
The National Cyber Security Centre Finland’s weekly review – 14/2024

Information security now!

This week, we talk about a critical vulnerability affecting Linux operating systems and our recently published information package on deepfakes, among other topics.

TLP:CLEAR

Topics covered in this week’s review

  • Critical vulnerability detected in Linux software
  • What are deepfakes? How can you recognise them? New information package on deepfakes published on our website
  • The AiTM technique makes it possible to hijack user accounts despite multi-factor authentication 
  • Recently reported scams
  • Vulnerabilities

Critical vulnerability detected in Linux software

The Linux kernel is used almost everywhere, from phones, electric cars and gaming consoles to supercomputers and systems critical to security of supply. Most social media services, websites and cloud services also run on Linux-based servers.

On Friday 29 March 2024, a supply chain vulnerability was reported in XZ Utils, a data compressor widely used in Linux systems. Versions 5.6.0 and 5.6.1 of the software, published in February, were found to contain planted malicious code that acts as a backdoor. A backdoor is a hidden feature in software that allows a malicious actor to access the system undetected and then monitor or manipulate it. Had it been allowed to spread, the backdoor in XZ Utils would have enabled large-scale cyber attacks on almost any Linux system, giving attackers practically free rein to use affected systems for their own ends.

The Linux operating system is open source software, which means that anyone can participate in the project. This collaborative approach has made the development, maintenance and bug-fixing of Linux efficient and creative. Linux development is based on trust, which must be earned, and various protection mechanisms are also in place to ensure, for example, that malicious code is not incorporated into the system.

The case of XZ Utils demonstrates that circumventing these protection mechanisms is a time-consuming, systematic and, in this particular case, very complex process. On the other hand, due to the open development approach, an individual, perceptive developer managed to detect the vulnerability based on a relatively small anomaly before it had a chance to spread widely through updates.

Once the vulnerability was discovered, users were urged to delete the compromised update as a first step. Potential cases of exploitation are currently being searched for, updates addressing the vulnerability are being released and the case is being comprehensively investigated. So far, no serious cases of the vulnerability being exploited have come to light. 

What are deepfakes? How can you recognise them? New information package on deepfakes published on our website

You have probably encountered the word “deepfake” a lot lately. But what exactly are deepfakes, and how do the technologies and techniques behind them work? For answers, look no further than the information package on deepfakes and how to recognise them that was recently published on the NCSC-FI’s website. Also included is a video that concretely illustrates what current deepfake technologies are capable of. The video also features an AI avatar copy of our Director-General Jarkko Saarimäki. The information package and video are definitely worth checking out.

The AiTM technique makes it possible to hijack user accounts despite multi-factor authentication 

During the spring, the NCSC-FI has received several reports of email accounts being hijacked despite having multi-factor authentication enabled. Adversary-in-the-middle (AiTM) is a technique that can be used to bypass multi-factor authentication. AiTM has already become common in Microsoft 365 phishing.

We have published new instructions in which we detail how the AiTM technique is used in M365 account hijacking and how to protect against it.

Read more (in Finnish): https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/ohjeet-ja-oppaat/m365-tietomurroissa-hyodynnetaan-yha-useammin-aitm

To whom does the NIS2 Directive apply and what kinds of requirements does it impose? Information about the new EU directive is available on the NCSC-FI’s website

The NIS2 Directive is coming; are you ready? We have compiled a wide range of information about the new directive, its national implementation, the parties affected by it and the requirements imposed by it, among other topics, on a section of our website dedicated to the NIS2 Directive. The pages will be updated as the national implementation of the directive progresses.

What is NIS2? The EU Network and Information Security Directive (NIS Directive) lays down regulations on information security obligations and incident reporting for many different sectors. The new Revised Directive on Security of Network and Information Systems (NIS2 Directive) replaces the previous Network and Information Security Directive. The aim of the NIS2 Directive is to boost both the overall level of cyber security in the EU and the level of the national cyber security of Member States for certain critical sectors.

The Directive imposes on the critical sectors of society risk management obligations intended to boost cyber security and an obligation to report significant incidents. The Directive also lists minimum measures that all operators must implement to manage the cyber security risks posed to their operations.

More information on the NIS2 Directive is available here (in Finnish): https://www.kyberturvallisuuskeskus.fi/fi/toimintamme/saantely-ja-valvonta/nis2-euroopan-unionin-kyberturvallisuusdirektiivi

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

FOLLOW THESE INSTRUCTIONS IF YOU HAVE BEEN SCAMMED:

Learn how to detect and protect yourself against online scams

Vulnerabilities

CVE: CVE-2024-3094
CVSS: 10
What: Versions 5.6.0 and 5.6.1 of the XZ Utils data compressor, which is included in Linux distributions, contain malicious code that provides unauthorised access, creating a backdoor to the affected system. The affected versions are shipped in several Linux distributions.
Product: Linux distributions that use versions 5.6.0 and 5.6.1 of the XZ Utils data compressor
Fix: The vendor recommends downgrading to an earlier version (5.4.6) of the XZ Utils data compressor or removing it entirely, as a software update addressing the vulnerability has not yet been released.
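As an added example, not code from the NCSC-FI review or from the XZ Utils project, the following POSIX shell script turns the version information given above (both in the news item and in this vulnerability entry) into a check an administrator can run: it parses the first line of `xz --version` and reports whether the installed build is one of the two releases named in CVE-2024-3094, 5.6.0 or 5.6.1. The assumption that the first output line has the form "xz (XZ Utils) X.Y.Z" is this example's own, the function names are invented for it, and the sample output strings it is exercised with are constructed. A match on version number is a first triage step only; a distribution that has backported a fix or rebuilt the package may need to be checked against its own advisory.

```shell
#!/bin/sh
# Added example, not code from the NCSC-FI review or the XZ Utils project.
# Flags an installed XZ Utils build whose version is one of the releases
# the advisory names as carrying the CVE-2024-3094 backdoor.

# Releases the advisory lists as containing the malicious code.
AFFECTED_XZ_VERSIONS="5.6.0 5.6.1"

# Pull the version number out of `xz --version` output. Assumes (this
# example's assumption) that the first line has the form
# "xz (XZ Utils) 5.6.1"; prints nothing if it does not.
parse_xz_version() {
    printf '%s\n' "$1" | sed -n '1s/^xz (XZ Utils) \([0-9][0-9.]*\).*$/\1/p'
}

# Exit status 0 (true) when the given version string is an affected release.
xz_version_affected() {
    for v in $AFFECTED_XZ_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Classify captured `xz --version` output. Prints a one-line verdict and
# returns 0 = affected, 1 = not affected, 2 = version could not be parsed.
check_xz_output() {
    ver=$(parse_xz_version "$1")
    if [ -z "$ver" ]; then
        echo "unknown: could not parse xz version"
        return 2
    fi
    if xz_version_affected "$ver"; then
        echo "affected: xz $ver is listed in CVE-2024-3094"
        return 0
    fi
    echo "not-affected: xz $ver"
    return 1
}

# Live check against the local system when xz is on PATH. The trailing
# "|| true" keeps a "not affected" verdict from aborting a caller using set -e.
if command -v xz >/dev/null 2>&1; then
    check_xz_output "$(xz --version 2>/dev/null)" || true
fi
```

The check deliberately matches exact version strings rather than a range, because the advisory names exactly two affected releases and the recommended remediation is a downgrade to 5.4.6, which a range comparison such as "5.6 or newer" would misclassify once a fixed release appears.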

We have published a vulnerability bulletin (10/2024) about the vulnerability (in Finnish).

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 22–28 March 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.