The National Cyber Security Centre Finland’s weekly review – 40/2023

Information security now!

This week, we take a look at the new Traficom regulation that recently entered into full effect, imposing new obligations on telecommunications operators to prevent caller ID spoofing. Other topics this week include QR code phishing, the progress of the national implementation of the NIS2 Directive and the successful Ketjutonttu campaign.

TLP:CLEAR

Topics covered in this week’s review

  • New Traficom regulation stops caller ID spoofing of Finnish numbers almost entirely
  • QR code phishing becoming increasingly common 
  • Opinions requested about the Government proposal draft for the national implementation of the NIS2 Directive
  • Campaign identified and corrected cyber risks related to supply chains

New Traficom regulation stops caller ID spoofing of Finnish numbers almost entirely

For several years now, people in Finland have been plagued by scam calls that appear to originate from Finnish phone numbers. In recent years, scammers have made millions of such calls. The new Traficom regulation designed to put a stop to these scam calls, and the close cooperation with telecommunications operators that its implementation requires, have also attracted a great deal of international interest in the work of Traficom and the NCSC-FI.

The new Traficom regulation, which entered into effect at the beginning of October, obligates Finnish telecommunications operators to block calls from foreign phone numbers attempting to spoof Finnish numbers, including mobile ones. The filtering solution designed to accomplish this is now being used by all Finnish telecommunications operators that manage calls from abroad.
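The rule the review describes, written out as an added example that is not Traficom's or any operator's code: a call that enters the Finnish network from abroad but presents a Finnish calling number (country code +358, mobile ranges included) is dropped. The call records are constructed, the trunk classification ("international" versus "domestic" ingress) is a simplification of real signalling, and treating a national-format number presented on an international trunk as a claimed Finnish number is our assumption. A real deployment also has to let genuine traffic through, such as Finnish subscribers roaming abroad who call home; how the regulation handles such cases is not covered on this page and is not modelled here.

```python
"""Simplified model of the cross-border CLI filtering rule (added example, not
Traficom's or any operator's implementation). Call records are constructed."""

FI_COUNTRY_CODE = "358"


def normalise_cli(raw, national_cc=FI_COUNTRY_CODE):
    """Turn a presented calling number into E.164 digits without '+', or None if absent.

    Accepts '+358 40 ...', '00358 40 ...' and national '040 ...'. A national-format
    number arriving on an international trunk is assumed (our assumption, not the
    regulation's wording) to be claiming a number of `national_cc`.
    """
    if not raw:
        return None
    raw = raw.strip()
    digits = "".join(ch for ch in raw if ch.isdigit())
    if not digits:
        return None
    if raw.startswith("+"):
        return digits
    if digits.startswith("00"):        # international dialling prefix
        return digits[2:]
    if digits.startswith("0"):         # national trunk prefix
        return national_cc + digits[1:]
    return digits                      # already country-code first


def is_finnish(e164):
    """True when the normalised number is in the Finnish (+358) numbering space."""
    return e164 is not None and e164.startswith(FI_COUNTRY_CODE)


def decide(call):
    """call = {'ingress': 'international' | 'domestic', 'cli': str | None}.

    Only calls entering from abroad are screened; a Finnish number presented on
    such a call is treated as spoofed and the call is blocked.
    """
    cli = normalise_cli(call.get("cli"))
    if call["ingress"] != "international":
        return {"action": "allow", "reason": "domestic ingress, no cross-border CLI check"}
    if cli is None:
        return {"action": "allow", "reason": "no CLI presented"}
    if is_finnish(cli):
        return {"action": "block", "reason": f"foreign ingress presents Finnish CLI +{cli}"}
    return {"action": "allow", "reason": f"foreign CLI +{cli}"}


# Constructed call records (not real traffic).
SAMPLE_CALLS = [
    {"ingress": "international", "cli": "+358 40 123 4567"},   # spoofed Finnish mobile
    {"ingress": "international", "cli": "00358 9 123 4567"},   # spoofed Helsinki landline
    {"ingress": "international", "cli": "040 1234567"},         # national format from abroad
    {"ingress": "international", "cli": "+44 20 7946 0000"},    # genuine foreign caller
    {"ingress": "domestic", "cli": "+358 40 123 4567"},         # Finnish call, Finnish number
    {"ingress": "international", "cli": None},                  # CLI withheld
]


def screen(calls=SAMPLE_CALLS):
    """Return the action taken for each call, in order."""
    return [decide(c)["action"] for c in calls]


if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        verdict = decide(call)
        print(f"{verdict['action']:5s}  {call['ingress']:13s}  {call['cli']!s:18s}  {verdict['reason']}")
```

The normalisation step matters more than the comparison: spoofers present numbers in whichever format the receiving switch is most likely to pass through, so a filter that only matches the literal string "+358" misses national-format and 00-prefixed variants of the same number.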

Despite the new regulation entering into effect, the work to prevent scams involving the exploitation of phone numbers continues. In fact, Traficom is currently preparing a regulation intended to help prevent SMS scams. Traficom’s work to prevent SMS scams is being carried out in close cooperation with the National Bureau of Investigation, as the proceeds of SMS scams have been growing recently. The drafting of the regulation is currently in the final stretch, and it is expected to enter into effect in October–November. The solution for preventing SMS scams based on the regulation is expected to be implemented in early 2024.

QR code phishing becoming increasingly common 

The NCSC-FI has noted an increase in phishing carried out with the help of QR codes this week. QR code phishing, or quishing, is a type of phishing attack in which the victim is lured into scanning a QR code with their smartphone or tablet. Scanning takes almost no effort, because the built-in camera apps on these devices recognise QR codes automatically and offer to open the embedded link.

The recent wave of QR code phishing has included messages warning recipients about things like expired passwords, two-factor authentication, login session expiration, the need to sign an NDA or overdue payments. As is often the case with phishing messages, the aim is to create a feeling of urgency for the recipient.

The links used in QR code phishing get past many email filters because they are embedded in an image rather than written out as text, and filters that only inspect URL text do not decode images. The codes are also often scanned with personal devices, so the malicious websites they open bypass the company's network and endpoint safeguards as well. This often makes it difficult for companies to identify the persons who have fallen victim to a QR code phishing attack.

Here are some ways in which organisations can mitigate the risks of QR code phishing:

  1. Provide your employees with information about QR codes and their secure use.
  2. Provide a simple way of reporting suspicious emails to your IT support.
  3. Enable multi-factor authentication for email.
  4. Access company resources and software only on trusted and protected devices.
  5. Use only recommended QR code scanners that have built-in security features for detecting potentially malicious codes.
  6. Establish clear practices and instructions for scanning QR codes in your organisation.
  7. Design an identifiable brand for your QR codes so that employees can easily tell the organisation’s valid QR codes apart from malicious ones.
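As an added example (not code from NCSC-FI or from the review), the checks that a QR scanner with "built-in security features" (item 5) or a mail gateway can apply once a QR code has been decoded to a URL, enforcing the organisation's own-domain policy from item 7 as an allow-list. Image decoding is assumed to have happened already and is not shown; the payloads are constructed in the style of the lures the review mentions, and the allow-list and shortener list belong to a hypothetical organisation, not to anything on the page.

```python
"""Policy checks for a decoded QR payload (added example, not NCSC-FI's code).
Image decoding is assumed to have happened upstream; inputs are constructed."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical organisation domains that its own (branded) QR codes may point to.
TRUSTED_DOMAINS = {"example.com"}

# Small constructed list of public URL shorteners, which hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd"}


def _is_trusted(host: str) -> bool:
    """True when host is a trusted domain or a subdomain of one."""
    return host in TRUSTED_DOMAINS or any(host.endswith("." + d) for d in TRUSTED_DOMAINS)


def assess_qr_payload(payload: str) -> dict:
    """Classify one decoded QR payload as allow / warn / block, with the reasons found."""
    blocking, warnings = [], []
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()

    # Non-web payloads (tel:, wifi:, mailto:, javascript: ...) are never opened silently.
    if scheme not in ("http", "https"):
        return {"verdict": "warn", "reasons": [f"non-web scheme '{scheme or 'none'}'"]}

    host = parts.hostname or ""
    try:
        host = host.encode("idna").decode("ascii")  # Unicode host -> punycode (xn--...)
    except UnicodeError:
        blocking.append("hostname cannot be IDNA-encoded")

    if parts.username is not None:
        # 'https://login.example.com@evil.test/' shows a trusted name before the real host.
        blocking.append("userinfo before '@' disguises the real host")
    try:
        ipaddress.ip_address(host)
        blocking.append("IP-literal host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        blocking.append("punycode label (possible homograph of a known brand)")
    if host in SHORTENERS:
        blocking.append("URL shortener hides the final destination")

    if parts.port not in (None, 80, 443):
        warnings.append(f"non-standard port {parts.port}")
    if scheme == "http":
        warnings.append("cleartext http")
    if not _is_trusted(host):
        warnings.append(f"'{host}' is not on the organisation allow-list")

    verdict = "block" if blocking else ("warn" if warnings else "allow")
    return {"verdict": verdict, "reasons": blocking + warnings}


# Constructed payloads mimicking the lures in the review (password expiry, MFA,
# NDA signing, overdue payment); none is a real phishing URL.
SAMPLE_PAYLOADS = [
    "https://login.example.com/sso?reason=password-expired",
    "https://login.example.com@evil.test/mfa/reset",
    "http://203.0.113.5/nda/sign",
    "https://xn--pple-43d.com/invoice/overdue",
    "https://bit.ly/3abcXYZ",
    "https://docs.partner.test/nda",
    "tel:+358401234567",
]


def triage(payloads=SAMPLE_PAYLOADS) -> dict:
    """Map each payload to its verdict, as a gateway summary would."""
    return {p: assess_qr_payload(p)["verdict"] for p in payloads}


if __name__ == "__main__":
    for payload, verdict in triage().items():
        print(f"{verdict:5s}  {payload}")
        for reason in assess_qr_payload(payload)["reasons"]:
            print(f"         - {reason}")
```

Two design points: the host is IDNA-normalised before any comparison, so a lookalike such as a Cyrillic-а "аpple.com" is seen as "xn--pple-43d.com" and flagged rather than compared as text, and "warn" is kept separate from "block" so that unknown but well-formed destinations (a partner's NDA portal, a plain tel: number) reach a human instead of being silently dropped or silently opened.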

Opinions requested about the Government proposal draft for the national implementation of the NIS2 Directive

The Ministry of Transport and Communications is requesting opinions about the Government proposal draft for the national implementation of the EU’s Revised Directive on Security of Network and Information Systems (NIS2).

The aim of the NIS2 Directive is to raise both the overall level of cyber security in the EU and the national level of cyber security in Member States for certain critical sectors. The revised Directive extends the EU cyber security rules to a broader range of entities in sectors such as energy and health care, as well as to digital infrastructure providers.

The scope of application of the Directive has also been expanded to encompass new sectors and entities, such as public administration, the food industry and waste management. The Directive imposes risk management obligations intended to boost cyber security and an obligation to report cyber incidents on the critical sectors of society.

The Government proposal draft is intended to improve the cyber security and cyber resilience of entities critical to the functioning of society and essential services, and their ability to recover from cyber incidents and other disruptions affecting information systems and communications networks.

Campaign identified and corrected cyber risks related to supply chains

The NCSC-FI’s Ketjutonttu campaign improved the information security of Finnish companies by identifying and correcting risks in their supply chains. A total of 150 organisations and companies took part in the campaign, which was funded under the National Emergency Supply Agency’s Digital Security 2030 programme.

Ketjutonttu is the latest campaign in the NCSC-FI's series of feasibility study campaigns, the purpose of which is to examine how the security of companies could be improved with lightweight methods. The service was provided by the Finnish company Badrap Oy.

The final report of the Ketjutonttu campaign is available here.

Vulnerabilities

CVE: CVE-2023-42114, CVE-2023-42115, CVE-2023-42116, CVE-2023-42117, CVE-2023-42118, CVE-2023-42119
CVSS: highest 9.8
What: Exim released fixes to several severe vulnerabilities
Product: Exim mail transfer agent (MTA)
Fix: Software update
Bulletin (in Finnish).

CVE: CVE-2023-22515
CVSS: Unknown, estimated 9.0–10.0
What: Critical vulnerability in Atlassian Confluence products
Product: Atlassian Confluence Data Center and Server
Fix: Software update
Bulletin (in Finnish).

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 29 September–5 October 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.