05-14-2024, 11:10 AM
News Hackers Exploit Unpatched Bug in Helsinki Education Division Data Breach
Hackers exploited an unpatched remote access server vulnerability in the Helsinki Education Division data breach to scour through records of 80,000 students, their guardians, and all administrative personnel.
The City of Helsinki detected the data breach on April 30, promptly initiating an investigation that found the hacker had gained access to student and personnel usernames and email addresses.
Hannu Heikkinen, the chief digital officer of the City of Helsinki, in a Monday press conference <a href="https://www.hel.fi/en/news/investigation-into-helsinki-education-division-data-breach-proceeds">said</a>, “Further investigation has shown that the perpetrator has gained access to the usernames and email addresses of all city personnel, as well as the personal IDs and addresses of students, guardians and personnel from the Education Division.”
<blockquote><em>“Additionally, the perpetrator has also gained access to content on network drives belonging to the Education Division,”</em> Heikkinen said.</blockquote>
“This is a very serious data breach, with possible, unfortunate consequences for our customers and personnel,” said City Manager Jukka-Pekka Ujula. “We regret this situation deeply.”
<h3>Helsinki Education Division Data Breach Linked to Remote Access Bug</h3>
The preliminary investigation found that the Helsinki Education Division data breach was made possible by a vulnerability in a remote access server.
<blockquote><em>“The server had a vulnerability which the culprit was able to exploit to connect to the Education Division network.” </em></blockquote>
The city authorities did not reveal the name of the remote access server. They said a hotfix patch was available at the time of exploitation; why it was not installed on the server is currently unknown.
<blockquote>“Our security update and device maintenance controls and procedures have been insufficient,” said Heikkinen.</blockquote>
The breach targeted an extensive group. Most of the network drive data, comprising tens of millions of files, contains non-identifying information or ordinary personal data, minimizing potential abuse, according to the city authorities.
However, some files include confidential or sensitive personal data, such as fees for early childhood education customers, children's status information like information requests by student welfare or information about the need for special support and medical certificates regarding the suspension of studies for upper secondary students, and sick leave records of Education Division personnel.
The data breach also includes historical customer and personnel data. This means that even if an individual is not currently a customer or a member of staff at the Education Division, the hacker may still have accessed their data.
<blockquote><em>“Considering the number of users in the city’s services now and in previous years, in the worst case, this data breach affects over 80,000 students and their guardians,”</em> Ujula said.</blockquote>
Satu Järvenkallas, executive director of the Education Division, said the authorities are currently unable to provide an accurate assessment of what data the hacker may have accessed as “the volume of data under investigation is significant.”
<h3>VPN Gateways, Network Edge Devices Need ‘Special Attention’</h3>
City officials immediately notified the Data Protection Ombudsman, the Finnish Police, and Traficom’s National Cyber Security Centre after the discovery of the data breach at Helsinki’s Education Division.
<a href="https://www.kyberturvallisuuskeskus.fi/fi/ajankohtaista/tietomurrot-mita-ne-ovat">Traficom’s</a> cybersecurity center acknowledged the notification and said it was supporting the City of Helsinki in investigating the case. “The data breach that targeted the City of Helsinki is exceptionally large for its size in the municipal sector. The case affects many Finns and causes great concern,” it <a href="https://twitter.com/CERTFI/status/1789982352434770410">said</a> on platform X (formerly known as Twitter).
Critical vulnerabilities in network edge devices like this pose a risk to organizations' cybersecurity, said Traficom’s NCSC. By exploiting vulnerabilities in VPN products intended for establishing secure remote connections, parties outside the organization can also gain access to internal networks, “especially if other measures to limit the attack are not in use,” it added.
<blockquote><em>“Severe and easy-to-exploit vulnerabilities have been detected in the network edge devices of many major device manufacturers, such as VPN gateways, in the past six months,”</em> said Samuli Bergström, the director of the cybersecurity center. <em>“That is why it is important that special attention is paid to resources and expertise in organizations.” </em></blockquote>
A very recent example of such VPN appliance abuse is the zero-day exploitation of Ivanti VPN products, namely Ivanti Connect Secure (formerly Pulse Secure) and Ivanti Policy Secure gateways. Chinese state-backed hackers used two zero-day vulnerabilities in these products, an authentication bypass (CVE-2023-46805) and a command injection bug (CVE-2024-21887), to compromise several organizations including <a href="https://thecyberexpress.com/mitre-data-breach-hackers-exploit-zero-days/">MITRE</a>.
“Reaction to the data breach has been quick and all the necessary resources are being and will be used on protective measures. This is the highest priority for the city’s senior management,” Ujula said.
“After the breach, we have taken measures to ensure that a similar breach is no longer possible,” Heikkinen added.
<blockquote><em>“We have not discovered evidence that the perpetrator would have accessed the networks or data of other divisions. However, we are monitoring all City of Helsinki networks closely.”</em></blockquote>
Information for affected individuals is <a href="https://www.hel.fi/en/decision-making/data-breach">available</a> via <a href="https://thecyberexpress.com/finland-warns-of-new-android-malware-campaign/#google_vignette">Traficom</a>’s Cybersecurity Centre website, data breach customer service, crisis emergency services and MIELI Mental Health Finland.
https://thecyberexpress.com/helsinki-edu...ta-breach/