The National Cyber Security Centre Finland’s weekly review – 45/2022

Topics covered in this week’s review

• Operators critical to security of supply being targeted by cyber threats with increasing frequency
• Year-end sales starting – beware of fake webshops
• ‘Älyä ostoksiin’ campaign encouraging responsible choices
• Scammers developing their techniques
• Critical vulnerabilities in VMware Workspace ONE Assist software
• Critical vulnerability in Citrix Gateway and Citrix ADC products

Operators critical to security of supply being targeted by cyber threats with increasing frequency

In September, we published an Information Security Now! article entitled ‘Threat level in cyber environment has risen’ detailing the ongoing change in the cyber environment that started earlier this year. During the autumn, reports of denial-of-service attacks, phishing, data breaches and related ransomware have only continued to increase further. This trend has also been noted in other parts of the world.

During the autumn, the cyber threats faced by critical industries have also been highlighted with increasing frequency, especially in Europe and North America. Realised cyber threats do not always differentiate between targets, meaning that a cyber attack can affect individual citizens and multinational, multi-million-euro conglomerates critical to security of supply alike. What is decidedly different for the two aforementioned types of victims, however, is the impact of the realised threat. Cyber attacks can start in many different ways and often consist of multiple phases. According to the most recent Microsoft Digital Defence Report 2022, most ransomware attacks start with email-based phishing, which means that even in large organisations the first target is often an individual person.

Many cyber security publications have recently called attention to the industrial automation systems used in critical infrastructure and industrial production facilities (OT [Operational Technology]/ICS [Industrial Control System]). For example, cyber security firm Dragos highlighted OT/ICS systems in its most recent analysis of industrial ransomware attacks. In its analysis, Dragos assesses that in Q4 of this year, we will see industrial ransomware attacks targeting OT/ICS systems in particular. This assessment is also corroborated by Microsoft in their aforementioned Digital Defence Report 2022 (External link). As an example of factors that increase the risk of OT/ICS being targeted, Microsoft mentions protocols specific to automation systems, which are in many cases excluded from cyber security monitoring.

Of all the industrial ransomware infections detected around the world during the third quarter of the year, approximately 69% occurred in Europe and North America. Meanwhile Dragos’s statistics (External link) show that traditional industries and the energy industry together accounted for 80% of the ransomware cases that occurred during the third quarter of the year. Based on public sources, 2022 has seen energy sector operators fall victim to ransomware attacks in at least eight EU countries, for example. The countries in question are the Netherlands, Belgium, Spain, Italy, Greece, Luxembourg, Germany and Romania. The NCSC-FI has also received reports of ransomware attacks targeting industries critical to security of supply in Finland.

Ransomware can disrupt production in many different ways, either directly or indirectly:

• Ransomware can include protocols and commands specific to automation systems, which can be used to negatively affect production systems by shutting them down, for example.
• Inadequate network isolation and separation can provide a way for ransomware to spread to OT environments.
• OT environments may have to be shut down as a precaution to prevent ransomware from spreading to the most critical systems.

Another area that is often overlooked when it comes to cyber security is supply chains. In early November, Reuters reported on a cyber attack on Supeo (External link), a subcontractor of the Danish train operator DSB, which temporarily prevented DSB’s train drivers from operating trains, thus suspending rail transports across the country for several hours. Another famous example of a supply chain attack is the series of breaches carried out via SolarWinds’ management tool a few years back. These incidents highlight how important it is for operators to examine their critical supply chains and prepare for the disruption thereof.

Although we have focused on industrial OT/ICS systems and supply chain threats here, the fact is that the effects of the ongoing change of the cyber operating environment are not limited to the industrial sector, meaning that all sectors need to take steps to ensure their preparedness. This includes examining practices related to protection against cyber threats, the availability of backups, recovery from cyber incidents and crisis communications in the event of a realised threat. The party responsible for risk management and crisis communications is always the management of the organisation. It should also be noted that even if procedures are well-planned on paper, their successful execution in the event of a crisis also requires active practice; Gen. George S. Patton’s adage “You fight like you train” holds true for cyber security as well.

Year-end sales starting – beware of fake webshops

Retailers market a variety of different sales in November, such as Singles' Day, Black Friday, Black Week and Cyber Monday. The Christmas season is also just around the corner, and the end of the year is also the busiest season for sending and receiving parcels. Year-end sales typically attract large crowds of people, which is why they are also of interest to criminals.

Things that you should especially watch out for when shopping online include fake webshops and subscription traps. You should also keep in mind that criminals will often attempt to create a feeling of urgency or promote offers that seem unbelievably good. Before making a purchase, stop for a moment and consider whether everything is truly what it seems. Below are our five tips for a safer online shopping experience.

1. Make sure that you are on the correct website

Even if a website looks genuine, it does not guarantee that the content of the website is genuine. In fact, it is quite easy for criminals to copy the content and appearance of genuine websites to make fake versions for use in scams. What criminals typically seek to accomplish with these types of fake sites is to try to get the user to enter their username and password (such as bank credentials) in order to hijack the user’s account.

If you access a website via a link that you received via email or text message, it is important to always verify exactly what website you have ended up on. The most important thing to do is to check the domain of the website, which you can see on your browser’s address bar. The address displayed on the address bar can look like this, for example: https://www.traficom.fi/fi/viestinta/fi-verkkotunnukset/fi-verkkotunnushaku. There are some specific tricks to identifying the domain of a website, but luckily there is a logic to these tricks that everyone can learn.

Read more: Identify a safe website by its address!

2. Think twice before entering your information

Criminals are constantly carrying out phishing attacks under the guise of nearly all online services, and anyone can become a victim. As such, you should always think twice before entering your information (such as your password or phone number) on any online service. You should be especially careful about entering your bank credentials on a website.

When it comes to assessing the reliability of a website, there are a number of small factors to consider, both individually and together:

• typos
• suspicious content or probing questions
• the way you accessed the website (email link, redirected from another site, etc.)
• the graphical style of logos and the appearance of the website
• exceptionally low prices in webshops
• identification of contact information and background operators.

Recognising a well-made phishing website is difficult, but these tips should get you started. It is also good to keep in mind that many websites are genuine and have no malicious intents behind them.

Tips for identifying suspicious websites

3. Beware of subscription traps, which are often disguised as amazing offers

Scammers will often attempt to get consumers to pay small fees with misleading advertisements. These advertisements can promise anything from amazing prizes, great offers, gift cards or affordable subscriptions to otherwise expensive services.

Clicking on such an advertisement will take you to a subscription page or form asking for your personal data. The scammers’ aim in asking for your personal data is to get you to commit to a service or product subscription subject to a monthly fee. By providing your personal data, the subscription trap is activated and you will start to receive monthly packages or be charged a regular service or membership fee. In other words, what you were led to believe was a one-off purchase turns out to be a long-term subscription.

The Finnish Competition and Consumer Authority has compiled a comprehensive set of instructions on how to report different types of scams.

KKV: Report a scam (External link)

4. If you receive a notification of an arrived package, make sure that it is actually from the claimed sender

In recent years, there have been a number of package delivery scams going around in Finland, meaning messages sent by scammers impersonating the Finnish postal service Posti and other delivery services. When sent as text messages, these scam messages will often appear in the same thread as genuine messages sent by the delivery service being impersonated because the scammers will use the same name as the actual delivery service, relying on the fact that phone applications cannot tell the difference. The text message will claim that there is a package or other delivery addressed to you awaiting delivery or pick-up. Clicking the link included in the message will take you to a scam website that will look nearly identical to the actual website of the delivery service being impersonated, where you will be asked to enter your bank credentials, for example.

5. Do not trust email sender information blindly

The sender’s email address may have been spoofed, their computer may have been breached or their email password may have been guessed. Never click on any links included in messages that appear in any way suspicious. If a link is directing you to a specific service, you can access it directly via your browser instead.

How to protect yourself against online scams

If you realise that you have been scammed, file a police report. If you have given out your bank credentials or lost money, contact your bank as well. The banks and companies that scammers impersonate are happy to receive notice of scams so that they can warn other customers. You can also submit a report to the NCSC-FI.

‘Älyä ostoksiin’ campaign encouraging responsible choices

Traficom’s #älyäostoksiin (‘Smart purchases’) campaign is running once again. The aim of the campaign is to encourage smart and responsible consumption in the purchase of household smart devices, drones and various wireless devices.

The Älyä ostoksiin website provides important information about the information security of household smart devices, the recycling of used electronics and the safe flying of drones as well as instructions for the purchasing and use of wireless devices. The smart consumer’s checklist on the website provides good tips for the purchasing, use and recycling of devices. (Website available in Finnish and Swedish.)

You can also spot the campaign on social media and TV.

Scammers developing their techniques

This week, we have once again received reports of various types of scams. Bank impersonation scams and police-themed extortion scams remain common. There have also been some CEO fraud attempts going around.

The majority of online scams are opportunistic shots in the dark: criminals will send out massive numbers of poorly-prepared scam messages, trusting that at least a small fraction of recipients will fall for them. These types of scams include different types of extortion messages, such as so-called sextortion scams and police-themed extortion scams. These messages are often accusatory and emphasise the urgency of the matter in an attempt to make the victim panic and thus become more susceptible to the scam.

We have also been receiving reports of more targeted scams, such as invoice fraud, which involves criminals attempting to convince an organisation to change their invoice payment information and pay large sums into accounts controlled by the criminals. Criminals will often utilise publicly available information to make their scams appear more believable. For example, information on the personnel of organisations is often available from public sources. By using the name of an actual CEO, for example, scammers can make their messages more credible.

Criminals typically seek to exploit people’s haste and carelessness. One of the ways in which the employees of an organisation can be misled is through use of email addresses that resemble the organisation’s official addresses. For example, if an organisation’s official email addresses followed the format name@firm.fi, criminals might try using addresses like name@flrm.fi (replacing the letter i with the letter l) or name@fimr.fi (misspelling firm). These kinds of subtle changes in email addresses can easily end up being overlooked in the middle of a busy workday.

Scammers can also use misleading email addresses to increase the credibility of their messages. For example, adding an address that resembles the address of the organisation’s CEO in the CC field can make a scam message appear more important and urgent.

The majority of scam emails and outright spam never reach their intended recipients thanks to technical safeguards, such as email filtering. However, these safeguards are not perfect, which means that some scam messages will inevitably reach users’ inboxes. As such, we urge everyone to be vigilant when using email and other communications channels, especially when there are monetary transactions involved. For more detailed instructions on how to protect yourself against scams, please see our article ‘How to protect yourself against online scams.’

Vulnerabilities

Critical vulnerabilities in VMware Workspace ONE Assist software

CVE: CVE-2022-31685, CVE-2022-31686, CVE-2022-31687
CVSS: 9.8
What: VMware Workspace ONE Assist
Product: VMware Workspace ONE Assist 21.x, 22.x
Fix: Update the product to version 22.10 or newer

Critical vulnerability in Citrix Gateway and Citrix ADC products

CVE: CVE-2022-27510, CVE-2022-27513, CVE-2022-27516
CVSS: 9.8
What: Citrix Gateway and Citrix ADC

Product:

• Citrix ADC and Citrix Gateway 13.1 before 13.1-33.47
• Citrix ADC and Citrix Gateway 13.0 before 13.0-88.12
• Citrix ADC and Citrix Gateway 12.1 before 12.1.65.21
• Citrix ADC 12.1-FIPS before 12.1-55.289
• Citrix ADC 12.1-NDcPP before 12.1-55.289

Fix: Update the product to the following versions

• Citrix ADC and Citrix Gateway 13.1-33.47 and later releases
• Citrix ADC and Citrix Gateway 13.0-88.12 and later releases of 13.0
• Citrix ADC and Citrix Gateway 12.1-65.21 and later releases of 12.1
• Citrix ADC 12.1-FIPS 12.1-55.289 and later releases of 12.1-FIPS
• Citrix ADC 12.1-NDcPP 12.1-55.289 and later releases of 12.1-NDcPP

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.