Front Page: NCSC-FI
Front Page: NCSC-FI

Information security now!

This week, we take a look at scam messages that attempt to scare recipients with the cancellation of their tax returns. Our other topics include the Akira ransomware in Finland and the importance of substitute arrangements during the Christmas holiday period.


Topics covered in this week’s review

  • Criminals trying to scare people with the cancellation of tax returns
  • Akira ransomware plaguing Finnish organisations as well
  • Take care of substitute arrangements during the Christmas holiday period as well
  • Vulnerabilities

Criminals trying to scare people with the cancellation of tax returns

In early December, tax returns are once again on many Finns’ minds. However, online criminals are also familiar with the Finnish Tax Administration’s calendar.

During the past week, the NCSC-FI has received numerous reports of scam text messages claiming that the recipient’s tax returns, which were scheduled to be paid on 4 December, have been cancelled. The messages urge the recipient to learn more by clicking on an included link. The link leads to a page asking the user to identify themself using their bank credentials. In reality, any bank credentials entered on the page end up in the hands of criminals.

The Finnish Tax Administration will never send messages that include a link. All of the Finnish Tax Administration’s online services are accessed via the MyTax service, which you should only sign in to via the Finnish Tax Administration’s own website.

You should always access the MyTax service and other online services directly via the service providers’ websites instead of searching for them using search engines. This is because criminals can use search engine optimisation and paid advertisements to raise spoofed websites above official websites in search results.

Akira ransomware plaguing Finnish organisations as well

The NCSC-FI is aware of seven victims hit by the Akira ransomware in Finland in 2023. According to an article by BleepingComputer (External link), in the most recent cases, Akira has been found to be exploiting Cisco network device vulnerability CVE-2023-20269, which was publicly disclosed this autumn. In our weekly review 24/2023 , we reported that Akira has been found to encrypt various file types used by virtual machines, which can serve as backups.

In many cases, the root cause of a malware attack turns out to be devices or services visible to the internet that have not been kept updated. As such, fixing vulnerabilities and installing updates promptly is essential for preventing malware attacks. The NCSC-FI analyses vulnerable online services and contacts their owners, but the responsibility for such services ultimately lies with organisations or service providers.
The exploitation of vulnerabilities becomes faster every year, which means that organisations must also be swift when it comes to reviewing their processes and taking necessary action.

The NCSC-FI is aware of over 30 ransomware attacks on Finnish organisations in 2023. Based on received reports, the most popular targets this year have been the manufacturing sector and ICT service providers. For more information, please see our article published in November. 

Take care of substitute arrangements during the Christmas holiday period as well

With the Christmas holiday season fast approaching, the NCSC-FI would like to remind companies and organisations to take care of necessary substitute arrangements. Holiday periods are prime time for criminals, as companies often operate with reduced resources and may utilise substitutes in various functions during them.

For example, scams targeting the monetary transactions of companies have been found to increase during holiday periods. Criminals may impersonate the CEO or business partner of a company and approach a holiday substitute via email, asking them to pay invoices or transfer funds. After the email, the scammer may also call the recipient to make the scam more believable. Another typical element of these types of invoice fraud attempts is a sense of urgency: the scammer will claim that the payment must be made quickly or that the recipient is the only person who can handle it.

Any organisation can become the target of a scam attempt. Because of this, any payment requests arriving vie email should be viewed with scepticism and any irregularities should be checked without hesitation using the invoicer’s original contact information.

It is important for companies’ and organisations’ regular payment and information security processes to run normally during holiday periods as well. Because of this, it is important to provide holiday substitutes with sufficient training for their substitute tasks and to keep related instructions and documentation updated and available. When planning holiday periods, organisations should also take into account their decision-making process and ensure that any substitutes are aware of it. Mistakes can always happen, so all employees should also be aware of the organisation’s incident management process. Everyone should also be aware of who they can turn to in the event of a security incident. Reacting quickly can help stop an incorrect payment.

Organisations should also keep in mind that critical information security updates are released even during holiday periods. It is important to patch critical vulnerabilities as quickly as possible, as criminals will attempt to actively exploit vulnerabilities immediately after they are publicly disclosed. At worst, delaying updates can result in criminals attacking your company’s information systems by exploiting the vulnerabilities that the delayed updates would have fixed. Already updated systems should also be checked to verify whether patched vulnerabilities were exploited before the update.

The NCSC-FI publishes a daily vulnerability digest in which we list the latest publicly disclosed vulnerabilities. For the most notable vulnerabilities, we also publish separate vulnerability bulletins. That being said, for the most up-to-date information on updates and patches for the software and devices that you use, you should always turn to the manufacturer of said software or device.


CVE: 9.8

CVSS: CVE‑2022‑1471, CVE‑2023‑22522, CVE‑2023‑22523, CVE‑2023‑22524

What: Severe arbitrary code execution vulnerabilities in Atlassian products

Product: Atlassian Bitbucket, Confluence and Jira products

Fix: Software update

Vulnerability bulletin (in Finnish):

About the weekly review

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 1–7 December 2023). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.