Front Page: NCSC-FI

The National Cyber Security Centre Finland’s weekly review – 23/2023

Information security now!

In this second weekly review for June, we have some unfortunate news to share about phone number spoofing, compromised online games and breached firewalls. Luckily there are good things happening as well: the National Bureau of Investigation and the Southwestern Finland Police Department have completed their preliminary investigation of a major online banking fraud case.

TLP:CLEAR

Topics covered in this week’s review

  • Finnish phone numbers being spoofed once again
  • Investigation of bank credential phishing case proceeds to consideration of charges
  • Malicious add-ons for the online game Minecraft
  • Crypto-agile encryption techniques being prepared to withstand quantum computing
  • Zyxel firewall vulnerability exploited

Finnish phone numbers being spoofed once again

During the past week, the NCSC-FI has received numerous reports of phone number (caller ID) spoofing from both individual citizens and companies. The spoofed numbers have been used for both scam and harassment calls.

Going forward, phone number spoofing and scam calls will be tackled in Finland based on a revised Traficom regulation. Finnish Transport and Communications Agency Traficom’s regulation 28 imposes obligations on telecommunications operators to prevent caller ID spoofing and the transmission of scam calls to recipients. The obligations will enter into effect for mobile phone numbers on 2 October 2023.

Investigation of bank credential phishing case proceeds to consideration of charges

The National Bureau of Investigation and the Southwestern Finland Police Department have completed their preliminary investigation of a major online banking fraud case in which an approximately 20-year-old man is suspected of over 400 instances of aggravated means of payment fraud. The suspect has been remanded since December 2022, and the preliminary investigation has now been referred to a prosecutor for consideration of charges. The police suspect that there have also been other perpetrators involved in hiding the proceeds of the crime. They are suspected of money laundering.

The online banking fraud case has involved the phishing of bank credentials, cases of which are also reported to the NCSC-FI on a daily basis. Victims were sent text messages that were spoofed to look like they came from a bank and that contained a link to a convincing-looking fake login page. The victims thought they were logging in to their online bank, but were in fact entering their credentials on a fake site and thus disclosing them to the criminals, who then used them to log in to the real online bank service.

The secure way to log in to an online bank is to use the bank’s own mobile application or a bookmark saved on your browser. You should never log in to an online bank via a link included in a text message or email.

Malicious add-ons for the online game Minecraft

CurseForge and Bukkit, two services that provide mods and add-ons for popular online games such as Minecraft, have been found to be hosting malicious content. Mods and add-ons downloaded from the services may contain malware. As such, downloading mods and add-ons from the services is currently not recommended.

The mods, add-ons and plugins hosted on the services may have been infected with malicious content as early as mid-April. If you have downloaded mods, add-ons or plugins from the aforementioned services in the last few weeks, you should scan your device for malware. The malware in question is known to infect devices and steal account information and virtual currency. 

Based on current knowledge, the malware may have infected the Java version of Minecraft on Windows and Linux environments. The problem does not concern the console versions of Minecraft or versions that have no mods or add-ons installed.

Crypto-agile encryption techniques being prepared to withstand quantum computing

The proliferation of quantum computers and quantum computing is expected to challenge the algorithms used for data protection and encryption. The risk is that the vast increase in computing power offered by quantum computing will make possible calculations that were designed to be impossible. As a result, future quantum computers may be able to unlock many of today’s secrets.

Although viable quantum computers do not exist yet, standardisation authorities have already prepared for the future by issuing policies on the standardisation of new algorithms. The NCSA-FI serves as the national Crypto Approval Authority (CAA) of Finland.

Zyxel firewall vulnerability exploited for network attacks

Two weeks ago, we published a bulletin on a critical vulnerability in Zyxel firewall products, which attackers can exploit to put a network in a denial-of-service state. We also reported that the vulnerability has already been exploited in Finland.

Since then, more reports have come in from both Finland and the rest of the world of Zyxel firewalls being attacked and networks being subsequently put in a denial-of-service state. These recent denial-of-service attacks have been related to information influence operations and have primarily had only short-term impacts on the availability of external websites, for example. Attacks exploiting the vulnerabilities can, however, temporarily affect organisations’ data connections if no other protective measures are used.

Zyxel firewall products are very widely used by different organisations. Any organisations using them should check that they are using updated firmware, which includes a fix for the vulnerability.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 26 May–1 June 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.