National Cyber Security Centre's weekly review – 19/2024

Topics covered in this week’s review

• We removed the alert about Palo Alto critical vulnerability
• Mirai malware is difficult to eliminate
• National Cyber Security Centre's case IDs updated
• Recently reported scams

We removed the alert about Palo Alto critical vulnerability

Organisations using Palo Alto GlobalProtect faced a serious threat in April. A critical vulnerability was identified in the product. The vulnerability was actively exploited before corrective updates were released. We published a vulnerability report, and soon after, we received the first reports of data breaches.

After receiving the first data breach reports, we assessed the situation to be serious in Finland and decided to publish an alert on the vulnerability on 18 April 2024. The vulnerability had significant impact and required devices to be updated and investigated. The aim of the alert was to inform Finnish organisations that they should take urgent measures regarding Palo Alto devices.

Overall, approximately 15 incidents related to Palo Alto devices were reported to the National Cyber Security Centre (NCSC-FI). More serious breaches were not observed. The threat to organisations has passed thanks to device updates, and we have not received any new reports in two weeks, so the warning was removed on 7 May 2024.

We published the alert on the Palo Alto vulnerability based on reports from organisations. Reports to the NCSC-FI will also play an important role moving forward, and we hope that the organisations and users do not hesitate to contact us. Information from the reports can also help prevent security incidents in other organisations. Our situation awareness products and shared information are largely dependent on the reports we receive, which is why an individual report may play a significant role.

Read more:

• Critical vulnerability in Palo Alto GlobalProtect (External link) (in Finnish)
• Data breaches to Palo Alto GlobalProtect products – requires immediate action (External link)
• Alert on Palo Alto GlobalProtect has been removed (External link) (in Finnish)
• Why is it important to investigate information security incidents and why should you notify authorities? (External link) (in Finnish)

Mirai malware is difficult to eliminate

The Mirai malware targeted at networked smart devices (the Internet of Things, IoT) is one of the most significant, still ongoing phenomena affecting cyber security in recent decades. Mirai's program code is publicly available, and cyber criminals are continuously updating and copying it into new variants. The prevention and clean-up of Mirai infections has proved to be difficult, especially for cultural reasons: it is easily seen as ‘someone else’s problem.’ In other words, Mirai will probably remain a nuisance for a long time, says Specialist XX in our recent blog post titled ‘Mirai is the future (External link)’. 

The fight against Mirai-based malware and botnets has proved to be a wicked problem. There are numerous vulnerable devices on the Internet and they are owned by almost as many people, from households to large companies. Smart devices are often adopted without any consideration for their protection and lifecycle, and even if the user is interested in protecting their devices, each device requires different measures, which is a challenge in terms of both competence and time. Users of infected devices find it difficult to detect the infection themselves. The infection often affects third parties, for example in the form of a denial of service attack on an infected device, which, from the perspective of the infected device’s owner, is easily seen as ‘someone else's problem’.

A sustainable fight against Mirai would require a large group of operators to take shared responsibility around the world. In Finland, the work against malware is going relatively well, thanks to legislation that encourages reacting to malicious connections and good cooperation between Traficom and telecommunications companies.

Specialist XX has listed ways in which everyone can join the fight to eliminate the operating conditions of Mirai and many other types of malware:

1. Demand information from smart device vendors on how long the device software is supported and how to keep it updated.
2. Follow the device’s instructions for use.
3. Change the default passwords of your devices. Use a different password for each device and user account.
4. Check your devices regularly (perhaps once a month while also checking the smoke detectors in your home, for example). Install updates whenever available. If possible, set updates to install automatically.
5. Use cloud services to share content outside your home instead of opening your home network to the Internet.
6. Disable the device when the support for its software ends, at the latest.

National Cyber Security Centre's case IDs updated

The [FICORA #1234567] tag previously used in our email header field has been changed to [NCSC-FI #1234]. Please take the change in the identifier format into account with regard to automatic processing rules that read the identifiers. The changes have been applied to new cases since 7 May 2024.

For more information, please contact kyberturvallisuuskeskus@traficom.fi.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.