{"id":991420,"date":"2025-11-02T14:19:39","date_gmt":"2025-11-02T11:19:39","guid":{"rendered":"https:\/\/gpss.ro\/?page_id=991420"},"modified":"2025-11-02T14:20:25","modified_gmt":"2025-11-02T11:20:25","slug":"threat-intelligence","status":"publish","type":"page","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/","title":{"rendered":"Threat Intelligence"},"content":{"rendered":"\n        <div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n            <div class=\"article-content\"><h2 id=\"cyber-brief-september-2025\">Cyber Brief (September 
2025)<\/h2><p>October 1, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 285 open source reports for this Cyber Security Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>Relating to <strong>cyber policy and law enforcement<\/strong>, Russia-linked bulletproof host Stark Industries has evaded EU sanctions, and Italy approved the first artificial intelligence law in line with the EU\u2019s AI Act. Czechia\u2019s cyber agency warns critical infrastructure entities against Chinese technology and updates its assessment of China-linked disruption to \u2018high\u2019.<\/p><\/li><li><p>Regarding <strong>cybercrime<\/strong>, Cloudflare and Microsoft jointly took down RaccoonO365 PhaaS domains, and ESET disclosed PromptLock, the first alleged AI-powered ransomware. Acronis identified a spearphishing campaign using FileFix to harvest credentials.<\/p><\/li><li><p>On the <strong>cyberespionage<\/strong> front, Iran-linked UNC1549 conducted a multi-sector spearphishing campaign in Europe, and two Dutch teenagers were arrested for Russia-linked espionage against Europol and Eurojust. Russia-linked APTs Turla and Gamaredon reportedly collaborated to target Ukraine.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> attacks that impacted several European airports, and Moldova\u2019s electoral commission suffered a denial-of-service attack days before its elections. 
Ukraine\u2019s HUR cyber units attacked Russian fuel and telecommunications networks.<\/p><\/li><li><p>Regarding <strong>data exposure and leaks<\/strong> incidents, PKO Bank Polski allegedly experienced a breach of its employee contact data, and London North Eastern Railway reported a breach of its customer data.<\/p><\/li><li><p>On the <strong>hacktivism<\/strong> front, Russia-linked hacktivists NoName057 claimed DDoS attacks against Romanian websites to oppose joint Romanian-Ukrainian drone development, and claimed DDoS attacks against French websites citing their solidarity with the French \u2018Block Everything\u2019 protest.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>Bulletproof host Stark Industries evades EU sanctions<\/strong><br> On September 11, KrebsOnSecurity reported that EU sanctions imposed on May 20, 2025, against Stark Industries Solutions, a bulletproof host tied to Russia-linked threat actors, had limited effect. Within weeks, Stark rebranded as \u2018the[.]hosting\u2019 under Dutch entity WorkTitans BV. By June 24, 2025, they shifted infrastructure to Moldova\u2019s PQ Hosting Plus. Both remain linked to the original operators. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/09\/bulletproof-host-stark-industries-evades-eu-sanctions\/\">link<\/a> <\/p><p><strong>Italy approves new AI law<\/strong><br> On September 17, Italy\u2019s Parliament approved a law on the safe use of artificial intelligence. The law covers several sectors, including public administration, health, labour, justice, and education, requiring traceability and human oversight of AI decisions. This makes Italy the first European Union country with comprehensive AI regulations aligned with the EU\u2019s AI Act. 
<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/technology\/italy-enacts-ai-law-covering-privacy-oversight-child-access-2025-09-17\/\">link<\/a> <\/p><p><strong>Czech cyber agency warns critical sectors against using technology that transfers data to China<\/strong><br> On September 3, the Czech Republic\u2019s National Cyber and Information Security Agency (NUKIB) warned critical infrastructure operators to avoid using Chinese technology, citing a newly assessed \u2018High\u2019 risk of disruption. The agency stressed that Chinese suppliers can access sensitive data and already conduct hostile cyber activity, urging sectors like energy, healthcare, transport, and finance to include these threats in risk analyses and adopt strong mitigation measures. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/nukib.gov.cz\/cs\/infoservis\/aktuality\/2294-nukib-vydal-varovani-pred-hrozbou-spocivajici-v-predavani-dat-a-ve-vykonu-vzdalene-spravy-z-cinske-lidove-republiky\/\">link<\/a> <\/p><p><strong>Poland increases cybersecurity budget amid daily Russia-linked attacks disrupting hospitals and water supply plants<\/strong><br> On September 16, Poland announced an increase in its cybersecurity budget from 600 million euros to one billion euros in response to ongoing reported Russia-linked sabotage attacks. Several incidents reportedly caused temporary outages at healthcare facilities, in addition to a major attempt against a water supply plant in a large city. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ft.com\/content\/3e7c7a96-09e7-407f-98d7-a29310743d28\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage &amp; prepositioning<\/h3><p><strong>Iran-linked UNC1549 deploys malware in campaign targeting defence, telco and aerospace sectors in Europe<\/strong><br> On September 22, CheckPoint research reported on Iran-aligned UNC1549 conducting a long-running cyberespionage campaign targeting the defence, telecommunications, and aviation sectors in Europe. The campaign involved spearphishing attacks luring victims to fake career portals. These portals were used to deliver malware through a multi-stage DLL side-loading technique, which involved the use of previously undocumented low-level APIs. <code>Iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/research.checkpoint.com\/2025\/nimbus-manticore-deploys-new-malware-targeting-europe\/\">link<\/a><\/p><p><strong>Dutch teenagers arrested for Russia-linked spying on Europol and Eurojust<\/strong><br> On September 27, Dutch authorities arrested two 17-year-old boys accused of using Wi-Fi sniffer devices to surveil Europol, Eurojust and the Canadian embassy after recruitment via Telegram to spy for Russia. A Europol spokesperson confirmed the incident, reporting no signs of a compromise on the agency\u2019s systems. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dutch-teens-arrested-for-trying-to-spy-on-europol-for-russia\/\">link<\/a><\/p><p><strong>Targeted cyberattack on Austrian Interior Ministry IT systems<\/strong><br> On August 30, an Austrian media outlet reported a cyberattack affecting the IT infrastructure of Austria's Ministry of Interior, which led to unauthorised access of 100 out of 60.000 e-mail accounts. No sensitive or personal data were reportedly affected. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ots.at\/presseaussendung\/OTS_20250830_OTS0009\/gezielter-und-professioneller-cyberangriff-auf-die-it-infrastruktur-des-innenministeriums\">link<\/a> <\/p><p><strong>Russia-linked Gamaredon and Turla collaborate<\/strong><br> On September 19, ESET revealed the first known collaboration between the Russian FSB-linked groups Gamaredon and Turla. Gamaredon used tools like PteroGraphin, PteroOdd, and PteroPaste to restart Turla\u2019s Kazuar v3 backdoor and to deploy Kazuar v2 implants on select machines in Ukraine. Turla appears to be operating only on high-value targets in Ukraine, while Gamaredon handles broader initial access operations. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/gamaredon-x-turla-collab\/\">link<\/a><\/p><h3 id=\"disruption-destruction\">Disruption &amp; destruction<\/h3><p><strong>European airports disrupted by cyberattack<\/strong><br> On September 20, a cyberattack on Collins Aerospace\u2019s MUSE system disabled electronic check-in and baggage drop at Brussels, Heathrow, Berlin, and other European airports, forcing a switch to manual operations. In Brussels, several flights were cancelled or diverted, and authorities advised that half of the departing flights scheduled for September 21 be cancelled to ease the backlog. <code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/en\/cyberattack-causes-flight-delays-cancellations-brussels-airport-2025-09-20\/\">link<\/a><\/p><p><strong>Moldova\u2019s electoral commission experienced cyberattack ahead of elections<\/strong><br> On September 26, Moldova\u2019s Central Election Commission experienced an alleged Russia-linked cyberattack days before its parliamentary elections. Wi-Fi routers were allegedly hijacked for denial-of-service against its servers. 
The European Commission deployed its new cyber reserve to assist Moldova, marking the first activation of the EU capability under the Cyber Solidarity Act. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/moldova-electoral-commission-cyberattack-days-ahead-vote-russia-democracy-doina-nistor\/\">link<\/a><\/p><p><strong>Ukraine\u2019s HUR cyber units attack Russian fuel and telecom networks, causing millions in losses<\/strong><br> On September 7, Ukraine\u2019s Defense Intelligence (HUR) cyber units launched cyberattacks against Russian infrastructure, reportedly disrupting fuel payment systems, telecom networks, and online platforms. The attacks also included the defacement of Russian websites with pro-Ukraine messages marking Military Intelligence Day. The attacks allegedly caused an estimated 1\u20133 million US dollars in losses. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ukrinform.ua\/rubric-ato\/4034135-kiberkorpus-gur-zablokuvav-palivni-kartki-u-rosii-i-poklav-desatki-onlajnresursiv-dzerelo.html\">link<\/a><\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Russia-linked information operations targeting Moldovan elections<\/strong><br> On September 3, Recorded Future reported on Russia-linked information operations targeting Moldovan elections. These campaigns included Operation Overload, Foundation to Battle Injustice, Operation Undercut, Portal Kombat, and Russia-based social media pages. The campaigns pushed unfavourable narratives of Moldova\u2019s President and advocated for a closer relationship between Moldova and Russia. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.recordedfuture.com\/research\/russian-influence-assets-converge-on-moldovan-elections\">link<\/a> <\/p><p><strong>Russia-linked Storm-1516 targets European and North American countries leveraging AI-generated deepfakes<\/strong><br> On September 18, Recorded Future reported on CopyCop (Storm-1516), a Russian GRU-linked influence campaign that launched over 200 fake media sites targeting the US, France, Canada, Germany, Armenia and Moldova. It now also publishes in Turkish, Ukrainian and Swahili, pushing AI-generated deepfakes and dossiers to undermine support for Ukraine. Its reach and organic engagement remain high. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.recordedfuture.com\/research\/copycop-deepens-its-playbook-with-new-websites-and-targets\">link<\/a> <\/p><p><strong>ISD uncovers Czech X network spreading pro-Russia propaganda ahead of elections<\/strong><br> On September 4, the Institute for Strategic Dialogue (ISD) published an investigation exposing a Czech-language X community of around 70 pseudonymous accounts spreading pro-Russia propaganda and anti-Ukraine narratives ahead of the Czech elections in October. The accounts repackage Russia state media articles promoting conspiracies for Czech audiences. Its current reach remains limited. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.isdglobal.org\/digital_dispatches\/an-anti-ukrainian-community-on-x-a-gateway-for-russian-propaganda-in-the-czech-information-space\/\">link<\/a><\/p><p><strong>Russia-linked disinformation targets Poland after drone incident<\/strong><br> On September 12, Poland reported that a Russian disinformation campaign followed drone incursions into its airspace. Poland\u2019s National Research Institute NASK detected anti-Ukraine disinformation campaigns portraying Poland as weak and suggesting military escalation with Belarus. 
Poland\u2019s cybersecurity leadership held emergency meetings and pledged to provide verified updates to counter the campaign\u2019s wide online reach. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/after-testing-drone-defenses-russia-tested-nato-disinformation-response\/\">link<\/a><\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>PKO Bank Polski allegedly breached, with employee contact information offered for sale<\/strong><br> On September 9, an unnamed threat actor on a cybercrime forum claimed to sell data pertaining to 32.815 employees and 17.135 devices obtained from PKO Bank Polski. The bank confirmed that an actor had contacted them over allegedly obtained employee contact information, but reported that no sensitive or private data of bank employees or its customers were exposed. <code>finance<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/dailydarkweb.net\/pko-bank-polski-allegedly-breached-data-of-32000-employees-for-sale\/\">link<\/a> <\/p><p><strong>LNER reports third-party data breach affecting customer contact details<\/strong><br> On September 10, London North Eastern Railway (LNER) reported that files held by a third-party supplier had been accessed without authorisation, exposing customer contact details and partial past journey information, but not payment, bank or password data. Train services and ticketing were reportedly unaffected. 
<code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lner.co.uk\/news\/lner-media-update-data-information\/\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>Pro-Russia hacktivists NoName057 target Romanian government and transport sites<\/strong><br> On September 29, pro-Russia hacktivist group NoName057 claimed responsibility for unverified distributed denial-of-service (DDoS) campaigns targeting at least five Romanian websites, including government, transportation and airport entities. The group framed the activity as part of their #OpRomania campaign, citing media reports of joint Romanian-Ukrainian drone development. <code>Russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/Noname05716\/status\/1972622176907047316\">link<\/a><\/p><p><strong>NoName057 targets French organisations amid Block Everything protests<\/strong><br> On September 10 and 11, Russia-linked hacktivist group NoName057 made unverified claims of DDoS attacks against at least 15 French organisations, including government agencies, an insurance firm, an airport and manufacturing entities, citing support for France\u2019s \u2018Block Everything\u2019 protests. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/Noname05716\/status\/1965679615898276129\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>US Secret Service dismantle network of electronic devices in New York City<\/strong><br> On September 23, the US Secret Service reportedly dismantled a network of electronic devices located within 55km of the United Nations. They seized over 300 SIM servers and 100.000 SIM cards. These could have been used to carry out anonymous threats towards US officials and could have been used to conduct telecommunications attacks, including DDoS. 
They reportedly found evidence of communications between nation-state threat actors and individuals known to law enforcement. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.secretservice.gov\/newsroom\/releases\/2025\/09\/us-secret-service-dismantles-imminent-telecommunications-threat-new-york\">link<\/a><\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage &amp; prepositioning<\/h3><p><strong>WhatsApp patches zero-click flaw exploited in targeted attacks<\/strong><br> On August 29, WhatsApp released patches for a critical zero-click vulnerability (CVE-2025-55177) affecting iOS, WhatsApp Business on iOS, and macOS clients, which was exploited in sophisticated targeted attacks. The flaw allowed unauthorised users to trigger content processing from arbitrary URLs on a victim\u2019s device, potentially combined with an Apple OS-level vulnerability (CVE-2025-43300). Affected users were urged to update promptly and consider a factory reset if notified of compromise. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/whatsapp-patches-vulnerability-exploited-in-zero-day-attacks\/\">link<\/a> <\/p><p><strong>North Korea-linked Famous Chollima monitors their infrastructure using public threat intelligence sources<\/strong><br> On September 4, SentinelLabs reported that North Korea-linked threat actor Famous Chollima is leveraging public threat intelligence sources to actively monitor their infrastructure. The threat actor used Gmail addresses with Astrill VPN IPs to create Validin accounts. They also monitor the Maltrail project on GitHub to check for indicators linked to Lazarus and used Slack to coordinate their activities. 
<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sentinelone.com\/labs\/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops\/\">link<\/a> <\/p><p><strong>APT29 watering hole campaign mimicking Cloudflare verification pages<\/strong><br> On August 29, Amazon disrupted a watering hole campaign by Russia-linked threat actor APT29. The group compromised websites to redirect users to domains mimicking Cloudflare, luring them into Microsoft\u2019s device code authentication flow for credential harvesting. Amazon isolated affected infrastructure, partnered with providers to block domains, and shared intelligence with Microsoft. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/es\/blogs\/security\/amazon-disrupts-watering-hole-campaign-by-russias-apt29\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Cloudflare and Microsoft joint takedown of RaccoonO365 PhaaS domains<\/strong><br> On September 10, Cloudflare and Microsoft announced that they dismantled RaccoonO365, a Phishing-as-a-Service enterprise that sold phishing kits via Telegram designed to steal Microsoft 365 credentials. They conducted a joint takedown of hundreds of Cloudflare domains and Worker accounts in coordination with Microsoft\u2019s broader efforts through a civil lawsuit filed in August. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cloudflare.com\/threat-intelligence\/research\/report\/cloudflare-participates-in-global-operation-to-disrupt-raccoono365\/\">link<\/a> <\/p><p><strong>Global spearphishing campaign leverages FileFix to harvest credentials<\/strong><br> On September 16, Acronis reported a spearphishing campaign leveraging a variant of the FileFix technique to harvest credentials. The campaign uses multilingual phishing pages and steganography to hide an obfuscated PowerShell script and payloads inside JPG images. 
The multi-stage payloads fetch a Go-based loader that drops the StealC infostealer, which harvests browser, wallet and cloud credentials. Worldwide detections suggest an accelerating global campaign. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography\/\">link<\/a> <\/p><p><strong>Malicious npm packages used to conduct supply-chain attack<\/strong><br> On September 8, Aikido\u2019s intelligence feed reported an incident affecting 18 popular npm packages with over 2.6 billion weekly downloads. Unknown threat actors injected malicious code that acts as a browser-based interceptor, capable of hijacking network traffic and application APIs. It reportedly monitors for cryptocurrency addresses and transactions, which it then redirects to attacker-controlled wallet addresses. The threat actors were able to modify the packages after delivering phishing e-mails to maintainers. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.aikido.dev\/blog\/npm-debug-and-chalk-packages-compromised\">link<\/a> <\/p><p><strong>ESET reveals first alleged case of AI-powered ransomware PromptLock<\/strong><br> On August 27, ESET disclosed PromptLock, a proof-of-concept ransomware they claim is the first known AI-powered variant. It reportedly leverages a local OpenAI gpt-oss:20b model via the Ollama API to dynamically generate and execute malicious Lua scripts to enumerate files, exfiltrate data and encrypt systems across Windows, macOS and Linux. While not yet observed in the wild, PromptLock highlights that AI-driven adaptability will likely continue to enhance threat actor operations. 
<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/en\/ransomware\/first-known-ai-powered-ransomware-uncovered-eset-research\/\">link<\/a><\/p><h4 id=\"opportunistic\">Opportunistic<\/h4><p><strong>Cisco ASA vulnerabilities CVE-2025-20333 and CVE-2025-20362 actively exploited as zero-days<\/strong><br> On September 25, Cisco reported that a threat actor is chaining exploitation of two zero-days affecting Cisco ASA devices, namely CVE-2025-20333 and CVE-2025-20362. The exploitation allows for unauthenticated, remote code execution and full device control on affected devices. Cisco observed the exploitation on legacy Cisco ASA 5500-X firewalls running ASA Software with VPN web services enabled. Related CERT-EU product: TA 25-153. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/resources\/asa_ftd_continued_attacks\">link<\/a> <\/p><p><strong>Cisco IOS and IOS XE zero-day vulnerability CVE-2025-20352 exploited in the wild<\/strong><br> On September 24, Cisco issued a security advisory for Cisco IOS and IOS XE for CVE-2025-20352. Attackers exploiting this vulnerability can perform Denial-of-Service with low privileges and remote code execution with root privileges. A threat actor exploited this vulnerability in the wild as a zero-day after compromising local administrator credentials. Affected organisations should patch as there are no known workarounds for this vulnerability. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks\/\">link<\/a> <\/p><p><strong>GreyNoise warns of massive scans targeting Cisco ASA devices ahead of possible exploits<\/strong><br> On September 4, GreyNoise reported a sharp surge in scans against Cisco ASA devices, logging up to 25.000 unique IPs, mostly from a Brazilian botnet, probing ASA login portals and Cisco IOS Telnet\/SSH. Researchers warn such reconnaissance often precedes vulnerability disclosures and urge administrators to patch ASA devices, enable MFA, restrict external access to interfaces, and use shared indicators to block or limit suspicious traffic before exploitation attempts occur. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.greynoise.io\/blog\/scanning-surge-cisco-asa-devices\">link<\/a> <\/p><p><strong>Over 3.300 secrets stolen in GhostAction supply chain campaign via GitHub workflows<\/strong><br> On 5 September, GitGuardian disclosed GhostAction, a supply chain campaign in which threat actors injected malicious GitHub Actions workflows into 817 repositories across 327 users. These workflows exfiltrated 3.325 secrets, including PyPI, npm and Docker Hub tokens, to an attacker-controlled endpoint via HTTP POST requests. The breach underscores the significant risks of compromised CI\/CD pipelines and workflows within the software supply chain. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.gitguardian.com\/ghostaction-campaign-3-325-secrets-stolen\/\">link<\/a> <\/p><p><strong>Microsoft Entra ID flaw allowed hijacking any company\u2019s tenant<\/strong><br> On September 21, serious vulnerability CVE-2025-55241 was revealed in Microsoft Entra ID (formerly Azure AD) that let attackers hijack any company\u2019s tenant. 
By exploiting \u2018actor tokens\u2019 (undocumented, unsigned tokens) via the deprecated Azure AD Graph API, a threat actor could impersonate any user, including global administrators, accessing sensitive data without triggering tenant logs. Microsoft patched the issue on September 4. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/dirkjanm.io\/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens\/\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\">
Agen&#539;ia cibernetic&#259; a Cehiei avertizeaz&#259; entit&#259;&#539;ile cu infrastructur&#259; critic&#259; &icirc;mpotriva tehnologiei chineze &#537;i &icirc;&#537;i actualizeaz&#259; evaluarea privind perturb&#259;rile legate de China la &bdquo;mare&rdquo;.<\/p><\/li><li><p>&Icirc;n ceea ce prive&#537;te<strong>criminalitatea cibernetic&#259;<\/strong>, Cloudflare &#537;i Microsoft elimin&#259; &icirc;mpreun&#259; domeniile RaccoonO365 PhaaS, iar ESET dezv&#259;luie PromptLock, primul presupus ransomware alimentat de AI. Acronis a identificat o campanie de spearphishing folosind FileFix pentru a colecta acredit&#259;ri.<\/p><\/li><li><p>Pe<strong>ciberspionaj<\/strong>&Icirc;n fa&#539;a, UNC1549, legat de Iran, a condus o campanie de spearphishing multisectorial &icirc;n Europa, iar doi adolescen&#539;i olandezi au fost aresta&#539;i pentru spionaj legat de Rusia &icirc;mpotriva Europol &#537;i Eurojust. APT-urile Turla &#537;i Gamaredon, legate de Rusia, au colaborat pentru a viza Ucraina.<\/p><\/li><li><p>Au fost<strong>perturbator<\/strong>atacuri care au afectat mai multe aeroporturi europene, iar comisia electoral&#259; a Moldovei a suferit un atac de refuzare a serviciului cu c&acirc;teva zile &icirc;nainte de alegeri. 
Unit&#259;&#539;ile cibernetice HUR din Ucraina au atacat re&#539;elele ruse&#537;ti de combustibil &#537;i telecomunica&#539;ii.<\/p><\/li><li><p>&Icirc;n ceea ce prive&#537;te<strong>expunerea datelor &#537;i scurgerile<\/strong>incidente, Polish Bank PKO Polski, ar fi experimentat o &icirc;nc&#259;lcare a datelor de contact ale angaja&#539;ilor s&#259;i, iar London North Eastern Railway a raportat o &icirc;nc&#259;lcare a datelor clien&#539;ilor s&#259;i.<\/p><\/li><li><p>Pe<strong>hacktivism<\/strong>&Icirc;n fa&#539;a, hacktivi&#537;tii NoName057, lega&#539;i de Rusia, au sus&#539;inut atacuri DDoS &icirc;mpotriva site-urilor rom&acirc;ne&#537;ti pentru a se opune dezvolt&#259;rii comune de drone rom&acirc;no-ucrainene &#537;i au sus&#539;inut atacuri DDoS &icirc;mpotriva site-urilor franceze, invoc&acirc;nd solidaritatea lor cu protestul francez &bdquo;Block Everything&rdquo;.<\/p><\/li><\/ul><h2 id=\"europe\">Europa<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Politica cibernetic&#259; &#537;i aplicarea legii<\/h3><p><strong>Gazda antiglon&#539; Stark Industries se sustrage de la sanc&#539;iunile UE<\/strong><br>Pe 11 septembrie, KrebsOnSecurity a raportat c&#259; sanc&#539;iunile UE impuse pe 20 mai 2025 &icirc;mpotriva Stark Industries Solutions, o gazd&#259; antiglon&#539; legat&#259; de actori de amenin&#539;&#259;ri lega&#539;i de Rusia, au avut un efect limitat. &Icirc;n c&acirc;teva s&#259;pt&#259;m&acirc;ni, Stark a redenumit &bdquo;[.]gazd&#259;&rdquo; sub entitatea olandez&#259; WorkTitans BV. P&acirc;n&#259; la 24 iunie 2025, au mutat infrastructura la PQ Hosting Plus din Moldova. 
Ambele r&#259;m&acirc;n legate de operatorii originali.<code>rusia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/krebsonsecurity.com\/2025\/09\/bulletproof-host-stark-industries-evades-eu-sanctions\/\">link<\/a> <\/p><p><strong>Italia aprob&#259; noua lege AI<\/strong><br>Pe 17 septembrie, Parlamentul Italiei a aprobat o lege privind utilizarea &icirc;n siguran&#539;&#259; a inteligen&#539;ei artificiale. Legea acoper&#259; mai multe sectoare, inclusiv administra&#539;ia public&#259;, s&#259;n&#259;tatea, munca, justi&#539;ia &#537;i educa&#539;ia, necesit&acirc;nd trasabilitate &#537;i supraveghere uman&#259; a deciziilor AI. Acest lucru face ca Italia s&#259; fie prima &#539;ar&#259; din Uniunea European&#259; cu reglement&#259;ri cuprinz&#259;toare privind IA, aliniate cu Actul AI al UE.<code>inteligen&#539;&#259; artificial&#259;<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/technology\/italy-enacts-ai-law-covering-privacy-oversight-child-access-2025-09-17\/\">link<\/a> <\/p><p><strong>Agen&#539;ia cibernetic&#259; ceh&#259; avertizeaz&#259; sectoarele critice &icirc;mpotriva utiliz&#259;rii tehnologiei care transfer&#259; date &icirc;n China<\/strong><br>Pe 3 septembrie, Agen&#539;ia Na&#539;ional&#259; de Securitate Cibernetic&#259; &#537;i Informa&#539;ional&#259; a Republicii Cehe (NUKIB) a avertizat operatorii de infrastructur&#259; critic&#259; s&#259; evite utilizarea tehnologiei chineze, invoc&acirc;nd un risc &bdquo;ridicat&rdquo; de &icirc;ntrerupere recent evaluat. 
The agency emphasised that Chinese suppliers can access sensitive data and may already be conducting hostile cyber activities, urging sectors such as energy, health, transport and finance to include these threats in their risk analyses and to adopt strong mitigation measures.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/nukib.gov.cz\/cs\/infoservis\/aktuality\/2294-nukib-vydal-varovani-pred-hrozbou-spocivajici-v-predavani-dat-a-ve-vykonu-vzdalene-spravy-z-cinske-lidove-republiky\/\">link<\/a> <\/p><p><strong>Poland increases cybersecurity budget amid daily Russia-linked attacks disrupting hospitals and water supply plants<\/strong><br>On September 16, Poland announced an increase of its cybersecurity budget from 600 million euros to one billion euros following reported ongoing Russia-linked sabotage attacks. 
Several incidents caused temporary disruptions at healthcare facilities, in addition to a major attempt against a water supply plant in a large city.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ft.com\/content\/3e7c7a96-09e7-407f-98d7-a29310743d28\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage and prepositioning<\/h3><p><strong>Iran-linked UNC1549 deploys malware in campaign targeting Europe's defence, telecommunications and aerospace sectors<\/strong><br>On September 22, Check Point Research reported on Iran-aligned UNC1549 conducting a long-running cyberespionage campaign targeting the defence, telecommunications and aviation sectors in Europe. The campaign involved spearphishing attacks luring victims to fake career portals. These portals were used to deliver malware through a multi-stage DLL side-loading technique that involved the use of previously undocumented low-level APIs.<code>Iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/research.checkpoint.com\/2025\/nimbus-manticore-deploys-new-malware-targeting-europe\/\">link<\/a><\/p><p><strong>Dutch teenagers arrested for Russia-linked espionage against Europol and Eurojust<\/strong><br>On September 27, Dutch authorities arrested two 17-year-old boys accused of using Wi-Fi sniffer devices to surveil Europol, Eurojust and the Canadian embassy, after being recruited via Telegram to spy for Russia. 
A Europol spokesperson confirmed the incident, reporting no sign of compromise of the agency's systems.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dutch-teens-arrested-for-trying-to-spy-on-europol-for-russia\/\">link<\/a><\/p><p><strong>Targeted cyberattack on the Austrian Interior Ministry's IT systems<\/strong><br>On August 30, an Austrian media outlet reported a cyberattack that affected the IT infrastructure of Austria's Ministry of the Interior, resulting in unauthorised access to 100 of 60,000 e-mail accounts. No sensitive or personal data was reported as affected.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ots.at\/presseaussendung\/OTS_20250830_OTS0009\/gezielter-und-professioneller-cyberangriff-auf-die-it-infrastruktur-des-innenministeriums\">link<\/a> <\/p><p><strong>Russia-linked Gamaredon and Turla collaborate<\/strong><br>On September 19, ESET disclosed the first known collaboration between the FSB-linked Russian groups Gamaredon and Turla. Gamaredon used tools such as PteroGraphin, PteroOdd and PteroPaste to restart Turla's Kazuar v3 backdoor and to deploy Kazuar v2 implants on selected machines in Ukraine. 
Turla appears to operate only against high-value targets in Ukraine, while Gamaredon handles broader initial access operations.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/gamaredon-x-turla-collab\/\">link<\/a><\/p><h3 id=\"disruption-destruction\">Disruption and destruction<\/h3><p><strong>European airports disrupted by a cyberattack<\/strong><br>On September 20, a cyberattack on Collins Aerospace's MUSE system disabled electronic check-in and baggage drop at Brussels, Heathrow, Berlin and other European airports, forcing a switch to manual operations. At Brussels, several flights were cancelled or diverted, and authorities advised that half of the departing flights scheduled for September 21 be cancelled to ease delays.<code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/en\/cyberattack-causes-flight-delays-cancellations-brussels-airport-2025-09-20\/\">link<\/a><\/p><p><strong>Moldova's electoral commission suffered cyberattacks ahead of elections<\/strong><br>On September 26, Moldova's Central Electoral Commission suffered an alleged Russia-linked cyberattack days before its parliamentary elections. Wi-Fi routers were hijacked for denial of service against its servers. 
The European Commission deployed its new cyber reserve to support Moldova, marking the first activation of the EU capability under the Cyber Solidarity Act.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/moldova-electoral-commission-cyberattack-days-ahead-vote-russia-democracy-doina-nistor\/\">link<\/a><\/p><p><strong>Ukraine's HUR cyber units attack Russian fuel and telecommunications networks, causing losses of millions<\/strong><br>On September 7, Ukrainian defence intelligence (HUR) units launched cyberattacks against Russian infrastructure, which allegedly disrupted fuel payment systems, telecommunications networks and online platforms. The attacks also included defacing Russian websites with pro-Ukraine messages marking Military Intelligence Day. The attacks allegedly caused estimated losses of 1-3 million US dollars.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ukrinform.ua\/rubric-ato\/4034135-kiberkorpus-gur-zablokuvav-palivni-kartki-u-rosii-i-poklav-desatki-onlajnresursiv-dzerelo.html\">link<\/a><\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Russia-linked information operations targeting Moldova's elections<\/strong><br>On September 3, Recorded Future reported on Russia-linked information operations targeting the elections in the Republic of Moldova. These campaigns included Operation Overload, Foundation to Battle Injustice, Operation Undercut, Portal Kombat and Russian social media pages. 
The campaigns pushed narratives unfavourable to the President of the Republic of Moldova and advocated a closer relationship between Moldova and Russia.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.recordedfuture.com\/research\/russian-influence-assets-converge-on-moldovan-elections\">link<\/a> <\/p><p><strong>Russia-linked Storm-1516 targets European and North American countries using AI-generated deepfakes<\/strong><br>On September 18, Recorded Future reported on CopyCop (Storm-1516), a GRU-linked Russian influence campaign that has launched over 200 fake media websites targeting the US, France, Canada, Germany, Armenia and Moldova. It now also publishes in Turkish, Ukrainian and Swahili, pushing AI-generated deepfakes and dossiers to undermine support for Ukraine. Its reach and organic engagement remain high.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.recordedfuture.com\/research\/copycop-deepens-its-playbook-with-new-websites-and-targets\">link<\/a> <\/p><p><strong>ISD uncovers Czech X network spreading pro-Russia propaganda ahead of elections<\/strong><br>On September 4, the Institute for Strategic Dialogue (ISD) published an investigation revealing a Czech-language X community of approximately 70 pseudonymous accounts spreading pro-Russia propaganda and anti-Ukraine narratives ahead of the Czech elections in October. The accounts repackage Russian state media articles promoting conspiracies for Czech audiences. 
Its current reach remains limited.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.isdglobal.org\/digital_dispatches\/an-anti-ukrainian-community-on-x-a-gateway-for-russian-propaganda-in-the-czech-information-space\/\">link<\/a><\/p><p><strong>Russia-linked disinformation targets Poland after drone incident<\/strong><br>On September 12, Poland reported that a Russian disinformation campaign followed the drone incursions into its airspace. Poland's NASK National Research Institute detected anti-Ukraine disinformation campaigns portraying Poland as weak and suggesting military escalation with Belarus. Poland's cybersecurity leadership held emergency meetings and committed to providing verified updates to counter the campaign's wide online reach.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/after-testing-drone-defenses-russia-tested-nato-disinformation-response\/\">link<\/a><\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>PKO Bank Polski allegedly breached, employee contact data offered for sale<\/strong><br>On September 9, an unnamed threat actor on a cybercrime forum claimed to be selling data relating to the details of 32,815 employees and 17,135 devices obtained from Polish Bank PKO Polski. 
The bank confirmed that an actor had contacted them regarding the alleged employee contact information, but reported that no sensitive or private data of the bank's employees or its customers had been exposed.<code>finance<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/dailydarkweb.net\/pko-bank-polski-allegedly-breached-data-of-32000-employees-for-sale\/\">link<\/a> <\/p><p><strong>LNER reports third-party data breach affecting customer contact data<\/strong><br>On September 10, London North Eastern Railway (LNER) reported that files held by a third-party supplier were accessed without authorisation, exposing customer contact data and partial information about previous journeys, but not payment, bank or password data. Train services and ticketing were reportedly not affected.<code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lner.co.uk\/news\/lner-media-update-data-information\/\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>Pro-Russia hacktivists NoName057 target Romanian government and transport websites<\/strong><br>On September 29, the pro-Russia hacktivist group NoName057 claimed responsibility for unverified distributed denial-of-service (DDoS) campaigns targeting at least five Romanian websites, including government, transport and airport entities. 
The group framed the activity as part of the #OpRomania campaign, citing media reports about joint Romanian-Ukrainian drone development.<code>Russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/Noname05716\/status\/1972622176907047316\">link<\/a><\/p><p><strong>NoName057 targets French organisations amid Block Everything protests<\/strong><br>On September 10 and 11, the Russia-linked hacktivist group NoName057 made unverified claims of DDoS attacks against at least 15 French organisations, including government agencies, an insurance firm, an airport and manufacturing entities, citing support for the &ldquo;Block Everything&rdquo; protests in France.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/Noname05716\/status\/1965679615898276129\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>US Secret Service dismantled electronic device network in New York<\/strong><br>On September 23, the US Secret Service dismantled a network of electronic devices located within 55 km of the United Nations. They seized over 300 SIM servers and 100,000 SIM cards. These could have been used to make anonymous threats against US officials and to carry out telecommunications attacks, including DDoS. 
They reportedly found evidence of communication between nation-state threat actors and individuals known to law enforcement.<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.secretservice.gov\/newsroom\/releases\/2025\/09\/us-secret-service-dismantles-imminent-telecommunications-threat-new-york\">link<\/a><\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage and prepositioning<\/h3><p><strong>WhatsApp patches zero-click flaw exploited in targeted attacks<\/strong><br>On August 29, WhatsApp released patches for a critical zero-click vulnerability (CVE-2025-55177) affecting the iOS, WhatsApp Business on iOS and macOS clients, which was exploited in sophisticated targeted attacks. The flaw allowed unauthorised users to trigger the processing of content from arbitrary URLs on a victim's device, potentially combined with an Apple operating-system-level vulnerability (CVE-2025-43300). Affected users were urged to update promptly and to consider a factory reset if notified of a compromise.<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/whatsapp-patches-vulnerability-exploited-in-zero-day-attacks\/\">link<\/a> <\/p><p><strong>North Korea-linked Famous Chollima monitors its infrastructure using public threat intelligence sources<\/strong><br>On September 4, SentinelLabs reported that the North Korea-linked threat actor Famous Chollima uses public threat intelligence sources to actively monitor its own infrastructure. 
The threat actor used Gmail addresses with Astrill VPN IPs to create Validin accounts. It also monitors the Maltrail project on GitHub to check for Lazarus-related indicators and used Slack to coordinate its activities.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sentinelone.com\/labs\/contagious-interview-threat-actors-scout-cyber-intel-platforms-reveal-plans-and-ops\/\">link<\/a> <\/p><p><strong>APT29 campaign mimicking Cloudflare verification pages<\/strong><br>On August 29, Amazon disrupted a campaign by the Russia-linked threat actor APT29. The group compromised websites to redirect users to domains mimicking Cloudflare, luring them into the Microsoft device code authentication flow for credential harvesting. Amazon isolated the affected infrastructure, worked with providers to block the domains and shared information with Microsoft.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/aws.amazon.com\/es\/blogs\/security\/amazon-disrupts-watering-hole-campaign-by-russias-apt29\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Joint Cloudflare and Microsoft takedown of RaccoonO365 PhaaS domains<\/strong><br>On September 10, Cloudflare and Microsoft announced that they had dismantled RaccoonO365, a Phishing-as-a-Service enterprise that sold phishing kits via Telegram designed to steal Microsoft 365 credentials. 
They carried out a joint takedown of hundreds of Cloudflare domains and Worker accounts, in coordination with Microsoft's broader efforts, through a civil lawsuit filed in August.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cloudflare.com\/threat-intelligence\/research\/report\/cloudflare-participates-in-global-operation-to-disrupt-raccoono365\/\">link<\/a> <\/p><p><strong>Global spearphishing campaign uses FileFix to harvest credentials<\/strong><br>On September 16, Acronis reported a spearphishing campaign using a variant of the FileFix technique to harvest credentials. The campaign uses multilingual phishing pages and leverages steganography to hide obfuscated PowerShell and payloads inside JPG images. The multi-stage payloads fetched a Go-based loader that drops the StealC infostealer, which harvests browser, wallet and cloud credentials. Worldwide detections suggest an accelerating global campaign.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.acronis.com\/en\/tru\/posts\/filefix-in-the-wild-new-filefix-campaign-goes-beyond-poc-and-leverages-steganography\/\">link<\/a> <\/p><p><strong>Malicious npm packages used to carry out supply chain attacks<\/strong><br>On September 8, Aikido's intelligence feed reported an incident affecting 18 popular npm packages with over 2.6 billion weekly downloads. Unknown threat actors injected malicious code that acts as a browser-based interceptor capable of hijacking network traffic and application APIs. 
It reportedly monitors cryptocurrency addresses and transactions, which it then redirects to attacker-controlled wallet addresses. The threat actors were able to modify the packages after delivering phishing e-mails to the maintainers.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.aikido.dev\/blog\/npm-debug-and-chalk-packages-compromised\">link<\/a> <\/p><p><strong>ESET discloses PromptLock, the first alleged AI-powered ransomware<\/strong><br>On August 27, ESET disclosed PromptLock, a proof-of-concept ransomware that they claim is the first known AI-powered variant. It reportedly uses a local OpenAI gpt-oss:20b model via the Ollama API to dynamically generate and execute malicious Lua scripts that enumerate files, exfiltrate data and encrypt systems on Windows, macOS and Linux. 
Although not yet observed in the wild, PromptLock underlines that AI-driven adaptability will likely continue to enhance threat actors' operations.<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/en\/ransomware\/first-known-ai-powered-ransomware-uncovered-eset-research\/\">link<\/a><\/p><h4 id=\"opportunistic\">Opportunistic<\/h4><p><strong>Cisco ASA vulnerabilities CVE-2025-20333 and CVE-2025-20362 actively exploited as zero-days<\/strong><br>On September 25, Cisco reported that a threat actor is chaining the exploitation of two zero-days affecting Cisco ASA, namely CVE-2025-20333 and CVE-2025-20362. Exploitation allows unauthenticated remote code execution and full control of affected devices. Cisco observed exploitation of legacy Cisco ASA 5500-X firewalls running ASA software with VPN web services enabled. Related CERT-EU product: TA 25-153.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/resources\/asa_ftd_continued_attacks\">link<\/a> <\/p><p><strong>Cisco IOS and IOS XE zero-day vulnerability CVE-2025-20352 exploited in the wild<\/strong><br>On September 24, Cisco issued a security advisory for Cisco IOS and IOS XE covering CVE-2025-20352. Attackers exploiting this vulnerability can cause denial of service with low privileges and achieve remote code execution with root privileges. 
A threat actor exploited this vulnerability in the wild as a zero-day after compromising local administrator credentials. Affected organisations should patch, as there are no known workarounds for this vulnerability.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks\/\">link<\/a> <\/p><p><strong>GreyNoise warns of massive scans targeting Cisco ASA devices ahead of possible exploitation<\/strong><br>On September 4, GreyNoise reported a sharp surge in scans against Cisco ASA devices, recording up to 25,000 unique IPs, most from a Brazilian botnet, probing ASA login portals and Cisco IOS Telnet\/SSH. 
Researchers warn that such reconnaissance often precedes vulnerability disclosures and urge administrators to patch ASA devices, enable MFA, restrict external access to interfaces and use shared indicators to block or rate-limit suspicious traffic before exploitation attempts occur.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.greynoise.io\/blog\/scanning-surge-cisco-asa-devices\">link<\/a> <\/p><p><strong>Over 3,300 secrets stolen in the GhostAction supply chain campaign via GitHub workflows<\/strong><br>On September 5, GitGuardian disclosed GhostAction, a supply chain campaign in which threat actors injected malicious GitHub Actions workflows into 817 repositories across 327 users. These workflows exfiltrated 3,325 secrets, including PyPI, npm and Docker Hub tokens, to an attacker-controlled endpoint via HTTP POST requests. The breach underlines the significant risks of compromised CI\/CD pipelines and workflows within the software supply chain.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.gitguardian.com\/ghostaction-campaign-3-325-secrets-stolen\/\">link<\/a> <\/p><p><strong>Microsoft Entra ID flaw allowed takeover of any company's tenant<\/strong><br>On September 21, the serious vulnerability CVE-2025-55241 was disclosed in Microsoft Entra ID (formerly Azure AD), which allowed attackers to take over any company's tenant. 
By exploiting &ldquo;actor tokens&rdquo; (undocumented, unsigned tokens) via the legacy Azure AD Graph API, a threat actor could impersonate any user, including global administrators, accessing sensitive data without triggering tenant logs. Microsoft fixed the issue on September 4.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/dirkjanm.io\/obtaining-global-admin-in-every-entra-id-tenant-with-actor-tokens\/\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>The conclusions or attributions made in this document reflect only what publicly available sources report. They do not reflect our position.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <script>\n        function switchLanguage(lang) {\n            \/\/ Hide both versions\n            document.getElementById(\"content-ro\").style.display = \"none\";\n            document.getElementById(\"content-en\").style.display = \"none\";\n\n            \/\/ Reset button styles\n            document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n                btn.style.background = \"#e5e7eb\";\n                btn.style.color = \"#374151\";\n                btn.classList.remove(\"lang-btn-active\");\n            });\n\n            \/\/ Show the selected version\n            if (lang === \"ro\") {\n                document.getElementById(\"content-ro\").style.display = \"block\";\n                document.getElementById(\"btn-lang-ro\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-ro\").style.color = \"white\";\n                document.getElementById(\"btn-lang-ro\").classList.add(\"lang-btn-active\");\n            } else {\n 
               document.getElementById(\"content-en\").style.display = \"block\";\n                document.getElementById(\"btn-lang-en\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-en\").style.color = \"white\";\n                document.getElementById(\"btn-lang-en\").classList.add(\"lang-btn-active\");\n            }\n\n            \/\/ Salveaz\u0103 preferin\u021ba \u00een localStorage\n            localStorage.setItem(\"gpss_preferred_language\", lang);\n        }\n\n        \/\/ Restaureaz\u0103 preferin\u021ba utilizatorului la \u00eenc\u0103rcare\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            var preferredLang = localStorage.getItem(\"gpss_preferred_language\") || \"ro\";\n            switchLanguage(preferredLang);\n        });\n\n        \/\/ Hover effects pentru butoane\n        document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n            btn.addEventListener(\"mouseenter\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#bfdbfe\";\n                    this.style.color = \"#1e40af\";\n                }\n            });\n            btn.addEventListener(\"mouseleave\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#e5e7eb\";\n                    this.style.color = \"#374151\";\n                }\n            });\n        });\n        <\/script>\n\n        <style>\n        .lang-btn:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.3);\n        }\n        .lang-btn-active {\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.4);\n        }\n        <\/style>\n        ","protected":false},"excerpt":{"rendered":"<p>\ud83c\udf0d Limb\u0103 \/ Language: \ud83c\uddec\ud83c\udde7 English (Original) \ud83c\uddf7\ud83c\uddf4 Rom\u00e2n\u0103 
Traducere automat\u0103 \/ Automatic translation Cyber Brief (September 2025) October 1, 2025 &#8211; Version: 1 TLP:CLEAR Executive summary We analysed 285 open source reports for this Cyber Security Brief1. Relating to cyber policy and law enforcement, Russia-linked bulletproof host Stark Industries has evaded EU sanctions, and [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-991420","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/pages\/991420","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/comments?post=991420"}],"version-history":[{"count":5,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/pages\/991420\/revisions"}],"predecessor-version":[{"id":991426,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/pages\/991420\/revisions\/991426"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=991420"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}