
The National Cyber Security Centre Finland’s weekly review – 48/2022

Information security now!

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 25 November–1 December 2022). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.

TLP:CLEAR

Topics covered in this week’s review

  • Social media data leaks making headlines
  • Cyber attack on vocational education and training provider Keuda
  • Denial-of-service attacks continue to be reported in large numbers
  • Beware of phishing messages and email account compromise
  • Applications for the information security voucher now being accepted
  • Vulnerabilities

Social media data leaks making headlines

During the week, there were reports of a possible WhatsApp data leak, as a result of which the phone numbers of over a million Finnish people had allegedly been put on sale online. According to a report by Cybernews, the phone numbers of approximately 500 million WhatsApp users have been leaked and are now on sale online. It remains unclear how up to date the data is, however. WhatsApp’s parent company, Meta, has provided no comment on the incident. This is hardly the first time that data from social media giants has been leaked and subsequently spread online. Just last year, we reported on the Facebook data of approximately 1.2 million Finns having been leaked. If you suspect that your data might have been leaked, you can check whether this is the case by entering your phone number on the Have I Been Pwned service. The website also offers a notification service through which you can get notified if your data is found in a new data leak. Last year, NCSC-FI Senior Specialist Juha Tretjakov commented on a similar data leak in the Finnish newspaper Iltasanomat.

Earlier this year, there were also reports of the data of approximately 54 million Twitter users having been scraped via the Twitter API and subsequently put on sale and even published online. While most of the data were already public, they also included phone numbers and email addresses.

Be sure to check our guide for the best tips for managing your user accounts.

Cyber attack on vocational education and training provider Keuda

On Monday 28 November, Keuda announced on their website that they had suffered a cyber attack. To limit the impacts of the attack, Keuda announced that they had shut down network and server connections. On Monday, Keuda also announced that they would be re-organising their computer and network dependent teaching. The incident is being investigated with the help of an information security firm, and reports to the police, the Data Protection Ombudsman and the NCSC-FI have been submitted. Reports submitted to the NCSC-FI are confidential, and in these types of incidents, we provide free-of-charge assistance to organisations as needed.

Keuda reports that the situation will continue for an indefinite period and that recovery measures have been initiated. Despite the attack on Keuda, the current cyber security situation in the education sector remains normal.

Organisations today have to deal with numerous kinds of cyber attacks, no matter which sector they operate in. While these attacks can sometimes be targeted, this is not often the case. In fact, there are numerous actors who indiscriminately map services accessible via the internet, send out malicious attachments, engage in email phishing and carry out denial-of-service attacks on organisations. The aim of these attackers is to discover weaknesses among organisations that they could exploit to further their goals.

The cyber incidents highlighted by the media also hold lessons for other organisations. Keuda decided to publish a bulletin on their website in which they report on the day-to-day development of the situation. This kind of communication is vital in the event of a cyber incident, benefiting staff, customers and external parties alike. Having the victim of the attack report on the facts directly eliminates the need to speculate or wonder why services are not functioning.

This kind of open communication approach was also adopted by the Finnish News Agency STT when it suffered a cyber attack, which is why the agency was awarded NCSC-FI’s Information Security Trailblazer award at the Tietoturva 2022 information security seminar.

NCSC-FI recommends that organisations constantly develop their information security and also take communications into account while doing so. Cyber incidents that organisations should communicate about include:

  • Cyber attacks that temporarily paralyse the organisation’s operations.
  • Denial-of-service attacks on websites that affect the availability of services.
  • Phishing messages sent out from breached email accounts, which all recipients of the messages should be warned about.
  • Data leaks that contain data on customers, for example.

Practising cyber security response procedures can help organisations to more effectively manage actual incidents and identify areas in need of further development. While cyber security is often viewed as a technical matter, the Keuda and STT incidents highlight the importance of communications as well.

Organisations can also utilise exercise scenarios developed by the NCSC-FI to practise their response in different situations.

Denial-of-service attacks continue to be reported in large numbers

The NCSC-FI has been receiving increasing numbers of reports of denial-of-service attacks during the autumn. We reported on the phenomenon in greater detail in our weekly review 44/2022.

Compared to October, the situation has calmed down in November, but in terms of the number of denial-of-service attacks reported, November was still the third-busiest month of 2022, accounting for approximately 14% of this year’s reports. Denial-of-service attacks were reported from numerous sectors during November, with some attacks also affecting the availability of services.

The reported attacks have consisted primarily of application-level attacks, in which the attacker’s aim is to flood the services of the targeted website with various requests. Usually this means millions of requests over the course of only a few minutes. In October, these types of attacks had momentary effects on the availability of some websites. Organisations can prepare for these types of attacks not only by implementing technical measures, but also by preparing a plan for filtering data traffic in the event of an incident. Such a plan can include, for example, blocking traffic from other countries until the situation eases up.
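As an added example (not NCSC-FI's own code), the Python below shows one way to test a country-based filtering plan before it is needed: it finds flood minutes in request records and measures how much of the flood and of normal traffic a country allow-list would block. The records are constructed, XA and XB are placeholder country codes, and the country of each request is assumed to have been resolved upstream.

```python
from collections import Counter
from statistics import median

def build_sample():
    """Constructed records: (timestamp, country code, request path)."""
    rows = []
    for minute in range(5):
        # Ordinary visitors: 20 requests per minute, 17 from FI and 3 from SE.
        for i in range(20):
            rows.append((f"2022-11-25T10:0{minute}:{i:02d}", "FI" if i < 17 else "SE", "/"))
        if minute >= 3:
            # Flood: 400 extra requests per minute, one in ten from inside FI.
            for i in range(400):
                country = "FI" if i % 10 == 0 else ("XA", "XB")[i % 2]
                rows.append((f"2022-11-25T10:0{minute}:{i % 60:02d}", country, "/search"))
    return rows

def per_minute(rows):
    """Request count per minute (timestamp truncated to YYYY-MM-DDTHH:MM)."""
    return Counter(ts[:16] for ts, _, _ in rows)

def flood_minutes(rows, factor=5):
    """Minutes whose request count exceeds factor x the median minute.
    The median is only a sound baseline while flood minutes are a minority."""
    counts = per_minute(rows)
    baseline = median(counts.values())
    return sorted(m for m, n in counts.items() if n > factor * baseline)

def geo_filter_impact(rows, allowed=frozenset({"FI"}), factor=5):
    """Share of requests an allow-list would block, in flood and normal minutes."""
    flood = set(flood_minutes(rows, factor))
    stats = {"flood": [0, 0], "normal": [0, 0]}  # [blocked, total]
    for ts, country, _ in rows:
        bucket = stats["flood" if ts[:16] in flood else "normal"]
        bucket[1] += 1
        bucket[0] += int(country not in allowed)
    return {k: blocked / total if total else 0.0 for k, (blocked, total) in stats.items()}

if __name__ == "__main__":
    print(flood_minutes(build_sample()), geo_filter_impact(build_sample()))
```

On the constructed data, an FI-only filter blocks about 86% of flood-minute requests and 15% of normal requests, and the flood requests that originate inside the allowed country still pass.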

OP Financial Group announced on Twitter on Friday 25 November that they had been targeted by a denial-of-service attack. Although the impact of the attack on users was either brief or non-existent, it was widely reported on by the media due to OP’s active communication. This highlights how important it is for organisations to consider, preferably in advance, how to communicate about attacks. If the affected services have a large number of users and the effects are quickly noticed by users, information on the attack should be provided as soon as possible. If it is clear that you are dealing with a denial-of-service attack, this can be publicly announced as well. Doing so will help customers understand why services are unavailable and calm them down as they wait for the organisation to address the issue. Denial-of-service attacks are everyday occurrences and can affect any organisation or sector.

Beware of phishing messages and email account compromise

During the past week, the NCSC-FI has received reports of phishing messages sent out from compromised email accounts. The subjects of the emails have referred to payment reminders, for example, while the messages themselves have contained links to SharePoint and included the signature of the compromised email account’s user. If the recipient clicks the link and enters their login details, the phishing attempt has succeeded and the criminals now have the victim’s user name and password.

The NCSC-FI contacts affected organisations based on received reports and helps them assess the situation. The most important things to do are to immediately change the password of the compromised email account and notify the recipients of the phishing messages, both internal and external, so that the phishing campaign can be stopped. After these first steps, the organisation can examine their logs for more information on the attacker’s actions, including whether the attacker did anything else besides send out phishing messages.
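As an added example (not NCSC-FI's own code), the Python below shows one way to carry out the log review described above: for activity from addresses the account owner does not normally use, it collects the internal and external recipients to notify and lists every action other than sending. The audit events, their field and operation names, the addresses and the idea of a fixed list of known IPs are all constructed assumptions.

```python
from datetime import datetime

# Constructed audit events for one mailbox. Field and operation names are
# hypothetical and must be mapped to what the mail platform actually logs.
EVENTS = [
    {"time": "2022-11-28T08:02:11", "ip": "192.0.2.10", "op": "Login"},
    {"time": "2022-11-28T08:05:40", "ip": "192.0.2.10", "op": "Send",
     "to": ["colleague@example.org"]},
    {"time": "2022-11-29T13:41:03", "ip": "203.0.113.77", "op": "Login"},
    {"time": "2022-11-29T13:43:20", "ip": "203.0.113.77", "op": "InboxRuleCreated"},
    {"time": "2022-11-29T13:50:00", "ip": "203.0.113.77", "op": "Send",
     "to": ["Colleague@example.org", "billing@customer.example"]},
    {"time": "2022-11-29T13:50:05", "ip": "203.0.113.77", "op": "Send",
     "to": ["accounts@partner.example"]},
    {"time": "2022-11-29T14:10:00", "ip": "192.0.2.10", "op": "Send",
     "to": ["it@example.org"]},
]

def triage(events, known_ips, own_domain):
    """Split activity from unfamiliar IPs into recipients to notify and
    actions other than sending that need a closer look."""
    report = {"suspect_ips": set(), "internal": set(),
              "external": set(), "other_actions": []}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if ev["ip"] in known_ips:
            continue  # the owner's usual address (assumed trustworthy here)
        report["suspect_ips"].add(ev["ip"])
        if ev["op"] == "Send":
            for rcpt in ev["to"]:
                rcpt = rcpt.lower()
                side = "internal" if rcpt.endswith("@" + own_domain) else "external"
                report[side].add(rcpt)
        elif ev["op"] != "Login":
            report["other_actions"].append((ev["time"], ev["op"]))
    return report

if __name__ == "__main__":
    print(triage(EVENTS, known_ips={"192.0.2.10"}, own_domain="example.org"))
```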

The NCSC-FI recommends that all organisations should implement multi-factor authentication for email and other services. The fact is that this simple tool would have helped avoid the majority of reported email account compromise incidents. If multi-factor authentication is not enabled, the email account can be expected to be breached on the same day that the successful phishing attempt occurred.

Applications for the information security voucher now being accepted

Support for the development of information security, i.e. the information security voucher, can only be granted to businesses in sectors critical to the functioning of society registered in Finland for measures to improve information security in Finland. You can apply for the support as of 1 December 2022. The support may only be granted for costs that have been generated after the application was submitted and by 31 December 2024 at the latest.

The support will be granted for as long as budgeted funding is available. By 1 December at 16:15, 60% of the funding to be granted had already been reserved. However, there is still plenty of funding available for support of up to EUR 15,000. Of the funding reserved for support of up to EUR 100,000, 128% has already been reserved, meaning that in practice the amount of funding applied for has already exceeded the amount of funding available. Applications for the support are still being accepted, but there may not be enough funding to grant it.

Vulnerabilities

CVE: CVE-2022-4135
CVSS: 9.6
What: Chrome browser vulnerability
Product: Google Chrome browser
Fix: Update Chrome as soon as possible; instances of the vulnerability being exploited have already been reported around the world.

CVE: CVE-2021-35587
CVSS: 9.8
What: Exploitation of an old Oracle vulnerability
Product: Oracle Fusion Middleware
Fix: Update the product; CISA warns of active exploitation of this one-year-old vulnerability.

Subscribe to the NCSC-FI’s newsletters or RSS feeds to be notified as soon as new information is published.