Front Page: NCSC-FI

The National Cyber Security Centre Finland’s weekly review – 46/2023

Information security now!

This week, we provide information on the latest ransomware trends and the ransomware situation in Finland. We also remind our readers about the misconfiguration issue in the popular ServiceNow platform.

TLP:CLEAR

Topics covered in this week’s review

  • Presence of various ransomware operators felt in Finland as well
  • ServiceNow misconfiguration has resulted in data leaks
  • Wave of email account breaches sparks dozens of reports
  • Support for the development of information security granted to 24 companies – support of up to EUR 15,000 still available

Presence of various ransomware operators felt in Finland as well

Over the past year, we have seen various ransomware attacks spread faster and faster around the world. The number of ransomware variants and the number of ransomware operators have also increased.

In 2020–2022 in Finland, the NCSC-FI received an average of 40 reports of ransomware attacks a year. Early 2023 followed a similar trend, but during November there has been a moderate increase in the number of reports. When looking at the number of reports, it should be noted that they include ransomware attacks affecting the network drives of individual citizens as well as attacks on large multinational organisations and everything in between. The majority of the ransomware attacks reported to the NCSC-FI concern ransomware variants that have been detected elsewhere in the world as well.

Read more: Kiristyshaittaohjelmissa uusia toimijoita ja toimintatapoja (‘New ransomware operators and operating methods,’ article in Finnish) (External link)

ServiceNow misconfiguration has resulted in data leaks

We covered the misconfiguration in the ServiceNow platform in our weekly review 44/2023 (External link).

The NCSC-FI is aware of several cases in which the security flaw exposed by this misconfiguration has been exploited. It is very important to detect the problem and mitigate it. Some affected organisations have gotten off lightly, but others have also detected data leaks, including personal data leaks. The NCSC-FI recommends that all organisations using ServiceNow check the configuration of their services if they have not already done so.

Read more: Incorrect default configuration on the ServiceNow platform allows data leakage (External link)

Wave of email account breaches sparks dozens of reports

The recent secure email phishing campaign targeting the email accounts of Finnish organisations has subsided, as a result of which on 8 November 2023 we rescinded the alert issued over it. The campaign saw criminals phish for the usernames and passwords of organisations’ employees via email and phishing websites. The messages were spoofed to resemble commonly used secure email solutions. However, the links to the secure email services had been changed to direct victims to websites controlled by the criminals.

The criminals used the account information that they obtained to attempt to sign in to Microsoft 365 email systems. When these attempts were successful, the criminals used the hijacked accounts to send out phishing messages internally within the affected organisations and to other organisations based on the contacts of the hijacked email account.

The number of reports submitted about the campaign was highest after mid-October, in response to which we issued an alert (External link) to improve organisations’ awareness of the spreading campaign.

The phishing campaign utilised dozens of different secure email message templates. Many of the phishing messages included the logos and names of targeted organisations to increase their credibility.

It seems that the subjects of the secure email phishing messages were also adapted to different sectors. For example, in the education sector, some of the phishing messages used the subject line ‘Opintojen eteneminen’ (‘Study progress’), whereas in the municipal sector, some used the subject line ‘Läsnäolotulkkaus’ (‘On-site interpreting’). The campaign was also found to make use of real secure email messages for phishing. In these cases, the phishing link was part of the content of the secure email message.

Support for the development of information security granted to 24 companies – support of up to EUR 15,000 still available

The EUR 2 million appropriation for distribution as information security development support of up to EUR 100,000 has now been used up. Support was ultimately granted to 24 companies out of a total of 150 that applied for support of up to EUR 100,000. In other words, a large proportion of applicants did not receive support. The Finnish Transport and Communications Agency Traficom will be issuing separate decisions to the companies in question.

There is still approximately EUR one million left of the EUR 6 million appropriation reserved for support for the development of information security, which will be distributed as support of up to EUR 15,000. This remaining appropriation is estimated to be enough for approximately 60–70 applicants, with the applications of a total of 232 companies still awaiting processing. As such, it is likely that a large proportion of the companies that applied for support of up to EUR 15,000 will also be left without support. The support will be granted based on the order in which applications were submitted, with applications submitted on 21 December 2022 currently being processed.

Read more: Tietoturvan kehittämisen tukea 24 yritykselle - enintään 100 000 euron tuet jaettiin loppuun (‘Support for the development of information security granted to 24 companies – support of up to EUR 100,000 no longer available,’ article in Finnish) (External link)

Vulnerabilities

CVE: CVE-2023-5869
CVSS: 8.8
What: Critical vulnerability in PostgreSQL database management software
Product: PostgreSQL
Fix: Update

CVE: CVE-2023-36052
CVSS: 8.6
What: Azure CLI REST command information disclosure vulnerability
Product: Azure CLI REST
Fix: Update

CVE: CVE-2023-34060
CVSS: 9.8
What: VMware Cloud Director authentication bypass vulnerability
Product: VMware Cloud Director
Fix: Check VMware’s security advisory (External link) based on your version number to determine whether you are affected and how you should respond. 

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 10–16 November 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.