Information security now!
This week we are highlighting the importance of applying critical updates. If critical vulnerabilities are found in devices, their updates must not be delayed unnecessarily. Criminals regularly exploit unpatched devices to carry out data breaches. We also remind everyone to stay alert in organisational communications. Criminals often impersonate company executives and contact employees via instant messages or email, attempting to persuade them to transfer money under various pretexts.
Critical vulnerability still unpatched in around one hundred Finnish organisations
On 26 September 2025, the NCSC-FI published a vulnerability advisory regarding critical vulnerabilities in Cisco ASA and FTD products [1]. These products are very popular in Finland, and more than 100 vulnerable devices remain online. The vulnerability has already been exploited in cyber attacks worldwide for at least two weeks. The NCSC-FI has been in contact with owners of vulnerable devices either directly or through their service providers. Although the number of vulnerable devices has decreased, it remains high. A network device left unpatched will, over time, often lead to a data breach. The NCSC-FI has not yet received any data breach reports related to the vulnerability disclosed on 25 September 2025. Through proactive communication, the NCSC-FI also aims to help ensure that the number of data breaches remains low in the near future. However, several hundred Cisco devices in Finland have already been updated to the latest version over the past two weeks.
In recent years, critical vulnerabilities in Cisco ASA devices have led to several Akira ransomware incidents in Finland [2]. The product itself is as secure as other network edge devices and is commonly used, for example, to enable secure remote connections for an organisation's users. Organisations should monitor vulnerability advisories for the products they use on a daily basis, either independently or with the help of a service provider. An unpatched device is, quite simply, low-hanging fruit for attackers.
Fake boss on the line? CEO frauds are on the rise
During the autumn, the NCSC-FI has received several reports of CEO fraud. In these scams, criminals pose as company or organisation executives and try to get an employee to carry out unusual actions, such as paying fake invoices, making bank transfers or buying gift cards.
Scam messages are often crafted to create a sense of urgency and appeal to human emotions and the desire to help. Fraud attempts may come by email, instant messaging services or phone calls. Contacts are especially likely to target employees handling invoicing, payroll or personnel matters, as they are of particular interest to criminals. Both small companies and large corporations have been targeted, and financial losses can reach tens or even hundreds of thousands of euros.
The NCSC-FI recommends verifying the authenticity of payment requests and unusual messages before acting. Always follow your organisation’s payment procedures and do not skip any steps, even under pressure. Organisations should establish clear payment processes that ensure invoices are always verified. Follow the agreed practices and ensure that invoices cannot be paid via any fast-track routes.
September’s Cyber Weather report published
September was once again an active month in terms of the number of incidents. The increase in incidents observed at the end of the summer continued, and the overall picture for the month was mostly rainy. This publication also includes quarterly sector-specific observations.
Weekly malware review: Triada
Triada is a remote access trojan (RAT) targeting Android devices. It steals confidential information such as credit card numbers, passwords and banking details, while also opening a backdoor that allows attackers to connect the device to a botnet. The malware was first detected by Kaspersky in 2016, and it marked a new era in mobile security: Triada managed to hide in almost all of a device's processes while remaining solely in the device's RAM.
In 2025, Triada made headlines again when it was found pre-installed on counterfeit versions of popular smartphones sold online at discounted prices. In this case, Android’s improved security has worked against the user: because system partitions are now protected from modification, malware pre-installed in them is almost impossible to remove.
How to protect yourself against Triada:
- Buy devices only from trusted sources. Avoid suspiciously cheap offers and verify the seller’s legitimacy.
- Check the authenticity of the device. Compare IMEI numbers, technical details and packaging with the manufacturer's information.
- Use mobile security software. Install reputable antivirus software and keep it up to date.
- Monitor app permissions. Remove apps with unnecessarily extensive access rights.
- Keep the system up to date. Install the manufacturer's official security updates regularly.
- Because Triada can hide in a device's firmware, the best defence is a careful purchase decision.
Recently reported scams
In this summary, we provide information about scams reported to the NCSC-FI during the past week.
WHAT TO DO IF YOU GET SCAMMED
- Immediately contact your bank if you have made a payment based on a scam or a criminal has gained access to your online banking service or payment card information.
- File a police report. You can file a police report online. (External link)
- You can also report the incident to the NCSC-FI.
- Instructions for victims of data leaks (External link)
Recognise online scams and protect yourself from them
ABOUT THE WEEKLY REVIEW
This is the weekly review of the National Cyber Security Centre Finland (reporting period 4–10 October 2025). The purpose of the weekly review is to share information about current cyber phenomena. The review is intended for everyone from cyber security professionals to ordinary people.