Front Page: NCSC-FI

Information security now!

This week we share advice for victims of scams and remind administrators to look after DNS. Other topics include the Finnish Safety Investigation Authority’s report on the Helsinki data breach, an updated guideline on the operation of information security inspection bodies, and perspectives from last week’s event on cloud service criteria and evaluation.

TLP:CLEAR

Where to get help if you fall victim to an online scam

Falling victim to an online scam is no trivial matter. A person may lose money or have their personal and sensitive information compromised. The impact of such crimes can also extend to emotional distress and a loss of sense of security. To minimise harm, it is important to act quickly. Our new article outlines the first steps you should take if you realise — or even suspect — that you have been scammed. It also provides guidance on where victims can find help with technical issues, financial matters, and emotional wellbeing. A broad group of organisations contributed to the article as part of a collaborative effort to raise awareness about online scams. 

Where to get help if you fall victim to an online scam (External link) (in Finnish)

DNS administrators: Clean up your DNS to prevent subdomain takeovers

A DNS record (Domain Name System record) defines where traffic for a domain name is directed. An A or AAAA record holds an IP address. A CNAME record holds no address at all: it makes one name an alias for another name, typically the hostname of a server or cloud service from which the content is actually delivered (for example, a subdomain pointing at a hosting provider's hostname). The MX record, another DNS record type, specifies the mail server responsible for receiving email on behalf of the domain.

Poorly maintained or outdated DNS records can leave an organisation with dangling DNS records. These may be exploited to cause harm to the organisation, its customers, or its stakeholders. It is essential to manage the lifecycle of domain names carefully and to remove any unnecessary or unused DNS records.

A dangling DNS record is a record that points to an external resource that no longer exists, while the record itself has not been removed. This often involves a service previously hosted through a cloud provider that has since been decommissioned. If the CNAME record is left in place, the subdomain remains "dangling" on the internet, and anyone who can register the same resource name at the provider gains control of it. If a dangling MX record is hijacked, an attacker can receive email addressed to the organisation's domain, including password-reset and other account messages, and, depending on the domain's SPF configuration, send mail that appears to come from it.

Subdomain takeover occurs when an attacker identifies a dangling subdomain belonging to an organisation and registers the resource (cloud application name, storage bucket, hosted page) that the DNS record still points to. This does not require any access to the organisation's DNS management system; the organisation's own record does the work for the attacker. Once hijacked, the subdomain can be used for various malicious purposes, and because it sits under the organisation's real domain it inherits the trust of that domain in browsers, email filters and users' eyes. Subdomain takeovers can be prevented by keeping DNS records up to date.

Potential risks of subdomain takeovers include:

  • Hijacking of web services (subdomain takeover)
  • Malicious websites appearing under the organisation’s name
  • Phishing for customer data

What you can do:

  • Remove unnecessary DNS records.
  • Monitor the status of subdomains regularly.
  • Ensure DNS management is centralised and has clear responsibilities assigned.
  • Check DNS records for decommissioned services (e.g. AWS, GitHub).
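The check in the last bullet can be scripted against a zone export. The following is an added example for this review, not an NCSC-FI tool: it parses a BIND-style zone fragment (the sample zone and all hostnames in it are constructed for the example), extracts every CNAME and MX target, and classifies a target as "dangling" when it no longer resolves to any address. The resolver is injectable so the script can be run offline or against a different lookup method.

```python
"""Flag DNS CNAME and MX records whose targets no longer resolve.

Added example; not an NCSC-FI tool. Assumptions: the zone is available as a
BIND-style text export, and a target with no address record (NXDOMAIN or
similar) is the working definition of "dangling".
"""
import re
import socket
from dataclasses import dataclass

# Constructed sample zone export (hypothetical names, not real services).
SAMPLE_ZONE = """\
; zone file fragment for example.com (constructed sample)
www      IN CNAME  prod-site.example-cloud.net.
old-app  IN CNAME  retired-app-1234.example-paas.net.
docs     IN CNAME  example-org.example-pages.net.
@        IN MX 10  mail.example.com.
@        IN MX 20  old-mx.example-legacy.net.
api      IN A      203.0.113.10
"""

# name [ttl] IN CNAME target   |   name [ttl] IN MX priority target
RECORD_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+(CNAME|MX)\s+(?:(\d+)\s+)?(\S+)$"
)


@dataclass
class Finding:
    name: str
    rtype: str
    target: str
    status: str  # "ok" or "dangling"


def parse_zone(text):
    """Return (name, rtype, target) for every CNAME and MX line; other types are ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if m:
            name, rtype, _priority, target = m.groups()
            records.append((name, rtype, target.rstrip(".")))
    return records


def resolves(hostname):
    """Live check: does the target name still have any address record?"""
    try:
        socket.getaddrinfo(hostname, None)
        return True
    except socket.gaierror:
        return False


def find_dangling(zone_text, resolver=resolves):
    """Classify every CNAME/MX target. `resolver` is injectable for offline runs."""
    findings = []
    for name, rtype, target in parse_zone(zone_text):
        status = "ok" if resolver(target) else "dangling"
        findings.append(Finding(name, rtype, target, status))
    return findings


if __name__ == "__main__":
    # Live run against the sample zone; the constructed names will not resolve.
    for f in find_dangling(SAMPLE_ZONE):
        print(f"{f.status:9} {f.rtype:5} {f.name:8} -> {f.target}")
```

Two caveats when using this in practice. First, a target that still resolves can still be claimable: many providers answer for a shared endpoint even after the customer-side resource (bucket, app, hosted page) has been deleted, so for any CNAME pointing at a cloud provider also request the host over HTTP and look for the provider's own "not found" response rather than your content. Second, a lookup failure can be transient, so confirm a "dangling" result with a second resolver before deleting or escalating. Run the script from an authoritative zone export or the DNS provider's API, not from a guessed list of subdomains, and extend the record types it parses to NS delegations and SPF "include:" targets, which dangle in the same way.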

Finnish Safety Investigation Authority publishes report on the Helsinki data breach

On 17 June 2025, the Safety Investigation Authority of Finland (OTKES) held a press conference regarding the Helsinki data breach and published its investigation report on the incident. The report provides a detailed account of the events that occurred in spring 2024 within the City of Helsinki’s Education Division. The Office of the Data Protection Ombudsman also released a related statement.

A serious incident in one organisation offers valuable lessons for others — lessons that should be taken seriously and reviewed within your own organisation. Key takeaways from the NCSC-FI perspective include:

  • Know what devices and products are in use in your organisation, especially at the network edge
  • Update devices regularly and replace outdated equipment in time
  • Ensure that edge devices use multi-factor authentication or another secure method of access control
  • Monitor the environment, at least for critical devices
  • Practise regularly so that critical events are detected early and handled appropriately

Many serious data breaches in recent years have been caused by outdated or unpatched devices.

Devices at the network edge should be replaced when they reach their technical end of life, because no patches will be issued for vulnerabilities found after that date. Likewise, the latest updates should be installed promptly, and critical security patches immediately: attackers exploit vulnerabilities faster than ever, often within days of a patch being published. In Finland, unprotected edge devices continue to cause numerous serious breaches each year.

Updated guideline on the operation of information security inspection bodies

The Finnish Transport and Communications Agency Traficom has published an updated guideline on the operation of information security inspection bodies. The revised guideline includes, among other things, updates related to the NIS 2 Directive as well as instructions on how to apply for cryptographic product evaluation accreditation.

Information security inspection bodies are companies approved by Traficom that are authorised to assess the compliance of information systems and telecommunications arrangements used by central government authorities with national information security requirements.

The updated guideline was published on 13 June 2025 and is effective from the date of publication. It is available on the website of the NCSC-FI.

The guideline can be used by both the inspection bodies themselves and by clients who use or plan to use their evaluation services. It is also freely available to anyone interested in the topic or in the operation of information security inspection bodies more broadly.

Guideline for information security inspection bodies, 13 June 2025 (External link) (in Finnish)

Updated guideline on the operation of information security inspection bodies (External link) (in Finnish)

Cloud service criteria and evaluation event brought together providers and authorities

The NCSC-FI organised an event aimed at cloud service providers, presenting the criteria and processes involved in the evaluation and approval of information systems. The event was intended for cloud service providers aiming to offer services that will process nationally or internationally classified information in electronic form.

The event featured an update from the Ministry of Finance on the progress of cloud service development within the public sector. Following this, NCSC-FI experts gave presentations on the evaluation of cloud environments and the current status of the criteria under development. The event concluded with a joint discussion on the topic, including reflections on future progress and models for collaboration.

Key takeaways from the presentations

  • The use of cloud services supports the digitalisation of public administration. There are no legal barriers to using cloud services for handling nationally classified information. However, different cloud solutions vary, so it is necessary to assess on a case-by-case basis whether the risk management measures offered by each solution are adequate and suitable for the authority’s needs. 
  • Regulation and requirements are risk-based. Evaluation supports the authority’s risk management. Approval ensures that the information system maintains an adequate level of protection in relation to risks throughout its lifecycle. Accreditation is mandatory for most systems handling internationally classified information.
  • The NCSC-FI has a strong understanding of the risks associated with information systems. We advise and support organisations from the early stages of development. Cloud services are subject to the same requirements, regulations and evaluation methods as other technology options. However, they also have their own characteristics that must be taken into account — such as shared responsibility, software-defined infrastructure, and a cross-border and evolving technical environment. 
  • In 2024, Traficom launched a development project for a cloud service security evaluation framework (PiTuKri). The framework is being developed in cooperation with the Ministry of Finance, and stakeholders are being consulted throughout the process.

The event was organised by the Assessments Department of the NCSC-FI, which acts as the national Security Accreditation Authority (SAA). The SAA is responsible for the accreditation of information systems processing classified information within the EU and NATO, as well as for evaluation services related to systems handling nationally classified information. These services are available to both public authorities and private sector organisations.

The event was held on 11 June and was attended by representatives from around 40 organisations. The topic clearly attracted interest, and the questions and comments from participants reflected a high level of expertise. Presentation materials can be requested by emailing ncsa(@)traficom.fi.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

WHAT TO DO IF YOU GET SCAMMED

Recognise online scams and protect yourself from them

Vulnerabilities

CVE: CVE-2025-23121, CVE-2025-24286 & CVE-2025-24287
CVSS: 9.9 (highest of the three)
What: Several vulnerabilities that expose backup servers to data breaches. The most severe, CVE-2025-23121, allows an authenticated domain user to execute code remotely on a domain-joined Backup & Replication server; backup servers joined to the production domain are therefore the exposed configuration, and keeping them off the domain is the vendor's long-standing recommendation.
Product: Veeam Backup & Replication (CVE-2025-24287 concerns Veeam Agent for Microsoft Windows)
Fix: Update Veeam Backup & Replication to version 12.3.2 (build 12.3.2.3617) and Veeam Agent for Microsoft Windows to version 6.3.2.

CVE: CVE-2025-5349 & CVE-2025-5777
CVSS: 9.3 (CVE-2025-5777)
What: CVE-2025-5349 is an improper access control flaw in the NetScaler management interface. CVE-2025-5777 is an out-of-bounds memory read on appliances configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) or AAA virtual server that can leak session data to an unauthenticated attacker.
Product: Citrix NetScaler ADC and NetScaler Gateway
Fix: The vendor urges customers to install the updated versions (14.1-43.56, 13.1-58.32 and the corresponding FIPS/NDcPP builds) as soon as possible; the 12.1 and 13.0 branches are end of life and do not receive a fix. Because sessions may already have been exposed, the vendor also advises terminating all active ICA and PCoIP sessions after the upgrade.

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 13–18 June 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cyber security professionals to ordinary people.