
The National Cyber Security Centre Finland’s weekly review – 44/2022

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 28 October–3 November 2022). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.

TLP:CLEAR

Topics covered in this week’s review

  • Denial-of-service attacks are on the rise – the impact is minor
  • Emotet malware sightings from around the world
  • Suspect in the historical Vastaamo data breach case detained in absentia
  • Identify a safe website by its address
  • Two high severity vulnerabilities in OpenSSL version 3.0

Denial-of-service attacks are on the rise – the impact is minor

The NCSC-FI has been receiving increasing numbers of reports of denial-of-service attacks during the autumn. This phenomenon was already briefly reported on in our previous weekly reviews 42/2022 and 43/2022.

The numbers of denial-of-service attacks reported to the NCSC-FI have been increasing every month since the summer, with October having been the most active month of the year for denial-of-service attacks so far. The NCSC-FI has already received more reports of denial-of-service attacks in 2022 than it did in the entirety of the previous year.

The denial-of-service attacks reported this year have had only minimal effects on their targets. The NCSC-FI collects data about denial-of-service attacks through attack reports, for example, and builds a situational picture at the national level based on the gathered information. Every report counts, even if the attack has no real impact on the targeted organisation. The situational picture helps assess the prevalence of attacks and the situation in different sectors. The NCSC-FI also uses the data to compare the situation in Finland to international reports of denial-of-service attacks.

For more information, please see the recent article on our website:

Emotet malware sightings from around the world

Following roughly five months of inactivity around the world, the Emotet malware strain, which spreads through email attachments, is resurging once again. The recently reported cases have involved malicious Excel and Word files, in some cases delivered inside password-protected ZIP files, which mail gateways cannot open and scan. The subjects of the malicious messages and the file names have related to invoicing, scanned documents and various types of forms, among others.

The spread of Emotet and similar malware is hindered by the fact that Microsoft Office now blocks macros by default in documents that carry the mark of the web, i.e. files downloaded from the internet or received as email attachments. Office does not apply this check to files in a trusted location, and the user's own Templates folder is a trusted location by default. Recent reports indicate that Emotet tries to circumvent the protection by urging the user to copy the malicious file into their Templates folder and open it from there, so that its macros are allowed to run.
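The following added example (not code from NCSC-FI or from any Emotet analysis) shows why the "move it to your Templates folder" lure works and how a defender can spot it in process-creation telemetry: it flags Office processes that open a macro-capable document from the user's Templates folder, where the mark-of-the-web macro block does not apply. The log records are constructed for the example and only loosely modelled on Sysmon event 1; the field names are an assumption.

```python
"""Added example (not NCSC-FI's code): detect Office documents opened from the
default user Trusted Location that the Emotet lure abuses.

Office blocks VBA macros in documents that carry the mark of the web (the
Zone.Identifier stream written by browsers and mail clients).  That check is
skipped for files inside a Trusted Location, and the user's Templates folder,
%APPDATA%\\Microsoft\\Templates, is a Trusted Location by default.  A macro
document copied there and opened runs its macros, which is what the lure
relies on.  Other default trusted locations exist and organisations add their
own; read them from the registry, e.g. for Word under
HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations,
before relying on this list.

Process-creation records below are constructed for the example, loosely
modelled on Sysmon event 1; the field names are an assumption.
"""
import re

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# First quoted or unquoted Windows path with a macro-capable extension
# (docx/xlsx/pptx cannot carry VBA and are deliberately not listed).
DOC_RE = re.compile(
    r'"?([A-Za-z]:\\[^"]+?\.(?:docm?|dotm?|xls[mb]?|xltm?|pptm?|potm?))"?(?=\s|$)',
    re.I,
)

# Default user-profile Trusted Location named in the lure.  Any user name
# matches; Windows paths are case-insensitive, hence re.I.
TRUSTED_LOCATION_PATTERNS = [
    re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\", re.I),
]


def document_from_cmdline(cmdline):
    """Return the macro-capable document path passed to an Office process, or None."""
    m = DOC_RE.search(cmdline)
    return m.group(1) if m else None


def in_trusted_location(path):
    """True if the path lies inside one of the listed default Trusted Locations."""
    return any(p.search(path) for p in TRUSTED_LOCATION_PATTERNS)


def find_trusted_location_bypass(events):
    """Return (EventRecordID, document) for Office launches that open a
    macro-capable document from a Trusted Location, i.e. with macro blocking off."""
    hits = []
    for ev in events:
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        if image not in OFFICE_PROCESSES:
            continue
        doc = document_from_cmdline(ev["CommandLine"])
        if doc and in_trusted_location(doc):
            hits.append((ev["EventRecordID"], doc))
    return hits


OFFICE_DIR = r"C:\Program Files\Microsoft Office\root\Office16"

# Constructed sample telemetry: 101 is a normal download (mark of the web keeps
# macros blocked), 102 and 103 follow the lure, 104 is not an Office process.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "Image": OFFICE_DIR + r"\WINWORD.EXE",
     "CommandLine": '"' + OFFICE_DIR + r'\WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice_8841.doc" /o ""'},
    {"EventRecordID": 102, "Image": OFFICE_DIR + r"\WINWORD.EXE",
     "CommandLine": '"' + OFFICE_DIR + r'\WINWORD.EXE" /n "C:\Users\alice\AppData\Roaming\Microsoft\Templates\invoice_8841.doc" /o ""'},
    {"EventRecordID": 103, "Image": OFFICE_DIR + r"\EXCEL.EXE",
     "CommandLine": '"' + OFFICE_DIR + r'\EXCEL.EXE" "C:\Users\alice\AppData\Roaming\Microsoft\Templates\scan_0231.xls"'},
    {"EventRecordID": 104, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\AppData\Roaming\Microsoft\Templates\notes.doc"},
]

if __name__ == "__main__":
    for record_id, doc in find_trusted_location_bypass(SAMPLE_EVENTS):
        print(f"event {record_id}: macro document opened from Trusted Location: {doc}")
```

Users rarely open documents directly from the Templates folder, so every hit is worth a look; on the constructed records only events 102 and 103 are flagged. Pair the alert with the mark-of-the-web check itself (the Zone.Identifier stream survives a copy within the same volume) to confirm the file came from outside.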

The recent sightings of Emotet have come from all over the world, with no clear geographical point of origin. This has also been reported by Feodo Tracker, a service that tracks Emotet botnet infrastructure. Emotet has shown cyclical activity in the past as well, so a break of roughly five months in sightings is not unusual. It is also characteristic for both the associated botnets and the malware itself to be updated during these breaks, and recent sightings suggest this has happened this time as well. Back in August 2020, the NCSC-FI published a severe warning about the Emotet situation at the time. The NCSC-FI continues to monitor the campaign and will provide further information in the event that Emotet sightings are made in Finland as well.

Identify a safe website by its address

When browsing websites and using email, it is important to keep a cool head in the face of all kinds of messages. In other words, you should never make rash decisions, even if you are promised incredible profits or threatened with the potential freezing of your bank account or false criminal charges.

Even if a website looks genuine, it does not guarantee that the content of the website is genuine. In fact, it is quite easy for criminals to copy the content and appearance of genuine websites to make malicious imitations. What criminals are typically aiming for with such imitations is to try to get users to enter their usernames and passwords on malicious sites in order to hijack their accounts.

Identifying a safe website is not always simple, but with the help of this article, it becomes much easier! In the article, we break down the addresses of two websites and go through them bit by bit.
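As an added illustration of the kind of breakdown the article describes (this is example code, not the article's own content), the block below splits a web address into its parts and shows which part actually identifies the site: only the host name decides which server the browser talks to, and within the host name only the registrable domain is owned by the site operator. The sample addresses are constructed; example.* names and the 203.0.113.0/24 block are reserved for documentation, and the bank name is fictional. The registrable-domain rule used here (the last two labels) is a stated simplification.

```python
"""Added example (not NCSC-FI's code): break a URL into its parts and name the
part that identifies the site.

Everything before an "@" is a username, not a host; the path and query are
chosen by whoever runs the host; and any labels to the left of the registrable
domain are chosen freely by that domain's owner.  So
https://www.example-bank.fi.secure-login.example.net/ belongs to example.net,
however convincing the left-hand part looks.
"""
import ipaddress
from urllib.parse import urlsplit


def registrable_domain(ascii_host):
    """Simplification (assumption): the last two labels.  Production code must
    consult the Public Suffix List, since e.g. 'co.uk' is itself a suffix."""
    labels = ascii_host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else ascii_host


def break_down(url):
    """Split a URL into the pieces a user should look at, in the browser's terms."""
    p = urlsplit(url)
    host = p.hostname or ""          # lower-cased; userinfo and port removed
    try:
        # Internationalised names are resolved in their ASCII (punycode) form.
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return {
        "scheme": p.scheme,
        "userinfo": p.username,       # text before '@', if any
        "host": host,
        "ascii_host": ascii_host,
        "is_ip": is_ip,
        "site": ascii_host if is_ip else registrable_domain(ascii_host),
        "path": p.path,
        "query": p.query,
    }


def warning_signs(url):
    """Return (site, list of human-readable warning signs) for a URL."""
    d = break_down(url)
    signs = []
    if d["scheme"] != "https":
        signs.append("not https: anyone on the network path can read or alter the page")
    if d["userinfo"]:
        signs.append(f"'{d['userinfo']}@' is a username, not the site; the site is {d['site']}")
    if d["is_ip"]:
        signs.append("bare IP address instead of a domain name")
    elif d["ascii_host"] != d["host"]:
        signs.append(f"non-ASCII host name; the browser actually resolves {d['ascii_host']}")
    if not d["is_ip"]:
        sub = d["ascii_host"][: -len(d["site"]) - 1]
        if "." in sub:   # a whole domain-like name parked as a subdomain
            signs.append(f"'{sub}' is a subdomain chosen by the owner of {d['site']}")
    return d["site"], signs


# Constructed sample addresses: one genuine-looking site and three imitations.
SAMPLE_URLS = [
    "https://www.example-bank.fi/login",
    "https://www.example-bank.fi.secure-login.example.net/login",
    "http://www.example-bank.fi@203.0.113.7/login",
    "https://www.exämple-bank.fi/login",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        site, signs = warning_signs(url)
        print(f"{url}\n  site: {site}")
        for s in signs:
            print(f"  warning: {s}")
```

The same rule applies when reading an address by eye: find the end of the host name (the first "/" after the scheme, or the end of the string), then read the host name from the right. The last two labels, or whatever the public suffix list says is the registrable domain, are the site; anything to their left, and anything before an "@", proves nothing.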

Two high severity vulnerabilities in OpenSSL version 3.0

Two high severity vulnerabilities have been found in version 3.0 of the OpenSSL library, which is used for data encryption and secure data transmission. We recommend updating to version 3.0.7 as soon as possible. Version 1.1.1 and older versions are unaffected, as the vulnerable code was only introduced in the 3.0 series.

The OpenSSL library is used in numerous systems, but the vulnerable 3.0 series has not yet been adopted as widely as earlier versions. OpenSSL is found on servers, network devices, embedded systems and in container images, among others, and several separately maintained copies may be present on the same host.

The vulnerabilities, CVE-2022-3602 and CVE-2022-3786, were initially rated critical but were downgraded to high severity following analysis by OpenSSL and its cooperation partners. Both are buffer overflows in X.509 certificate verification, triggered when a punycode-encoded email address in a certificate's name constraints is decoded: CVE-2022-3602 lets an attacker write four controlled bytes past the end of a stack buffer, CVE-2022-3786 an arbitrary number of "." bytes. The overflow occurs only after the certificate chain signature has been checked, so an attacker needs a malicious certificate signed by a CA the victim trusts, or an application that continues despite a failed chain verification; a TLS server is exposed only if it requests client certificates. Remote code execution cannot be ruled out, but on most platforms the likely outcome is a crash, i.e. denial of service.

For more information, please see our vulnerability article (in Finnish):
Two high severity vulnerabilities in OpenSSL version 3.0 
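The following added example (not code from NCSC-FI or the OpenSSL project) classifies OpenSSL version strings against these two CVEs, so that `openssl version` output collected from hosts, containers and appliances can be triaged in bulk, and also reports the OpenSSL build the running Python interpreter is linked against, which is often a different copy from the system one. The inventory lines are constructed for the example. One caveat: distributions that backport fixes (for instance a vendor package still reporting 3.0.2) will be flagged as affected by a pure version comparison; for those, check the package changelog instead.

```python
"""Added example (not NCSC-FI's or OpenSSL's code): triage OpenSSL version
strings for CVE-2022-3602 / CVE-2022-3786.

Affected: 3.0.0 through 3.0.6.  Fixed: 3.0.7 and every later release
(3.1 and later branched after the fix).  Unaffected: 1.1.1 and 1.0.2,
which never contained the punycode decoder.
"""
import re
import ssl
import subprocess

VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.I)


def parse_version(text):
    """'OpenSSL 3.0.5 5 Jul 2022' -> (3, 0, 5, '');  'OpenSSL 1.1.1q ...' -> (1, 1, 1, 'q')."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"not an OpenSSL version string: {text!r}")
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def classify(text):
    """Return 'affected', 'fixed' or 'unaffected' for one version string."""
    major, minor, patch, _ = parse_version(text)
    if major < 3:
        return "unaffected"          # 1.1.1 / 1.0.2: vulnerable code absent
    if (major, minor) != (3, 0):
        return "fixed"               # 3.1+ released after 3.0.7
    return "affected" if patch <= 6 else "fixed"


def interpreter_openssl():
    """The OpenSSL this interpreter links (ssl.OPENSSL_VERSION is a stdlib constant).
    Some builds link LibreSSL, whose string does not parse; report that as unknown."""
    try:
        return ssl.OPENSSL_VERSION, classify(ssl.OPENSSL_VERSION)
    except ValueError:
        return ssl.OPENSSL_VERSION, "unknown"


def system_openssl():
    """Ask the `openssl` CLI, if present; it may be a different build again."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.strip(), classify(out)


# Constructed inventory: (host, output of `openssl version` on that host).
INVENTORY = [
    ("web01", "OpenSSL 3.0.5 5 Jul 2022"),
    ("web02", "OpenSSL 3.0.7 1 Nov 2022"),
    ("db01", "OpenSSL 1.1.1q  5 Jul 2022"),
    ("legacy", "OpenSSL 1.0.2k-fips  26 Jan 2017"),
    ("ci-runner", "OpenSSL 3.0.10 1 Aug 2023"),
]


def hosts_to_update(inventory):
    """Hosts whose reported version falls in the 3.0.0-3.0.6 range."""
    return [host for host, line in inventory if classify(line) == "affected"]


if __name__ == "__main__":
    for host, line in INVENTORY:
        print(f"{host:10} {line:35} {classify(line)}")
    print("update:", hosts_to_update(INVENTORY))
    print("interpreter:", *interpreter_openssl())
    print("system cli :", system_openssl())
```

Note that a version string only tells you about one copy: statically linked applications, language runtimes and container base images each carry their own OpenSSL, so the inventory has to be built per binary, not per host.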

Suspect in the historical Vastaamo data breach case detained in absentia

There was a significant development in the Vastaamo data breach case last Friday thanks to cooperation between authorities led by the National Bureau of Investigation (NBI): a Finnish man suspected of the serious data breach was detained in absentia, as his current whereabouts are unknown. The detained person is suspected of having perpetrated both the data breach itself and the subsequent blackmail, as reported on YLE's website. In addition, three former Vastaamo employees are suspected of a data protection offence for gross negligence in the processing of personal data. For more information, please see the YLE news article.

The data breach at the psychotherapy firm Vastaamo was a landmark personal data breach case both in Finland and internationally. The breach was followed by blackmail messages demanding a ransom first from Vastaamo and then from its patients, under the threat of their patient records being published on the internet. A large proportion of the data eventually ended up on the dark net for all to see. No blackmail attack of this kind had been recorded before, nor have comparable cases occurred in Finland or elsewhere since Vastaamo. What makes the case especially chilling is the nature of the stolen data: highly personal psychotherapy records were used to blackmail people who may already have been in a vulnerable position. The data obtained by the criminals also included the personal identity codes of Vastaamo's clients.

Immediately after the case was reported, Finnish authorities launched an extensive cooperation effort to support the victims and catch the perpetrators. Working together with various authorities and volunteer operators, we also started compiling instructions for the blackmail victims and published the tietovuotoapu.fi website for those in need of help less than a week after the breach was revealed. Effective cooperation, driven by people's strong desire to work for the common good, allowed us to provide help quickly to those who needed it. The tietovuotoapu.fi site is still operational and provides support to people affected by data breaches. Following the incident, several search engines offering access to the information stolen from Vastaamo have appeared on the internet, which the NCSC-FI has actively worked to shut down in cooperation with the parties hosting them.

Early this year, the NBI also noted that criminals have started to use the personal data of people affected by the Vastaamo data breach in fraudulent orders and other identity theft. For more information, please see this article by Helsingin Sanomat (in Finnish). We continue to urge everyone affected by the data breach to file a police report at the nearest police station or online. Reports and information about the Vastaamo case can also be submitted to the NCSC-FI.

We continue to monitor the case and provide support to those affected by the data breach itself and the subsequent blackmail. We have also compiled an article entitled ‘Questions and answers for victims of identity theft or data leaks’ on our website. Instructions for victims of data leaks are also available on the Suomi.fi service. The largely volunteer-operated Victim Support Finland also provides support to, and answers the questions of, all victims of crime.

What was learned about the incident?

The incident became a topic of widespread discussion across Finland and highlighted lessons that every organisation should learn: you have to know your own services and be able to monitor and evaluate them. If your own resources or expertise are insufficient, ask for help from a professional in the field. The cost of mapping your online services or testing the information security of your systems is small compared to the risk of a serious data breach. Kybermittari is also an excellent tool for quickly giving management an overview of an organisation's level of cyber security capability.

The incident has resulted in plenty of public discussion about the state of information security and data protection in Finland. Furthermore, in 2021, the Finnish Government issued a resolution on improving information security and data protection in the critical sectors of society. The NCSC-FI plays a key role in promoting the objectives of the resolution, such as more effective and organised cooperation.

The Vastaamo data breach is, without a doubt, one of the turning points of Finland’s cyber security history. It served as a stark reminder of the importance of cyber security in contemporary society and brought together various operators from the central government, the voluntary sector and the private sector in an unprecedented manner to help the victims of the crime.

Vulnerabilities

Two high severity vulnerabilities in OpenSSL version 3.0
CVE: CVE-2022-3602 and CVE-2022-3786
What: Two high severity vulnerabilities in OpenSSL version 3.0
Product: OpenSSL 3.0
Fix: Update OpenSSL versions 3.0.0–3.0.6 to version 3.0.7.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.