
The National Cyber Security Centre Finland’s weekly review – 19/2023

Information security now!

This week we talk about secure email phishing messages and the new requirements for strong electronic identification. Be sure to also check out the Cyber Weather report for April and the updates released on Patch Tuesday.

TLP:CLEAR

Topics covered in this week’s review

  • Secure email phishing messages have resulted in cases of email account compromise
  • Email phishing and scam calls made for unstable Cyber Weather in April
  • New requirements for strong electronic identification will make digital public services more secure
  • United States authorities and partner countries published a joint report on the Snake malware implant
  • 700 companies have already applied for support for the development of information security
  • Numerous vulnerabilities fixed on Patch Tuesday

Secure email phishing messages have resulted in cases of email account compromise

According to our records, over 10 Finnish organisations saw their email accounts compromised during May, with the municipal sector, NGOs and public administration particularly highly represented in the statistics. The compromised accounts are used to send out thousands of new account phishing messages and for invoice fraud attempts, for example.

Lately, most cases of email account compromise have occurred as a result of secure email phishing. Some of the cases have also involved DocuSign-themed phishing.

According to statistics, nearly every weekday some Finnish organisation sees their email account compromised. There are thousands of phishing messages circulating in Finland every week as a result of compromised email accounts alone.

Email account compromise is often prevented by multi-factor authentication, but users may still end up entering their information on malicious websites. Because of this, organisations should provide information about phishing campaigns as part of their internal communications as well.

We recommend using multi-factor authentication and restricting the creation of email forwarding rules. Users should also use different usernames and passwords in each service.

If you entered your username and password on a phishing site and use the same username and password in other services, you should immediately change your password. Users should also report any such incidents to the party in charge of information security at their organisation. It is also a good idea to report information security incidents to the NCSC-FI even if they do not result in, for example, email account compromise. The NCSC-FI uses such reports to generate situational awareness and share information about current phenomena.

We previously reported on this phenomenon in our 16/2023 Weekly Review. The importance of openness cannot be overstated – if an email account is compromised, this should be immediately communicated to the rest of the organisation and to the contacts of the compromised account. If necessary, the incident can also be reported on the organisation’s website.

Email phishing and scam calls made for unstable Cyber Weather in April

The Cyber Weather in April was characterised by glimpses of the spring sun and rains alike. Overall, the Cyber Weather remained unstable due to email phishing and scam calls. In terms of malware, April was brighter than the previous month, with the number of malware reports being slightly lower than in March. The Cyber Weather report for April also includes the top 5 cyber threats, which are updated four times a year.

New requirements for strong electronic identification will make digital public services more secure

The new requirements for strong electronic identification that are entering into effect in summer 2023 will make digital public services more secure. The aim of the new requirements is to make it easier for users to check which service they are signing in to.

Going forward, digital public services and brokering services will need to agree on names for services that unambiguously tell the user which service they are accepting an identification request for. For example, if the user accesses the webshop of “Verkkokauppa Verho” on their browser, they should see the same name in the different steps of the identification process: “You are identifying yourself to the service: Verkkokauppa Verho”.

Another new development visible to the end user is already in use with some identification means: a session ID, for example a character string, that should be the same in the browser and in any identification means capable of displaying it.

The aim of both of these improvements is to reduce the threats associated with electronic identification. The full-scale utilisation of the improvements requires using either a mobile certificate or an authenticator app.

It should be noted, however, that it is impossible to eliminate all threats and misuse. Because of this, users should always exercise due caution when using digital public services, as strong electronic identification serves as your personal ID in the online world.

Read more (in Finnish): New requirements for strong electronic identification will make digital public services more secure

Read more (in Finnish): Strong electronic identification being renewed – information for public services

United States authorities and partner countries published a joint report on the Snake malware implant

United States authorities and their partner countries have published a joint report on the “Snake” malware implant used by cyber threat actor Turla.

The authorities’ joint technical report on the Snake malware implant describes the architecture and functioning of the malware in detail. In addition to this, the report provides instructions on how to detect Snake on infected systems.

Based on a decision issued by the United States Department of Justice, the FBI carried out a local operation in the United States to remove Snake from systems infected by the malware. The FBI also announced that it will be providing information globally to international authorities in whose operating areas systems infected with Snake have been detected.

700 companies have already applied for support for the development of information security

Support for developing information security is direct government support paid to companies in sectors critical to the functioning of society for measures aimed at improving information security.

Approximately 700 companies have already applied for a total of EUR 16 million of the support. The applications of 150 companies have so far been completely processed, with 27 having been cancelled or rejected.

A total of approximately EUR 3 million of support has so far been granted to 123 companies. Of this amount, EUR 1.5 million has consisted of support of up to EUR 15,000 and EUR 1.4 million of support of up to EUR 100,000.

The appropriation for support for the development of information security is EUR 6 million in total, two million of which can be granted as support vouchers of up to EUR 100,000 each.

Numerous vulnerabilities fixed on Patch Tuesday

Since 2003, the second Tuesday of every month has been known as ‘Patch Tuesday’ on account of being the day on which Microsoft releases security updates for Windows, Office and other associated products. This regular update schedule facilitates forecasting and the planning of operations as companies can expect to receive updates on a specific day.

The same update schedule has also been adopted by several other operators, such as Adobe and SAP. The most recent Patch Tuesday on 9 May 2023 brought with it fixes to two zero-day vulnerabilities that have already been exploited and one for which there is no evidence of exploitation yet.

A zero-day vulnerability means a vulnerability that the software provider or developer has only just become aware of. As such, the software provider or developer has ‘zero days’ to fix the vulnerability because it has already been made public.

The most recent Patch Tuesday saw the release of almost 40 fixes by Microsoft alone, in addition to numerous fixes by SAP, Adobe and Siemens, among others. We recommend going over the released fixes for any software that you use and installing the relevant updates.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 5–11 May 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.