
Information security now!

This week, we warn you about M365 data breaches and phishing via the hotel booking service. We also give tips for cyber-secure holiday travel.

TLP:CLEAR

M365 data breaches torment companies again

The National Cyber Security Centre (NCSC-FI) has recently been notified of various phishing activities targeting the Microsoft M365 user accounts of organisations. Some of the phishing attempts have led to a data breach in the email account in question.

Phishing attempts vary

Data breaches are attempted using constantly evolving and changing lures. In recent phishing messages, the sender claims to be sharing a file with you via SharePoint, Dropbox, DocuSign and similar services. Earlier in the spring, we described in our Weekly Review 11/2024 how M365 accounts were breached using a PDF file shared through the Dropbox service.

We have also received reports about breaches in which an email account has been hacked despite multi-factor authentication. The adversary-in-the-middle (AiTM) technique is able to bypass multi-factor authentication. AiTM phishing has already become more common in phishing for Microsoft 365 user credentials.

The hacked accounts are used for purposes such as billing fraud and sending thousands of new phishing messages. The hacker may also reply to or delete messages from the inbox.

How to protect yourself against M365 data breaches

The NCSC-FI encourages all Microsoft 365 customers to use two-step authentication and to limit email forwarding rules.

You should report any data breaches or attempted breaches to the police. It is also advisable to report the cases to the National Cyber Security Centre. When notifying the National Cyber Security Centre, you can include an example of a phishing message and information on how the incident impacts your organisation.
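One way to review mailbox rules in line with the advice above on limiting forwarding, and with the observation that intruders forward and delete mail (an added example, not NCSC-FI or Microsoft code). It assumes rules exported in the Microsoft Graph messageRule shape; the domain list, rule names and addresses are constructed.

```python
# Added example: flag enabled inbox rules that forward mail outside the
# organisation or delete incoming messages. All sample values are constructed.
INTERNAL_DOMAINS = {"example.org"}  # assumption: the organisation's mail domains
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
DELETE_ACTIONS = ("delete", "permanentDelete")

SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "actions": {"moveToFolder": "constructed-folder-id"}},
    {"displayName": "Archive", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "inbox@mail.example.net"}}],
                 "delete": True}},
    {"displayName": "Invoices to finance", "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "finance@example.org"}}]}},
]


def external_recipients(actions):
    """Addresses in forwarding actions whose domain is not an internal one."""
    found = []
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key) or []:
            address = recipient.get("emailAddress", {}).get("address", "")
            if address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
                found.append(address)
    return found


def audit_rule(rule):
    """Findings for one rule; an empty list means nothing was flagged."""
    actions = rule.get("actions") or {}
    findings = [f"forwards to external address {a}" for a in external_recipients(actions)]
    findings += [f"removes mail via '{k}'" for k in DELETE_ACTIONS if actions.get(k)]
    return findings


def audit_mailbox(rules):
    """Map rule name -> findings for each enabled rule that was flagged."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule) if rule.get("isEnabled", True) else []
        if findings:
            report[rule.get("displayName", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name}: {'; '.join(findings)}")
```

A flagged rule is a prompt for review, not proof of compromise: users also create forwarding rules themselves, so compare the creation time with sign-in activity for the account.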

Phishing via Booking.com

The Booking.com hotel reservation service, also popular in Finland, has reported several cases where messages sent to customers via the service have not come from the hotel, but from a fraudster. The scam messages have been used to gain access to information such as credit card numbers. We also wrote about this phenomenon in our weekly review last autumn [34/2023]. We also mentioned the reports we received about this scam in our weekly review in early spring 2024 [07/2024].

How the scam messages look

The scam messages appear completely reliable because they contain the correct hotel information, customer names and hotel reservations. The messages are also received via the Booking.com service, just like real messages from hotels. However, the links in the messages take you to a fake website that may look deceptively like the hotel or reservation service website. Credit card information entered on the fake website ends up in the hands of criminals. It appears that criminals have spread phishing messages and malicious attachment files to gain access to, for example, hotel management accounts, through which they pose as the hotel on the Booking.com website. This makes the scam very difficult to spot.

How to identify scam messages and how to protect yourself from scams

As with phishing messages in general, criminals attempt to gain access to your money, online banking or email credentials or credit card information under various pretences. They demand your actions or information by claiming that the situation is urgent or exceptional. Messages may also threaten the customer or provide links through which you are asked to give your information. If you suspect that someone is attempting to mislead you, you should contact the hotel by phone and ask the hotel to confirm that they actually need information or payment.

Enquiries

Booking.com was in the news in late 2023, when various news sources reported a data leak in which the data of Booking.com's customers had been compromised.

Booking.com was fined in 2019 when the organisation did not report the data leak to the authorities within 72 hours of its detection.

According to several sources, Booking.com customers have received various credible-looking scam messages in Booking.com’s name for at least five years.

If you want to learn more about this phishing process, the information security company Kaspersky published a comprehensive English-language article on the Booking.com phishing in late 2023.

Tips for cyber-secure holiday travel

The summer holiday season is at its busiest, and many people are heading off on holiday to relax and get away from hectic everyday life. Although travel offers an opportunity to take a break from the digital world, it is important to remember cyber security even when on holiday. Read our tips for cyber-secure travel below.

Before your trip

  • Update your hardware and software. Updates often include important fixes that protect your devices. 
  • Back up important data. You can use cloud services or an external hard drive to ensure that your data is safe even if your device is lost or stolen. 
  • Restrict access to your devices by enabling access codes, passwords, and similar.
  • Make sure you know how to locate and erase the device if it disappears while travelling. You can find instructions for this on the manufacturers' websites.
  • Pack only the devices you need. 
  • On computers, tablets and mobile phones, you can fit a screen protector that prevents people next to you from seeing your screen, for example on an airplane.

During and after your trip

  • Keep track of transactions on your card. If you notice suspicious payments, notify your bank immediately. 
  • If you are using shared devices in places such as internet cafés, remember to log out of all services and clear your browsing history and cache before leaving. Also avoid storing any personal information on the device.

Network connection

  • You should primarily use your own mobile data connection as the network connection. Please check any country-specific fees with your operator before you leave. 
  • You should avoid open and unprotected Wi-Fi connections. Such networks are public and may be less secure. If you need to use such a network, try to avoid logging in to sensitive services. You can also use a virtual private network (VPN) connection to secure the connection.

Social media 

  • It is advisable to post your travel experiences to social media only afterwards. A public update about a trip may attract burglars to your empty home.
  • Make sure that photos you post on social media do not show any sensitive information, such as details on your passport.
  • Get permission from others before sharing photos of them or information about them.

Current EU funding opportunities for the cyber security sector

Several interesting EU funding opportunities are opening up in the field of cyber security in July. Funding opportunities are available for operators in the private, public and research sectors. Funding is granted for the deployment and utilisation of new technologies and for research, innovation and development activities. NATO's DIANA accelerator programme also opens up interesting opportunities for developing ambitious innovative technologies in cooperation with an extensive network of partners and experts.

Are you interested in hearing more about the application rounds, or do you need support in preparing the application or finding project partners? The National Coordination Centre for Cyber Security Research, Development and Innovation (NCC-FI) is happy to help you with questions about applying!

Read more in Finnish.

Recently reported scams

In this summary, we provide information about scams reported to the NCSC-FI during the past week.

FOLLOW THESE INSTRUCTIONS IF YOU HAVE BEEN SCAMMED

Learn how to detect and protect yourself against online scams

Vulnerabilities

CVE: CVE-2024-6387
CVSS: 8.3 (CVSS 3.1)
What: Critical vulnerability in OpenSSH software
Product: OpenSSH versions from 8.5p1 up to, but not including, 9.8p1, and OpenSSH versions before 4.4p1.
Fix: The vendor has released a fix that should be installed as soon as possible. The problem is fixed in OpenSSH version 9.8p1.
Read more: Vulnerability report 17/2024 (in Finnish)
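A first-pass check of `ssh -V` output or SSH banners against the version ranges listed above (an added example, not NCSC-FI or OpenSSH project code). The host names and version strings are constructed. Distributions may backport the fix without changing the upstream version number, so a hit means "verify the package patch level", not "confirmed vulnerable".

```python
import re

# Affected ranges as listed in the table above: versions before 4.4p1, and
# versions from 8.5p1 up to (not including) 9.8p1. The pN suffix is ignored,
# which matches those boundaries because each one sits at a p1 release.
OLD_FIXED = (4, 4)
AFFECTED_FROM = (8, 5)
FIXED = (9, 8)

_VERSION = re.compile(r"OpenSSH_(\d+)\.(\d+)")


def parse_openssh_version(text):
    """Extract (major, minor) from `ssh -V` output or an SSH banner, else None."""
    match = _VERSION.search(text)
    return (int(match.group(1)), int(match.group(2))) if match else None


def in_affected_range(text):
    """True or False for OpenSSH version strings, None if no version is found."""
    version = parse_openssh_version(text)
    if version is None:
        return None
    return version < OLD_FIXED or AFFECTED_FROM <= version < FIXED


def hosts_to_check(inventory):
    """Sorted host names whose reported version falls in an affected range."""
    return sorted(host for host, text in inventory.items() if in_affected_range(text))


# Constructed inventory: host name -> version string as collected.
SAMPLE_INVENTORY = {
    "web01": "OpenSSH_9.6p1 Ubuntu-3ubuntu13, OpenSSL 3.0.13 30 Jan 2024",
    "jump01": "SSH-2.0-OpenSSH_9.8",
    "db01": "SSH-2.0-OpenSSH_8.4p1 Debian-5+deb11u3",
    "legacy01": "OpenSSH_4.3p2, OpenSSL 0.9.8e",
    "router01": "SSH-2.0-dropbear_2022.83",
}

if __name__ == "__main__":
    for host in hosts_to_check(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]}")
```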

ABOUT THE WEEKLY REVIEW

This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 28 June – 4 July 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cyber security specialists to regular citizens.