
The National Cyber Security Centre Finland’s weekly review – 16/2024

Information security now!

This week, we talk about the critical vulnerability discovered in Palo Alto network devices and the yellow alert issued about it. Other topics this week include phishing messages sent out in the Positive credit register’s name and invoice fraud attempts targeting various organisations.

TLP:CLEAR

Critical Palo Alto vulnerability has resulted in data breaches in Finland as well

On 18 April, we published an alert about a vulnerability in Palo Alto’s GlobalProtect devices that requires affected devices to be immediately updated and examined. The Palo Alto GlobalProtect Gateway and the GlobalProtect Portal used to administer it are products that organisations use for secure VPN remote working solutions, for example. The vulnerability is being actively exploited, and affected devices should be treated as being potentially compromised.

On Friday 12 April, we published a vulnerability bulletin on Palo Alto’s critical vulnerability CVE-2024-3400. At first, Palo Alto announced that the vulnerability could be mitigated with a small configuration change. However, this no longer holds true, and the vulnerability has been exploited in several data breaches in Finland as well. Because of this, organisations should update their vulnerable Palo Alto devices to the latest versions and investigate affected devices for potential data breaches. Compromised devices can be identified based on their logs or new files added to the devices, for example.

If your organisation has detected signs of the vulnerability being exploited, please submit a report to us. You can submit a report using the form available on our website or by sending an email to cert@traficom.fi.

Information security company Rapid7 has published extensive instructions on how to examine affected devices.

Scam messages in the name of the Positive credit register

The NCSC-FI has received several reports of scam messages sent out in the name of the Positive credit register opened at the beginning of April. The messages have consisted of a reminder telling the recipient that they have one day to confirm their positive credit records. The link included in the messages leads to a fake website phishing for bank credentials. Any bank credentials entered on the phishing website end up in the hands of criminals.

A short response time and appealing to urgency are typical elements of a scam, which is why you should exercise particular caution with any messages that include these elements. For more information on recently reported scams, please see the end of this weekly review.

Private individuals can check information stored in the Positive credit register through the register's own e-service, which you should only ever sign in to directly on the register’s website. To avoid scam websites, you should enter the website address in your browser’s address bar directly instead of accessing the website via a search engine.

There are also other types of scams circulating in the name of the Positive credit register, which you can find more information about on the register’s website.

Finnish organisations targeted by invoice fraud

The NCSC-FI has received several reports of invoice fraud attempts targeting Finnish organisations. In these attempts, criminals have posed either as management personnel demanding that the recipient make a payment on various grounds, or as employees wanting to change their bank account information.

Invoice and CEO fraud are types of fraud that involve criminals attempting to convince an organisation’s HR department or party responsible for financial matters to make changes to invoice or wage payment information in order to get payments routed to an account managed by the criminals. In some cases, the criminals may also ask the victim to make a completely made-up payment.

Criminals attempting invoice and CEO fraud have often done extensive research to determine the names of the persons within the targeted organisation who they impersonate. Information available from public sources makes it possible for the criminals to determine the structure of the targeted organisation and direct messages to the HR department or party responsible for financial matters.

How to identify an invoice fraud attempt

  • The sender field may display the name of a real person working for the organisation, but the email address does not follow the organisation’s email address format.
  • The message contains typos.
  • The message attempts to create a sense of urgency for the recipient.
  • The sender wants to change their bank account number to that of a foreign account. In some cases, criminals have also used Finnish bank accounts.

If a message related to payment matters includes any of the aforementioned elements, you should verify the authenticity of the message before making any payments. This can be done by contacting the sender by some other means besides replying to the message, such as by calling them.
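The indicators listed above can be turned into a simple triage check for a payroll or finance mailbox. The following is an added example, not NCSC-FI code; the organisation domain, staff names, keyword patterns and sample messages are constructed assumptions, and the typo indicator is not covered.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): own domain, staff list, patterns.
ORG_DOMAIN = "example.fi"
STAFF_NAMES = {"matti virtanen", "liisa korhonen"}
URGENCY = re.compile(r"\b(urgent|immediately|today|asap)\b", re.I)
ACCOUNT_CHANGE = re.compile(r"\b(?:new|change|update)\w*\b.{0,40}?\baccount\b", re.I | re.S)
# Captures the two-letter country code of anything shaped like an IBAN.
IBAN = re.compile(r"\b([A-Z]{2})\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")

def invoice_fraud_indicators(raw_message: str, home_country: str = "FI") -> list[str]:
    """Return the indicators from the list above that a plain-text message shows."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = []
    # Real staff name in the sender field, but the address is not the organisation's.
    if display.strip().lower() in STAFF_NAMES and domain != ORG_DOMAIN:
        hits.append("staff-name-external-address")
    if URGENCY.search(text):
        hits.append("urgency")
    # A bank account change request is flagged on its own: a domestic
    # account number does not make the request trustworthy.
    if ACCOUNT_CHANGE.search(text):
        hits.append("account-change-request")
    if any(cc != home_country for cc in IBAN.findall(text)):
        hits.append("foreign-iban")
    return hits

# Constructed sample messages (the IBAN is a documentation example value).
SPOOFED = """\
From: Matti Virtanen <matti.virtanen.ceo@mail-example.net>
To: payroll@example.fi
Subject: Urgent: salary account

Hi, please change my salary account today. New IBAN: DE89 3704 0044 0532 0130 00
"""
LEGIT = """\
From: Liisa Korhonen <liisa.korhonen@example.fi>
Subject: Lunch menu

The canteen menu for next week is attached.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, invoice_fraud_indicators(raw))
```

Any hit is a reason to verify the request through another channel before paying, not proof of fraud.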

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

FOLLOW THESE INSTRUCTIONS IF YOU HAVE BEEN SCAMMED

Learn how to detect and protect yourself against online scams

Vulnerabilities

CVE: CVE-2024-30407
CVSS: 8.1
What: Several vulnerabilities in Juniper products
Product: Juniper Cloud Native Router and Containerized Routing Protocol Daemon
Fix: Update the products

CVE: CVE-2024-31497
CVSS: Not known
What: Severe vulnerability in the implementation of the ECDSA algorithm of PuTTY software
Product: PuTTY
Fix: Update to the latest version

CVE: CVE-2024-29204
CVSS: 9.8
What: Several vulnerabilities
Product: Ivanti: Avalanche 6.4.3 
Fix: Update to the latest version

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 12–18 April 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.