter into effect on 1 August 2024.

The event is intended for management in charge of corporate business operations and marketing.

Read more about the programme and sign up! (in Finnish) (External link)
Read more: Regulation makes smart devices more secure

Nearly two million euros already distributed as support for the development of information security

Applications for support for the development of information security have been received from a total of 666 companies so far, with 100 applications having been completely processed. The support recipients include companies of all sizes from various sectors.

So far, support for the development of information security has been granted to 88 companies, with the total amount of support granted being EUR 1,975,377. Of this amount, EUR 1,175,977 have consisted of support of up to EUR 15,000 and EUR 799,400 have consisted of support of up to EUR 100,000.

Support for the development of information security will continue to be granted until the EUR 6 million appropriation reserved for it has been spent. At present, Traficom is processing applications received in early December 2022.

Read more: Apply for support for the development of information security
Wide range of companies critical to society apply for support for the development of information security in different sectors

Update your Outlook immediately! – Critical vulnerability makes you susceptible to attacks

Microsoft releases update packages to its products on the second Tuesday of each month. To make sure that you are protected against threats caused by software vulnerabilities, you should install updates whenever Windows prompts you to do so.

This month’s update package includes a fix to a critical vulnerability in the Outlook email client, which allows criminals to hijack a victim’s device by simply sending them an email. The malicious email does not even need to be opened in order for the attack to be successful. As such, you should install the latest Windows update that fixes this Outlook vulnerability without delay.

The vulnerability is being actively exploited. Microsoft has also released a tool that organisations can use to check whether they have been targeted by actors attempting to use the vulnerability.

Read the vulnerability bulletin on the NCSC-FI’s website (in Finnish).

CVE: CVE-2023-23397

CVSS: 9.8

What: Sending a specific, tailored email allows an attacker to gain control of a Windows device without any action on the part of the victim

Product: Microsoft Outlook and Office software

Fix: Update to a newer version

For more general information about vulnerabilities and the terminology used, please see our Information Security Now! article ‘NCSC-FI vulnerability coordination in a nutshell’.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.