Information security now!
This week, we report on malware that steals information and is being distributed under the guise of copyright infringement. Other topics include the risks associated with edge devices and the tools provided by the EU Digital Services Act to combat election interference.
Information-stealing malware being distributed under the guise of copyright infringement
Malware that steals information has been distributed via emails warning of alleged copyright infringement. Yle reported at the end of March on emails sent in its name.
The malware campaign now in the news first emerged globally in October 2024. The emails were sent in the name of media and cultural organisations and accused the recipient of copyright infringement. Since last autumn, similar scam messages have been detected in Finland and several other countries. The messages have been translated into the target country’s language and use the names and details of organisations based in the respective countries.
The aim of the emails is to get the recipient to open an attachment containing malware designed to steal information. The malware attempts to steal passwords and data stored in the browser. The stolen data may be sold on or used in further data breach attempts.
How to protect yourself from malware
- If you receive a suspicious message, you can check its legitimacy with the customer service of the organisation supposedly sending it. For example, a sense of urgency, a strange sender address, or spelling errors are good reasons to doubt the authenticity of the message.
- Do not open email attachments unless you are absolutely sure they are legitimate.
- Keep your device and software up to date.
- Only download software from trusted sources.
Edge devices remain a constant target for malicious actors
On Thursday 3 April 2025, the NCSC-FI published a vulnerability bulletin regarding a flaw identified in Ivanti Connect Secure products, which has already been exploited in older versions. The vulnerability also affects Pulse Connect Secure products from the same vendor, for which no security updates are available. This is just the latest example of the risks network edge devices pose to organisational cybersecurity.
Edge devices are systems that operate between a personal or organisational network and the public internet, handling traffic between them. These include VPN gateways, firewall appliances and routers. For many organisations, edge devices are a necessary risk that must be managed. They are fertile ground for malicious actors and are consistently targeted. Vulnerabilities and misconfigurations, along with compromised credentials, are among the most significant factors exposing organisations to data breaches.
In particular, products that have reached end-of-life (EOL) should be replaced with devices that continue to receive security updates from the manufacturer. Using outdated devices in production environments creates an ever-growing risk of data breaches. If a legacy device cannot be replaced, the associated risks must be assessed comprehensively and addressed with, for example, increased monitoring. Ideally, organisations prepare in advance for the end-of-life of their systems and services, replacing them with new solutions before obsolescence becomes an issue.
Digital Services Act offers tools to prevent election interference on online platforms
The EU’s Digital Services Act (DSA) has been in effect since 17 February 2024. The regulation requires very large online platforms – such as Facebook, Instagram, TikTok and similar services – to implement risk mitigation measures to address systemic risks that arise on their platforms, including the spread of disinformation or other forms of external influence. These systemic risks may target, for example, electoral processes or public discourse taking place on the platforms. In Finland, compliance with the Digital Services Act is monitored by the Finnish Transport and Communications Agency Traficom.
In late 2024, it was reported that external influence had been directed at elections held in Romania via the TikTok platform. The platform is suspected of having failed to meet its obligations under the Digital Services Act to reduce systemic risks.
In practice, the Digital Services Act requires platforms to provide tools that allow users to assess the reliability of different sources of information and to implement procedures that can detect manipulation of the service and, where necessary, quickly stop harmful activity. During elections, platforms are also expected to take measures to limit the visibility and amplification of misleading content through algorithmic recommendation systems.
The Digital Services Act also requires platforms to have mechanisms in place allowing anyone to report illegal content detected on the platform. These reports must be processed effectively, and the platform must decide on the alleged illegal content in a timely and efficient manner. The Act also aims to strengthen user rights in cases where a platform restricts a user’s account or activity.
The European Commission has exclusive powers to supervise the implementation of risk mitigation measures by very large online platforms. National authorities in Finland can, when necessary, request support from the Commission for communication with platforms – for example, to address risks related to elections or to initiate investigations into platform conduct.
Recently reported scams
In this summary, we provide information about scams reported to the NCSC-FI during the past week.
WHAT TO DO IF YOU GET SCAMMED
- Immediately contact your bank if you have made a payment based on a scam or a criminal has gained access to your online banking service or payment card information.
- File a police report. You can file a police report online.
- You can also report the incident to the NCSC-FI.
- Instructions for victims of data leaks
Recognise online scams and protect yourself from them
Vulnerabilities
CVE: CVE-2025-22457
CVSS: 9
What: Exploitation reported in older product versions.
Product: Ivanti Connect Secure, Ivanti Policy Secure and ZTA Gateway
Fix: Install the latest updates and remove outdated products. Read more in the vulnerability bulletin (in Finnish).
ABOUT THE WEEKLY REVIEW
This is the weekly review of the National Cyber Security Centre Finland (NCSC-FI) (reporting period 28 March–3 April 2025). The purpose of the weekly review is to share information about current cyber phenomena. The weekly review is intended for a wide audience, from cybersecurity specialists to regular citizens.