The National Cyber Security Centre Finland’s weekly review – 24/2023

Topics covered in this week’s review

• Backups are an essential part of ransomware protection
• Do not forget about information security awareness during the holiday season
• Stormy Cyber Weather in May due to social media account hijacking
• Easier cyber exercises via email – new instructions for organising email exercises
• Vulnerabilities

Backups are an essential part of ransomware protection

Backups are an important information security measure and one of the most effective ways of preparing for human errors, hardware failure, data breaches and ransomware.

Ransomware can destroy or encrypt an infected organisation’s files and demand ransom for them, but even paying the ransom is no guarantee that the files will actually be restored. Because of this, it is crucial for organisations to have backups of their files and systems.

Sophisticated ransomware attacks target backups

Criminals are constantly developing more intricate ways of circumventing security measures, nowadays even utilising artificial intelligence and machine learning in their efforts. Criminals are also well aware of the fact that backups can deprive them of the leverage needed to extort their victims. As a result, nowadays ransomware attacks often also target backups and either decrypt or destroy them.

Seeking out and encrypting or destroying backups is an increasingly common feature in ransomware. A topical example is the Akira ransomware. Akira only encrypts certain types of files, such as virtual disk image files used by virtual machines, which can serve as backups.

Double extortion ransomware

With various backup practices becoming increasingly common, criminals are also developing their operating methods. In addition to encrypting data, ransomware attacks often involve extorting the victim by threatening to publish their data. Even after being paid a ransom, some attackers have proceeded to publish their victims’ data.

A double extortion ransomware attack proceeds in two stages. First, the attacker will demand a ransom to restore the encrypted data. If the victim pays up, the attacker will proceed to demand another ransom to not publish the data. Paying the ransom is never a guarantee that the attacker will actually restore the encrypted data or not publish it.

The ABC of backups

An effective backup strategy is a combination of many different factors. Here is a list of things that you should take into account when planning and implementing a backup strategy for your organisation.

The NCSC-FI’s instructions for preparing for ransomware attacks:

Do not forget about information security awareness during the holiday season

Various types of scams and phishing attacks usually increase at the start of holiday seasons. The fact that organisations operate with fewer resources during holiday seasons can can tempt criminals to try their luck at invoice fraud, for example.

During the spring and early summer, the NCSC-FI has received reports of various types of CEO fraud attempts, fake invoices, websites phishing for bank credentials and M365 account information and OmaVero-themed phishing sites, among others. All of these have the potential to cause significant damage to organisations. Luckily, they can also be avoided with the right practices and personnel training.

Tips for the holiday season:

• Provide training on good information security practices to summer employees as well.
• Holidays can affect the availability of resources, but do not let this be a reason for deviating from secure work practices.
• Stay even more vigilant than normal during the holiday season, as the numbers of various information security incidents can increase during the holidays.
• Remember to take care of the information security of network devices and keep them updated during the holidays as well. 

Last summer, we compiled a set of instructions concerning various invoicing scams. The start of the holiday season is the perfect time to refresh your memory and implement best practices:

Stormy Cyber Weather in May due to social media account hijacking

In May, we saw a massive increase in reports of social media account hijacking, with the number of reports increasing by approximately 300% compared to the average during the start of the year. There were also double scams going around, which involved scammers contacting a person multiple times via text message or phone to tell them that their funds were in danger and that they should transfer them to a secure account.

Easier cyber exercises via email – new instructions for organising email exercises

Organising a cyber exercise can be challenging due to scheduling and having to find a place that can accommodate all the participants. However, there is also an easier way to organise cyber exercises that is more flexible for everyone and does not require expensive arrangements and a physical exercise environment: via email.

New instructions published by Traficom detail how to organise email cyber exercises flexibly to get the best results for developing your organisation’s operations. Reserving sufficient space and time for an exercise also ensures that the results are more reflective of reality and that you get answers to the right questions. 

Vulnerabilities

CVE: CVE-2023-27997
CVSS: 9.2
What: Critical vulnerability in Fortinet’s FortiOS and FortiProxy software.
Product: FortiOS-6K7K, FortiProxy, FortiOS
Fix: Update the software to the latest version. For more detailed information, please see our vulnerability bulletin (in Finnish) (External link)

CVE: Several
CVSS: Highest 9.8
What: Microsoft’s Patch Tuesday
Product: Several Microsoft products
Fix: Install the latest updates. For more detailed information, please see Microsoft’s release notes  (External link)

CVE: CVE-2023-3214, CVE-2023-3215, CVE-2023-3216, CVE-2023-3217
CVSS: -
What: Critical update for Google Chrome browsers
Product: Google Chrome for Desktop (Mac, Linux, Windows)
Fix: For more detailed information, please see Google’s blog post  (External link)

Mikä: Microsoftin päivitystiistai
Tuote: Useat Microsoftin tuotteet
Korjaus: Asenna uusimmat päivitykset. Tarkemmat tiedot Microsoftin tiedotteessa (External link)

CVE: CVE-2023-3214, CVE-2023-3215, CVE-2023-3216, CVE-2023-3217
CVSS: -
Mikä: Kriittinen päivitys Google Chrome verkkoselaimiin
Tuote: Google Chrome for Desktop (Mac, Linux, Windows)
Korjaus: Tarkemmat tiedot Googlen tiedotteessa (External link)