Information security now!
This week we cover topics such as the new Lumma Stealer malware spreading method and how human error can result in a data leak.
Identify a new way of spreading malware and protect yourself
In week 40, we reported on the Lumma Stealer malware, which can steal passwords, cookies, cryptocurrencies and other sensitive information stored on your device from a number of web browsers and email programs. Since then, Traficom's National Cyber Security Centre (NCSC-FI) has received more reports of users being lured into running text copied from a web page in the Windows command prompt, which installs the malware. This method is known as "ClickFix" and is currently being used to spread a number of different kinds of malware.
If you suspect that your device is infected with malware, follow these steps:
- Scan your system with antivirus software and follow its instructions.
- Change your password. Update the passwords of all user accounts you use on the infected computer. This will help prevent unauthorised access to your accounts.
- Log out of all active online services (social media, email) on your infected device to prevent unauthorised access to your data.
- Wherever possible, please enable multi-factor authentication as an additional protection for your user accounts.
- Keep your operating system and other software on your device up-to-date.
Organisations are advised to add security measures to workstations, such as blocking access to PowerShell and the command prompt for standard (non-administrator) user accounts. This helps reduce the risk of malware being installed and protects the organisation's data.
Human error can result in a data leak
The NCSC-FI regularly receives reports of data leaks. They can be roughly divided into two types: technical leaks of personal data, and document leaks. The first type is usually the result of a data breach or of data scraping by automated software, after which the data is leaked or put up for sale. Such data mostly comprises, for example, names, email addresses and bank details.
The other type of leak, which emerges less frequently, is the leak of documents. These are often caused by human error: either the systems in use are not configured correctly, or it is assumed that a link, and the file behind it, can only be viewed by the recipient of the email.
We focus here on this latter type of data leakage. Much of the information in organisations is, and should be, in the public domain. It is important for staff and stakeholders to have access to various documents related to preparedness, safety and induction. However, it is also worth considering how that information is distributed to those who need it. Even if the information is in the public domain, is it appropriate for the documents to be easily accessible to everyone on the internet? With website solutions, an organisation may ensure only that the actual front page of a site asks for a login; if a person has a direct link to a document, they gain direct and unrestricted access to the information.
Example: https://turvallisuus.lumivarasto[.]fi would correctly display only the login page, but https://turvallisuus.lumivarasto[.]fi/kaakkois-suomi would give direct access to that particular page without any login.
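The failure mode above, as an added example that is not from this bulletin: a minimal Python request router whose login check is wired only to the front page, beside a version that guards every path before routing, plus the anonymous-access audit an administrator would run after any configuration change. The document list is constructed; the path /kaakkois-suomi is the one from the example.

```python
# Added example, not NCSC-FI code. Models a site where only the front page
# asks for a login, so a direct link to a document bypasses the check.
from dataclasses import dataclass, field


@dataclass
class Request:
    path: str
    session: dict = field(default_factory=dict)  # e.g. {"user": "alice"}


# Constructed document list standing in for the site's real content.
DOCUMENTS = {
    "/": "front page",
    "/kaakkois-suomi": "regional preparedness plan (constructed sample)",
}
PUBLIC_PATHS = {"/login"}  # the login form itself must stay reachable


def _is_logged_in(req: Request) -> bool:
    return bool(req.session.get("user"))


def handle_front_page_only(req: Request) -> int:
    """Broken: the login check is attached to the front page route only.
    Any other document is served to an anonymous visitor with a direct link."""
    if req.path not in DOCUMENTS:
        return 404
    if req.path == "/" and not _is_logged_in(req):
        return 302  # redirect to the login form
    return 200


def handle_guarded(req: Request) -> int:
    """Fixed: one guard runs before any route is resolved, so deep links
    cannot skip it. Only explicitly public paths are served anonymously."""
    if req.path in PUBLIC_PATHS:
        return 200
    if not _is_logged_in(req):
        return 302
    return 200 if req.path in DOCUMENTS else 404


def audit_anonymous_access(handler) -> list:
    """Return every document path an unauthenticated visitor can fetch.
    Run against the real path list, this is the check to make after any
    change to web or sharing configuration; the expected result is []."""
    return [p for p in DOCUMENTS if handler(Request(p)) == 200]
```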
Another common risk is direct links to documents in various cloud services, distributed by email. Cloud services typically allow anyone who knows the link to access the shared information. Organisations should therefore also review document and resource sharing from their own cloud environments; in the worst case, these can leak highly sensitive information. By default, it is good practice not to allow direct sharing from such environments without separate security controls, such as tying the share to the recipient's email address, other authentication mechanisms or encryption solutions.
November Cyber Weather 2024
November demonstrated the importance of preparedness when Finland was hit by two very different anomalies in a digitalised society – a submarine cable between Finland and Germany broke, and storm Jari arrived in Finland causing localised disruptions to telecommunications.
What has been described as the greyest month of the year has also been marred by scam and phishing campaigns in the name of various banks. The situation regarding denial-of-service attacks has calmed down towards the end of the year, with fewer reports of disruption caused by attacks received in November than in early autumn.
The past month has also brought some glimmers of hope for cybersecurity. The EU's Cyber Resilience Act (CRA), enacted in November, sets minimum EU standards for cybersecurity for digital products and software connected to the internet. The legislation is expected to improve the overall security of society, as more secure devices will be available and on the market. The legislation will enter into force in stages over the period 2026–2027.
Read more about the latest Cyber Weather.
Enisa publishes a report on the Cyber Europe 24 exercise
Enisa, the European Union's cyber security agency, has published the final report of a Europe-wide cyber exercise it organised over the summer. Around 5,000 people from all over Europe took part in the exercise. The NCSC-FI was responsible for the national planning and implementation of the exercise.
Recently reported scams
In this summary, we provide information about scams reported to the NCSC-FI during the past week.
What to do if you get scammed
- Immediately contact your bank if you have made a payment based on a scam or a criminal has gained access to your online banking service or payment card information.
- File a police report. You can file a police report online.
- You can also report the incident to the NCSC-FI.
- Instructions for victims of data leaks
Learn how to detect and protect yourself against online scams
Vulnerabilities
CVE: CVE-2024-11639, CVE-2024-11772 and CVE-2024-11773
CVSS: 10, 9.1 and 9.1
What: Critical vulnerabilities in Ivanti Cloud Services (CSA) products
Product: Ivanti Cloud Services (CSA)
Repair: Patch, further information in the vulnerability bulletin (in Finnish).
ABOUT THE WEEKLY REVIEW
This is the weekly review of the National Cyber Security Centre Finland (reporting period 5–12 December 2024). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cybersecurity specialists to regular citizens.