
The National Cyber Security Centre Finland’s weekly review – 43/2023

Information security now!

This week we take another look at the recent wave of Microsoft 365 account breaches and report on another wave of data breaches carried out on vulnerable Cisco network devices. We also remind our readers that the recordings and materials of the Tietoturva 2023 information security seminar and the results seminar of the Ketjutonttu campaign are now available on our website.

TLP:CLEAR

Topics covered in this week’s review

  • Hundreds of email accounts compromised
  • Tietoturva 2023 information security seminar looked to the future of information security
  • Final report of the Ketjutonttu campaign and recording of the results webinar published
  • Wave of data breaches carried out on vulnerable Cisco network devices
  • Vulnerabilities

Hundreds of email accounts compromised

The recent large wave of phishing attacks targeting Finnish organisations has resulted in hundreds of victims. The NCSC-FI issued a severe alert on the phishing campaign on 20 October 2023.

The phishing campaign has resulted in organisations’ email accounts being hijacked and used to send out more phishing messages to their lists of contacts, including other organisations. The phishing messages have been based on actual email messages stolen from hijacked accounts, making them more believable. The edited messages have included a link to a phishing site or a file transfer service, with the link to the phishing site being contained in the file downloaded from the service. The criminals have also tried to make their phishing messages more believable by making them look like secure email messages or using actual secure email services used by organisations.

The NCSC-FI has received numerous reports concerning the phishing campaign. Based on observations, the NCSC-FI has been in contact with dozens of organisations to map the progress of the data breaches. Thank you to all those who have submitted reports! The reports provide valuable information contributing to a situational picture that can help identify and prevent malicious data traffic.

One of the reasons why the phishing campaign has resulted in such a large number of victims is that the phishing sites used in the campaign capture not only victims’ passwords but their two-factor authentication codes as well. A one-time code entered on the phishing site is used by the criminals right away, so code-based MFA does not stop this kind of attack; only phishing-resistant methods such as FIDO2 security keys or passkeys do.

All organisations that have detected phishing traffic are urged to check whether any new forwarding rules or mailbox-level forwarding have recently been added to their email accounts. Not all of the breaches are necessarily detected right away, so in addition to the accounts confirmed to have been compromised, organisations should also review all of their other accounts: revoke open user sessions, change the passwords and check whether any MFA devices or methods have been registered that the user did not add.

Video (in Finnish, on the NCSC-FI YouTube channel): Vakava varoitus tietomurroista organisaatioissa: mistä on kyse? (‘Severe alert concerning data breaches at organisations: what is it about?’)

Why we issue alerts

  • We issue alerts on notable information security incidents. These alerts are aimed at everyone interested in the subject.
  • The NCSC-FI typically issues 1–5 alerts per year.
  • Yellow alerts are issued for serious threats that the public needs to be widely informed about.
  • Alerts are valid until further notice. We announce the dismissal of alerts separately.

Tietoturva 2023 information security seminar looked to the future of information security

The Tietoturva 2023 information security seminar was held on Thursday 12 October 2023 in Helsinki and online. The theme of this year’s seminar was the future of cyber security and threats. Some of the most frequently highlighted topics in the seminar presentations included AI and supply chains.

A summary of the seminar and the presentations has now been published on Traficom’s website (in Finnish).

We also published an Information Security Now! article in which we review the key insights of the seminar. Check out the article to see how supply chains can be secured, how AI can be used securely and efficiently, and how important cooperation is for cyber security.

Final report of the Ketjutonttu campaign and recording of the results webinar published

Ketjutonttu was an NCSC-FI campaign funded by the National Emergency Supply Agency and carried out by Badrap Oy. The aim of Ketjutonttu was to help Finnish companies and their suppliers identify interdependencies and manage cyber risks in their supply chains. The campaign has provided the suppliers of participating organisations with a free-of-charge information security check based on open data sources. In addition to this, suppliers were provided with assistance for implementing fixes.

The results webinar of the Ketjutonttu campaign was held on 5 October 2023. A recording of the event and the final report of the campaign have now been published on our website (in Finnish).

Wave of data breaches carried out on vulnerable Cisco network devices

A recently discovered critical vulnerability in Cisco IOS XE Software has resulted in an international wave of data breaches. The vulnerability can be exploited if the web UI of a vulnerable device is reachable from the public internet. Cisco Talos has found a backdoor implant and unauthorised local user accounts on breached devices. The data breaches have not been attributed to a known cyber threat actor, but according to Talos, the malware found on the breached devices has all come from the same actor.

Devices visible to the internet breached quickly

On Monday 16 October, Cisco Talos reported on the active exploitation of the zero-day vulnerability CVE-2023-20198 in the web management user interface component of Cisco IOS XE Software. On 20 October, Talos identified an additional vulnerability (CVE-2023-20273) that has also been actively exploited. Cisco IOS XE is an operating system used on many Cisco network devices, such as routers, switches and wireless access points.

Tens of thousands of vulnerable devices have been identified around the world, and many of them have been found to have the backdoor implant mentioned above installed. Cisco started releasing updates fixing the vulnerabilities on 22 October. Until a device is updated, exploitation can be prevented by allowing access to the IOS XE web UI only from trusted management networks, or by disabling the HTTP server feature altogether so that the web UI is not reachable from the internet.

By exploiting CVE-2023-20198, an unauthenticated attacker can create a local user account with full administrator rights (privilege level 15) on the targeted device, which gives the attacker full control of the device. The second vulnerability, CVE-2023-20273, is then used to run commands as root and install the backdoor implant. Because the added accounts are ordinary local users, they remain on the device after a reboot even if the implant itself does not.
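For the two conditions the Cisco section turns on, a web UI reachable from untrusted networks and an administrator account the operator never created, here is an added example (not Cisco’s or NCSC-FI’s tooling) that audits a saved `show running-config` dump and prints the IOS commands to close both. The config text, hostname, ACL name, management subnet and usernames are constructed; Talos reported attacker-created accounts with names such as cisco_tac_admin, which is why the sample contains one. The named-ACL form `ip http access-class ipv4` is assumed to be supported by the device’s IOS XE release.

```python
import re

# Constructed running-config excerpt. Hostname, ACLs and usernames are invented;
# the rogue account name follows the pattern Talos reported.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netadmin privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
username monitor privilege 1 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
!
"""

HTTP_SERVER = re.compile(r"^ip http (server|secure-server)\s*$", re.M)
HTTP_ACL = re.compile(r"^ip http access-class (?:ipv4 )?(\S+)", re.M)
PRIV15_USER = re.compile(r"^username (\S+) .*\bprivilege 15\b", re.M)


def webui_exposure(config):
    """Classify the web UI as 'disabled', 'restricted' (behind an access-class ACL)
    or 'exposed' (listening with no ACL, the precondition for the breach wave)."""
    listeners = HTTP_SERVER.findall(config)
    if not listeners:
        return "disabled", []
    acl = HTTP_ACL.search(config)
    if acl:
        return "restricted", listeners + [acl.group(1)]
    return "exposed", listeners


def unexpected_admins(config, approved):
    """Privilege-15 local users not on the operator's approved list. CVE-2023-20198
    let the attacker create exactly this kind of account through the web UI."""
    return sorted(set(PRIV15_USER.findall(config)) - set(approved))


def remediation_lines(config, approved, keep_webui=False,
                      mgmt_acl="MGMT-ONLY", mgmt_net="192.0.2.0 0.0.0.255"):
    """IOS commands to apply: drop rogue admins and either turn the web UI off or
    fence it behind a standard ACL. ACL name and management subnet are placeholders."""
    lines = [f"no username {u}" for u in unexpected_admins(config, approved)]
    if keep_webui:
        lines += [f"ip access-list standard {mgmt_acl}",
                  f" permit {mgmt_net}",
                  " deny any log",
                  "no ip http server",          # plaintext HTTP has no reason to stay on
                  "ip http secure-server",
                  f"ip http access-class ipv4 {mgmt_acl}"]
    else:
        lines += ["no ip http server", "no ip http secure-server"]
    return lines


if __name__ == "__main__":
    status, detail = webui_exposure(SAMPLE_CONFIG)
    print(f"web UI: {status} {detail}")
    print("unexpected privilege-15 users:", unexpected_admins(SAMPLE_CONFIG, ["netadmin"]))
    print("\n".join(remediation_lines(SAMPLE_CONFIG, ["netadmin"])))
```

Removing the rogue account and closing the web UI does not remove an implant already written to the device. Talos reported that the implant does not survive a reboot while the added accounts do, so a device that was exposed should be checked for the implant according to Cisco’s guidance and upgraded to a fixed release, not merely reconfigured.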

The NCSC-FI reminds readers to protect their network devices

The NCSC-FI published a vulnerability bulletin on the Cisco IOS XE vulnerabilities and warned the owners of vulnerable devices in Finland about the situation. As a result, the number of Cisco IOS XE devices with an internet-exposed web UI detected in Finland decreased from approximately 40 to under 20. Some of the detected devices have had the backdoor implant installed on them.

Network device administrators should take note of services that are unnecessarily visible to the public internet and protect their devices to prevent various types of network attacks in the future as well.

Vulnerabilities

CVE: CVE-2023-34048

CVSS: 9.8

What: Critical vulnerability enabling remote execution of arbitrary code

Product: VMware vCenter Server

Fix: No fix available yet

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 20–26 October 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.