{"id":992320,"date":"2025-11-03T00:44:52","date_gmt":"2025-11-02T21:44:52","guid":{"rendered":"https:\/\/gpss.ro\/threat-intelligence\/cyber-brief-25-09-august-2025\/"},"modified":"2025-11-03T00:44:52","modified_gmt":"2025-11-02T21:44:52","slug":"cyber-brief-25-09-august-2025","status":"publish","type":"threat_intelligence","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/cyber-brief-25-09-august-2025\/","title":{"rendered":"Cyber Brief 25-09 &#8211; August 2025"},"content":{"rendered":"<div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n            <div 
class=\"article-content\"><h2 id=\"cyber-brief-august-2025\">Cyber Brief (August 2025)<\/h2><p>September 2, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 321 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>Relating to <strong>cyber policy and law enforcement<\/strong>, Ukraine, Romania, and Moldova joined forces to create a regional cyber alliance, and Romania created a CSIRT for the energy sector. Russia reportedly conducted tests to block WhatsApp and Telegram calls, and ordered the state-backed MAX messenger app to be pre-installed on phones and tablets. <\/p><\/li><li><p>On the <strong>cyberespionage<\/strong> front, threat actors breached critical organisations in the Netherlands through a Citrix NetScaler vulnerability, an Iran-linked threat actor targeted Berlin\u2019s Justice Senator, and several countries issued a joint advisory on Chinese threat actors targeting telecommunications.<\/p><\/li><li><p>Relating to <strong>cybercrime<\/strong>, the Salty 2FA phishing kit targets organisations across many industries, Akira ransomware was at the front of the news, and macOS users were targeted in phishing and malvertising campaigns.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> attacks in Moldova and Norway, affecting government systems and a dam. Moreover, pro-Ukraine supposed hacktivists took over Russian TV on Ukraine\u2019s Independence Day.<\/p><\/li><li><p>As regards <strong>data exposure and leaks<\/strong>, Orange Belgium, Bouygues Telecom, Air France and KLM disclosed data breaches, while stolen OAuth tokens of a Salesforce-integrated service provider exposed customer data at scale. Ukraine conducted a cyber operation exposing secrets of Russia\u2019s new nuclear submarine. 
North Korea-linked Kimsuky suffer data breach.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>Regional Cyber Alliance formed by Ukraine, Romania and Moldova<\/strong><br> On August\u202f1, Ukraine\u2019s National Security and Defence Council announced the creation of a regional cyber alliance involving Ukraine, Romania and Moldova, following consultations on July\u202f30 in Chernivtsi. Its goals: enhancing cooperation against cyber and hybrid threats, AI-based threat detection, joint training, and strengthening infrastructure resilience and democratic institutions. The alliance is open to new democratic partners and aims to reinforce collective cyber defence, especially against threats from Russia. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.rnbo.gov.ua\/ua\/Diialnist\/7250.html\">link<\/a> <\/p><p><strong>Romania sets up energy cybersecurity centre to support Ukraine and Moldova<\/strong><br> On August 18, Romania\u2019s Ministry of Energy issued an ordinance to establish a CSIRT for the energy sector. It cites rising cyber threats fuelled by market liberalisation and Russia\u2019s war in Ukraine, underscoring Romania\u2019s role as a key electricity supplier to both Ukraine and Moldova and its duty to uphold regional energy security. Romania\u2019s National Cybersecurity Directorate has already stepped up coordination with Ukrainian and Moldovan counterparts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.romania-insider.com\/romania-cybersecurity-incident-response-center-energy-2025\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage &amp; prepositioning<\/h3><p><strong>Iran-linked threat actor targets Berlin Justice Senator<\/strong><br> On August 19, Tagesschau reported that Berlin\u2019s Justice Senator Felor Badenberg fell victim to a targeted cyberattack, likely by an Iran-linked group. 
Threat actors accessed her personal data, e-mails, and digital calendar, revealing her movements and home addresses. The attack originated from a malicious e-mail purporting to come from the Central Council of Jews. Authorities quickly isolated the affected computer, and investigations are ongoing. <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.tagesschau.de\/inland\/regional\/berlin\/hacker-erbeuten-persoenliche-daten-von-justizsenatorin-badenberg-100.html\">link<\/a> <\/p><p><strong>Dutch National Cyber Security Centre says threat actors successfully breached critical organisations through Citrix vulnerability<\/strong><br> On August 11, the National Cyber Security Centre (NCSC) of the Netherlands updated its warning on the exploitation of the Citrix NetScaler vulnerability CVE-2025-6543. The NCSC states that several critical organisations in the Netherlands have fallen victim to successful attacks, and that the threat actors actively erased their tracks to hide the compromise, a sign of the sophistication of these attacks. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.nl\/actueel\/nieuws\/2025\/07\/22\/casus-citrix-kwetsbaarheid\">link<\/a> <\/p><p><strong>Russia-linked threat actor Curly COMrades targets Georgia and Moldova<\/strong><br> On August 12, Bitdefender reported that Curly COMrades, a cyberespionage threat actor active since mid-2024, targeted Georgian government and judicial bodies and Moldovan energy firms with the custom three-stage MucorAgent backdoor. The group relies on COM hijacking for stealthy persistence, credential theft, and living-off-the-land tools, and blends its malicious traffic with legitimate activity; its targeting aligns with Russian interests. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/businessinsights\/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Colt Technology Services targeted with Warlock ransomware<\/strong><br> On August 12, Colt Technology Services suffered a cyberattack that disrupted hosting, porting, Colt Online, and Voice API platforms. The firm confirmed support systems, not its core network, were impacted and reported the incident to authorities. WarLock claimed responsibility, offering alleged stolen data for sale. Security researchers suggest a Microsoft SharePoint flaw (CVE-2025-53770) enabled access, with hundreds of gigabytes of files exfiltrated. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/colt-telecom-attack-claimed-by-warlock-ransomware-data-up-for-sale\/\">link<\/a> <\/p><p><strong>IT system supplier cyberattack impacts 200 municipalities in Sweden<\/strong><br> On August 27, a cyberattack on Milj\u00f6data\u2014an IT-system provider used by about 80 % of Sweden\u2019s municipal administrations\u2014disrupted access in over 200 municipalities and raised concerns about stolen sensitive data, with attackers demanding a ransom of 1,5 BTC (approx. 146.000 Euro) to avoid data leaks. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/it-system-supplier-cyberattack-impacts-200-municipalities-in-sweden\/\">link<\/a> <\/p><p><strong>Salty 2FA phishing kit targets global industries<\/strong><br> On August 19, ANY.RUN published a report on Salty 2FA, a new phishing framework hitting organisations across the US and Europe. It primarily targets Microsoft 365 users in finance, telecom, energy, logistics, healthcare, consulting, education, and government sectors. 
Victims span multiple regions, including the USA, the UK, Germany, Spain, Italy, Switzerland, Canada, and Greece, with lures themed around voicemail, payroll, invoices, and proposal requests. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\">link<\/a> <\/p><h3 id=\"disruption-destruction\">Disruption &amp; destruction<\/h3><p><strong>Moldova's government systems targeted in coordinated cyberattack<\/strong><br> On August 12, Moldova\u2019s Information Technology and Cyber Security Service (STISC) announced that government systems had been the target of a large, organised cyberattack. STISC assessed that the threat actors were foreign and sought to damage the systems that underpin key state services, and said it suspects that some government employees were involved. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/newsinterpretation.com\/major-cyber-attack-disrupts-moldovas-government-systems-amid-employee-suspicion\/\">link<\/a> <\/p><p><strong>Pro-Russia supposed hacktivists linked to Norwegian dam sabotage<\/strong><br> On August 13, Norwegian authorities officially linked a cyber-sabotage incident from April to pro-Russia supposed hacktivists. On April 7, attackers remotely opened a flood gate at the Bremanger dam\u2014used for fish farming\u2014releasing some 500 litres\/sec for four hours before being stopped. No injuries occurred, but officials warned the act was intended to instil fear\u2014not cause physical damage. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.vg.no\/nyheter\/i\/mPJaE4\/pst-sjefen-mener-pro-russiske-hackere-sto-bak-cyberangrepet-mot-damanlegget-i-bremanger\">link<\/a><\/p><p><strong>Russia suspected of jamming GPS signal of European Commission President Ursula von der Leyen's plane<\/strong><br> On August 31, it was reported that the plane carrying European Commission President Ursula von der Leyen had been hit by GPS jamming the previous day while landing in Bulgaria. 
The European Commission suspects Russia of conducting the attack. Despite the interference, the plane landed safely and there were no further consequences. The Commission's President was on a tour of European countries regarded as \"frontline states\" facing Russia. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/ursula-von-der-leyen-plane-hit-by-gps-jamming-russia\/\">link<\/a><\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Moldovan authorities warn of Russian disinformation campaign targeting diaspora voters<\/strong><br> On August 4, Politico published an article about Russian disinformation operations aimed at Moldovans living in Europe, ahead of the parliamentary elections in September. According to National Security Adviser Stanislav Secrieru, the campaign aims to discourage them from voting, or to steer those who do vote toward a fake pro-EU force, and does so by imitating legitimate European news outlets. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/russia-moldova-voting-elections-candidates-west-kremlin\/\">link<\/a> <\/p><p><strong>Russian disinformation campaign cloned British 999 call with AI<\/strong><br> On July 31, BBC Verify revealed that the voice of a British 999 emergency call handler was cloned using AI for a Russia-linked disinformation campaign. The synthetic voice, lifted from an NHS training video, was used to spread fear ahead of Poland\u2019s May 2025 presidential election. The real call handler, Aaron, was shocked by its realism. 
<code>artificial intelligence<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/live\/ce35ly75ppkt?post=asset%3Ac8d1c46f-1b14-49bc-83d7-7a8b20345eee#post\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Orange Belgium discloses data breach impacting 850.000 customers<\/strong><br> At the end of July, Orange Belgium detected a cyberattack impacting around 850.000 customer accounts. The breach exposed names, telephone numbers, SIM card numbers, PUK codes, and tariff plans\u2014but did not include passwords, e-mail addresses, financial data, or home addresses. Orange promptly blocked access. Affected users were notified via e-mail or SMS and urged to remain vigilant against phishing attempts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/corporate.orange.be\/en\/node\/57971\">link<\/a> <\/p><p><strong>Bouygues Telecom confirms breach of 6,4 million customer records<\/strong><br> On August 4, Bouygues Telecom disclosed a cyberattack that exposed personal and contractual data of 6,4 million clients, including IBANs. The operator reported the incident to CNIL and law enforcement, stating that it was resolved promptly. The breach raises the risk of phishing and banking scams. The company has not shared technical details, and the intrusion method remains unknown. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lemondeinformatique.fr\/actualites\/lire-apres-un-piratage-6-4-millons-de-comptes-clients-bouygues-telecom-compromis-97604.html\">link<\/a> <\/p><p><strong>Air\u202fFrance and KLM disclose data breach<\/strong><br> On August\u202f7, Air\u202fFrance and KLM disclosed that attackers breached a third-party customer service platform, exposing an undisclosed number of customer records. 
Affected data includes names, contact details, Flying\u202fBlue account information and subject lines of support tickets\u2014but excludes sensitive personal or financial details like passwords, travel data, miles, passports or credit card information. The airlines cut off access, notified regulators, and informed customers to stay vigilant to phishing attempts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/nieuws.klm.com\/klm-informeert-klanten-over-incident-met-persoonsgegevens\/#\">link<\/a> <\/p><p><strong>HUR cyber operation exposes secrets of Russia\u2019s new nuclear submarine<\/strong><br> On August 4, Ukraine\u2019s military intelligence (HUR) published documents allegedly obtained via cyber operations, revealing detailed blueprints, crew lists, and vulnerabilities of Russia\u2019s new Borei\u2011class nuclear submarine, the K\u2011555 Prince Dmitry Pozharsky. The leak, exposing internal systems and personal data of the entire crew, is seen by analysts as a major intelligence coup with serious implications for Russian naval security. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.kyivpost.com\/post\/57506\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Russia reportedly conducts tests to block WhatsApp and Telegram<\/strong><br> On August 11, The Kyiv Independent reported that Russia was testing the blocking of WhatsApp and Telegram: voice and video calls in both applications were allegedly blocked. These actions come amid recurrent internet shutdowns and follow a law signed on June 24 to create a national digital platform, the aim being to replace foreign services with domestic ones. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/kyivindependent.com\/russia-tests-blocking-telegram-whatsapp-calls\/\">link<\/a> <\/p><p><strong>Russia orders state-backed MAX messenger app, a WhatsApp rival, pre-installed on phones and tablets<\/strong><br> On August 21, the Russian government announced that from September 1, 2025, all mobile phones and tablets sold in Russia must come pre-installed with MAX, a state-backed WhatsApp rival integrated with government services. The mandate also includes pre-installing the domestic app store RuStore on Apple devices and, from January 1, 2026, LIME HD TV on smart TVs. Critics warn of surveillance risks. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/technology\/russia-orders-state-backed-max-messenger-app-whatsapp-rival-pre-installed-phones-2025-08-21\/\">link<\/a><\/p><p><strong>FTC Chair warns tech firms against weakening data security or censoring Americans under foreign laws<\/strong><br> On August 21, FTC Chair Andrew N. Ferguson sent letters to 13 major tech firms\u2014including Apple, Amazon, Meta, Microsoft, and Alphabet\u2014warning them not to weaken data security or censor American users under pressure from foreign laws such as the EU Digital Services Act or the UK\u2019s Online Safety and Investigatory Powers Acts. He cautioned that doing so could breach US law. 
<code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/08\/ftc-chairman-ferguson-warns-companies-against-censoring-or-weakening-data-security-americans-behest\">link<\/a> <\/p><p><strong>Microsoft scales back Chinese access to cyber early warning system<\/strong><br> On August 21, Reuters reported that Microsoft has reduced access for certain Chinese firms to its cybersecurity early-warning system following suspicions that Beijing-linked actors exploited the Microsoft Active Protections Program (MAPP) to facilitate a hacking campaign targeting SharePoint servers in late June and early July. As a precaution, Microsoft is withholding proof-of-concept code from those firms and reaffirmed its commitment to reviewing and removing partners who breach their contracts. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/microsoft-scales-back-chinese-access-cyber-early-warning-system-2025-08-20\/\">link<\/a> <\/p><p><strong>Massive INTERPOL operation arrests 1.209 cybercriminals across Africa<\/strong><br> Between June and August 2025, INTERPOL-led Operation Serengeti 2.0 resulted in 1.209 cybercriminal arrests across 18 African nations and the UK. Targeting ransomware, online scams, and business e-mail compromise, the operation seized 97.4\u202fmillion US dollars and dismantled 11.432 malicious infrastructures, impacting nearly 88.000 victims globally. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/News-and-Events\/News\/2025\/African-authorities-dismantle-massive-cybercrime-and-fraud-networks-recover-millions\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage &amp; prepositioning<\/h3><p><strong>Several countries advise on Chinese threat actors targeting telecommunications<\/strong><br> On August 27, 13 countries, namely seven European Union countries, the Five Eyes, and Japan, issued a joint advisory on China-linked cyberespionage threat actors targeting networks worldwide, especially in telecommunications and government, and named Salt Typhoon specifically. The threat actors primarily target the routers of major telecommunications providers, including edge routers, and leverage compromised devices and trusted connections to pivot into other networks. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-239a\">link<\/a> <\/p><p><strong>China-linked threat actor conducts 10-month-long campaign infiltrating telecommunications in South-west Asia<\/strong><br> On July 29, Unit 42 published its findings on a 10-month-long campaign by a China-linked threat actor targeting telecommunications providers in South-west Asia. From February to November 2024, it found indicators of compromise at telecommunications companies in several countries, with the actor leveraging interconnected mobile roaming networks; however, it found no clear evidence of data collection or exfiltration. The campaign, tracked as CL-STA-0969, was highly sophisticated and heavily overlaps with Liminal Panda. 
<code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/infiltration-of-global-telecom-networks\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor Turla conducts adversary-in-the-middle campaign targeting diplomats in Moscow<\/strong><br> On July 31, Microsoft Threat Intelligence reported on a cyberespionage campaign by the Russia-linked threat actor Turla, also known as Secret Blizzard. This campaign targets embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow installs a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Turla to maintain persistence on diplomatic devices, likely for intelligence collection. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/31\/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats\/\">link<\/a> <\/p><p><strong>Static Tundra exploiting Cisco devices in long-running cyberespionage campaign<\/strong><br> On August 20, Cisco reported that the Russian state-sponsored cyberespionage group Static Tundra has been exploiting CVE-2018-0171 in Cisco IOS Smart Install to compromise unpatched, end-of-life network devices. The group is linked to the FSB\u2019s Centre 16 unit and operates as a sub-cluster of the broader Energetic Bear group. Their primary goal is intelligence gathering, targeting sectors such as telecommunications, higher education, and manufacturing across multiple continents. Related CERT-EU product: TA 25-134. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/static-tundra\/\">link<\/a> <\/p><p><strong>Surge in Fortinet brute-force activity may signal zero-day risk<\/strong><br> On August 3, GreyNoise observed a sharp rise in brute-force attempts against Fortinet SSL VPNs, followed on August 5 by activity targeting FortiManager. According to GreyNoise\u2019s earlier research, such spikes have preceded new vulnerability disclosures in 80% of cases. The campaign adapted over time, using distinct sets of IP addresses for probing and for intrusion attempts. The top targeted regions were Brazil and Hong Kong. Defenders should block the listed IPs, tighten login controls, and restrict external access. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.greynoise.io\/blog\/vulnerability-fortinet-vpn-bruteforce-spike\">link<\/a> <\/p><p><strong>Tracking Candiru\u2019s DevilsTongue spyware in multiple countries<\/strong><br> On August 5, Recorded Future published a report on Candiru\u2019s spyware infrastructure, uncovering eight operational clusters linked to the DevilsTongue spyware. The infrastructure varies in design, with some clusters using intermediaries or Tor. Five clusters are likely still active, including ones linked to Hungary and Saudi Arabia; one Indonesia-linked cluster was active until November 2024, while the status of two Azerbaijan-linked clusters is uncertain. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/assets.recordedfuture.com\/content\/dam\/insikt-report-pdfs\/2025\/cta-2025-0805.pdf\">link<\/a> <\/p><p><strong>Canadian House of Commons breach likely tied to Microsoft SharePoint ToolShell flaw<\/strong><br> In mid-August, Canada\u2019s House of Commons reportedly began investigating a cyberattack that occurred on August 8. Attackers exploited the Microsoft SharePoint ToolShell vulnerability (CVE-2025-53770) to access a database of employee details used for managing computers and mobile devices. 
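Detection logic of the kind GreyNoise's observation calls for, as an added example that is not GreyNoise's or Fortinet's code: it counts failed SSL VPN logins per source address in a sliding time window over constructed FortiOS-style log lines (the key=value field names approximate the real format and are an assumption of this example) and reports every source that crosses a threshold, together with how many distinct usernames it tried, which separates password spraying from a user who mistyped a password.

```python
"""Sliding-window brute-force detection over FortiOS-style SSL VPN event logs.
Added example, not GreyNoise's or Fortinet's code."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines. The key=value layout approximates FortiOS event
# logs (assumption); one source sprays six usernames in under a minute.
SAMPLE_LOGS = """\
date=2025-08-03 time=10:00:01 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:00:05 type="event" subtype="vpn" action="ssl-login-fail" user="test" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:00:09 type="event" subtype="vpn" action="ssl-login-fail" user="vpn" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:00:12 type="event" subtype="vpn" action="ssl-login-fail" user="guest" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:00:15 type="event" subtype="vpn" action="ssl-login-fail" user="root" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:00:20 type="event" subtype="vpn" action="ssl-login-fail" user="backup" remip=203.0.113.5 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:00:25 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
date=2025-08-03 time=10:05:00 type="event" subtype="vpn" action="ssl-login" user="jdoe" remip=192.0.2.10 reason="login successfully"
date=2025-08-03 time=10:30:00 type="event" subtype="vpn" action="ssl-login-fail" user="admin" remip=198.51.100.7 reason="sslvpn_login_permission_denied"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Split one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def event_time(fields):
    return datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {remip: {"max_in_window": n, "distinct_users": m}} for every
    source that produced at least `threshold` failed logins inside any
    `window_seconds` span. Lines must be in chronological order."""
    recent = defaultdict(deque)   # remip -> timestamps of failures still in the window
    users = defaultdict(set)      # remip -> usernames attempted so far
    alerts = {}
    for line in lines:
        f = parse_kv(line)
        if f.get("action") != "ssl-login-fail":
            continue
        ip, ts = f["remip"], event_time(f)
        q = recent[ip]
        q.append(ts)
        users[ip].add(f.get("user", ""))
        # Drop failures that have fallen out of the window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            best = max(len(q), alerts.get(ip, {}).get("max_in_window", 0))
            alerts[ip] = {"max_in_window": best, "distinct_users": len(users[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOGS.splitlines()).items():
        print(f"{ip}: {info['max_in_window']} failures in 60s, {info['distinct_users']} usernames")
```

The window is a deque per source, so memory is bounded by the window size rather than the log volume; a high distinct-user count on one source is the spraying signature worth raising first, while the second source in the sample (two failures half an hour apart) stays below the threshold.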
Stolen data includes staff names, e-mail addresses, job titles, office locations, and device information. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cbc.ca\/news\/politics\/house-of-commons-data-breach-1.7608061\">link<\/a> <\/p><p><strong>Belarus-linked DSLRoot proxy network deploys hardware in US residences, including military homes<\/strong><br> On August 8, Infrawatch and KrebsOnSecurity uncovered DSLRoot, a Belarusian-run residential proxy network operating across 20+ US states. The network exploits consumer modems and Android devices\u2014without authentication\u2014to provide rotating SOCKS5 proxies. The investigation revealed compromised homes, including one linked to the military, highlighting the risks of foreign-operated proxy infrastructure inside the US. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/infrawatch.app\/blog\/dslroot-us-proxy-investigation\">link<\/a> <\/p><p><strong>Apple issues emergency patches for zero-day CVE-2025-43300 actively exploited in targeted attacks<\/strong><br> On August 20, Apple released emergency updates to fix CVE-2025-43300, an out-of-bounds write flaw in the Image I\/O framework actively exploited in sophisticated targeted attacks. Fixes shipped in iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, and macOS Sequoia 15.6.1, Sonoma 14.7.8 and Ventura 13.7.8. This is the sixth Apple zero-day exploited in the wild in 2025, making immediate installation of these updates critical. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/support.apple.com\/en-us\/124925\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Russia-linked RomCom exploits WinRAR CVE-2025-8088 as a zero-day in phishing attacks<\/strong><br> On August 8, ESET researchers reported that the Russia-linked threat actor RomCom exploited WinRAR CVE-2025-8088 as a zero-day in spearphishing attacks to deploy various backdoors. 
The directory traversal flaw, fixed in version 7.13, allowed crafted archives to place executables in autorun paths for remote code execution. Users must manually update WinRAR, which lacks auto-update. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks\/\">link<\/a> <\/p><p><strong>Akira affiliates abuse drivers for evasion tactics<\/strong><br> On August 5, GuidePoint reported that Akira ransomware activity involved repeated abuse of two Windows drivers\u2014<code>rwdrv.sys<\/code> and <code>hlpdrv.sys<\/code>. The group likely used <code>rwdrv.sys<\/code> to gain kernel-level access and enable <code>hlpdrv.sys<\/code>, which disables Windows Defender via registry changes. This Bring Your Own Vulnerable Driver (BYOVD) technique has appeared in multiple cases and serves as a strong detection indicator for defenders. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.guidepointsecurity.com\/blog\/gritrep-akira-sonicwall\/\">link<\/a> <\/p><p><strong>ClickFix phishing campaign targets macOS with AppleScript-based credential theft<\/strong><br> On August 7, Forcepoint reported a ClickFix phishing campaign targeting macOS users with a fake CAPTCHA page that delivers the Odyssey Stealer malware. The malicious AppleScript steals credentials, crypto wallet data, cookies, and files, then exfiltrates them via a ZIP archive. The threat actor uses OS-specific instructions and obfuscation to avoid detection and erases traces post-exfiltration. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/odyssey-stealer-attacks-macos-users\">link<\/a> <\/p><p><strong>Cookie Spider malvertising campaign delivering Shamos malware for macOS<\/strong><br> On August 20, CrowdStrike reported on Cookie Spider\u2019s Shamos malware campaign targeting over 300 macOS environments between June and August 2025. 
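A hardened archive extractor, as an added example that is not WinRAR's, ESET's or RomCom's code: it rejects the member names a crafted archive uses to drop a file outside the extraction directory (parent traversal into an autorun folder, absolute paths, and names carrying an NTFS alternate data stream marker), which is the class of flaw the WinRAR item describes. It uses Python's stdlib zipfile on a constructed in-memory archive because the stdlib cannot read RAR; the name checks are the same for any archive format. The Startup-folder path and the member names are constructed for the example.

```python
"""Hardened archive extraction that refuses traversal, absolute and NTFS
ADS member names. Added example, not WinRAR's, ESET's or RomCom's code."""
import io
import os
import tempfile
import zipfile
from pathlib import PureWindowsPath


def unsafe_reasons(name):
    """Return the list of reasons `name` must not be extracted (empty = safe).
    Names are interpreted as Windows paths because that is where the
    autorun-folder trick works; the checks are platform-independent."""
    reasons = []
    win = PureWindowsPath(name.replace("/", "\\"))
    if win.drive or win.root:
        reasons.append("absolute path")
    if any(part == ".." for part in win.parts):
        reasons.append("parent traversal")
    # 'decoy.txt:payload.exe' writes the payload into an alternate data
    # stream of decoy.txt; a ':' anywhere outside the drive letter means ADS.
    body = win.parts[1:] if win.drive else win.parts
    if any(":" in part for part in body):
        reasons.append("ads marker")
    return reasons


def safe_extract(archive_bytes, dest):
    """Extract only members whose names pass unsafe_reasons() and whose
    resolved path stays inside `dest`. Returns (extracted, rejected)."""
    root = os.path.realpath(dest)
    extracted, rejected = [], {}
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for member in zf.infolist():
            reasons = unsafe_reasons(member.filename)
            target = os.path.realpath(os.path.join(root, member.filename))
            if not reasons and not target.startswith(root + os.sep):
                reasons.append("escapes destination")  # second line of defence
            if reasons:
                rejected[member.filename] = reasons
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(member.filename)
    return sorted(extracted), rejected


# Constructed relative path that lands in the per-user Startup folder.
STARTUP = "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.exe"


def build_sample_archive():
    """Constructed archive: one benign file plus three hostile member names
    of the kind a crafted archive would carry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/notes.txt", b"quarterly figures\n")
        zf.writestr(STARTUP, b"MZ...")                     # autorun path via traversal
        zf.writestr("decoy.txt:payload.exe", b"MZ...")     # payload hidden in an ADS
        zf.writestr("C:\\Windows\\Temp\\x.exe", b"MZ...")  # absolute path
    return buf.getvalue()


def demo():
    """Extract the sample archive into a fresh temp dir; returns (extracted, rejected)."""
    return safe_extract(build_sample_archive(), tempfile.mkdtemp())


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    for name, why in rejected.items():
        print("rejected:", name, "->", ", ".join(why))
```

Checking the name before touching the filesystem matters because `os.path.realpath` alone does not understand backslashes or ADS syntax on a non-Windows host, so a Linux-based scanner that only resolved paths would pass a Windows-targeted archive as clean.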
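Correlation logic for the Akira driver-abuse pattern above, as an added example that is not GuidePoint's code: over constructed Sysmon-style JSON events (driver load, event 6; registry value set, event 13) it flags any host that loads rwdrv.sys or hlpdrv.sys, and raises the severity when rwdrv.sys is loaded, then hlpdrv.sys, then a Windows Defender policy value changes, all within a short window. The `DisableAntiSpyware` value under the Windows Defender policy key is this example's assumption for the "registry changes" the report describes; the hostnames, paths and timestamps are constructed.

```python
"""Correlate BYOVD indicators (rwdrv.sys, hlpdrv.sys, Defender policy change)
from Sysmon-style JSON events. Added example, not GuidePoint's code."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed events in the shape Sysmon JSON shippers emit (assumption):
# EventID 6 = driver loaded, EventID 13 = registry value set.
SAMPLE_EVENTS = r"""
{"host":"WS-ACCT-07","ts":"2025-08-01T02:14:05","EventID":6,"ImageLoaded":"C:\\Temp\\rwdrv.sys","Signed":"true"}
{"host":"WS-ACCT-07","ts":"2025-08-01T02:14:09","EventID":6,"ImageLoaded":"C:\\Temp\\hlpdrv.sys","Signed":"false"}
{"host":"WS-ACCT-07","ts":"2025-08-01T02:14:20","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","Details":"DWORD (0x00000001)"}
{"host":"SRV-FILE-02","ts":"2025-08-01T03:00:00","EventID":6,"ImageLoaded":"C:\\Windows\\System32\\drivers\\ntfs.sys","Signed":"true"}
{"host":"SRV-FILE-02","ts":"2025-08-01T03:02:10","EventID":6,"ImageLoaded":"C:\\Users\\Public\\rwdrv.sys","Signed":"true"}
{"host":"SRV-FILE-02","ts":"2025-08-01T09:30:00","EventID":13,"TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","Details":"DWORD (0x00000001)"}
"""

DRIVERS = ("rwdrv.sys", "hlpdrv.sys")
# Assumed registry value hlpdrv.sys flips; matched case-insensitively on the suffix.
DEFENDER_POLICY = "windows defender\\disableantispyware"


def load_events(text):
    """Parse JSON lines and order them per host by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: (e["host"], e["ts"]))
    return events


def correlate_byovd(events, window_seconds=600):
    """Return {host: {"severity": "high"|"medium", "indicators": [...]}}.
    'high' requires the ordered chain rwdrv.sys -> hlpdrv.sys -> Defender
    policy change within `window_seconds`; any single indicator is 'medium'."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    findings = {}
    for host, evs in by_host.items():
        indicators = []
        t_rw = t_hlp = t_reg = None   # first time each stage was seen, in order
        for e in evs:
            ts = datetime.fromisoformat(e["ts"])
            if e["EventID"] == 6:
                drv = e["ImageLoaded"].rsplit("\\", 1)[-1].lower()
                if drv not in DRIVERS:
                    continue
                indicators.append(drv)
                if drv == "rwdrv.sys" and t_rw is None:
                    t_rw = ts
                elif drv == "hlpdrv.sys" and t_rw is not None and t_hlp is None:
                    t_hlp = ts
            elif e["EventID"] == 13 and e["TargetObject"].lower().endswith(DEFENDER_POLICY):
                indicators.append("DisableAntiSpyware")
                if t_hlp is not None and t_reg is None:
                    t_reg = ts
        if not indicators:
            continue
        chain = t_reg is not None and (t_reg - t_rw).total_seconds() <= window_seconds
        findings[host] = {"severity": "high" if chain else "medium", "indicators": indicators}
    return findings


if __name__ == "__main__":
    for host, f in correlate_byovd(load_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {f['severity']} - {', '.join(f['indicators'])}")
```

The driver names alone are a strong indicator, as the report says, so a single load is still surfaced; the ordered chain is what turns a hunt lead into an incident, because a Defender policy change hours after an unrelated driver load (the second host in the sample) is far more likely to be an administrator than Akira.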
The cybercrime group used malvertising and fake help sites to trick users into running a malicious one-line command that bypassed Gatekeeper security checks and installed Shamos, which stole credentials, cryptocurrency data, and enabled persistence. CrowdStrike observed spoofed ads, GitHub repositories, and botnet modules in this activity. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/falcon-prevents-cookie-spider-shamos-delivery-macos\/\">link<\/a> <\/p><p><strong>Storm-2460 leverages Windows zero-day and fake ChatGPT app to deliver malware<\/strong><br> On August 18, Microsoft reported on a malware campaign leveraging a trojanized version of the open-source ChatGPT Desktop app to distribute a new modular backdoor called PipeMagic delivering a framework for running ransomware operations. Storm-2460, the financially motivated group behind PipeMagic, leveraged a Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS). <code>finance<\/code> <code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/08\/18\/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework\/\">link<\/a> <\/p><p><strong>SpyVPN Chrome extension secretly screenshots users\u2019 activity and exfiltrates data<\/strong><br> On August 19, Koi Security revealed that a Chrome-featured VPN extension named FreeVPN.One\u2014also known as SpyVPN \u2014with over 100.000 installs was covertly taking screenshots of everything users visited (banking, Google Sheets, personal photos) and sending them off to a remote server without consent or any visible indication. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.koi.security\/blog\/spyvpn-the-vpn-that-secretly-captures-your-screen\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks-2\">Data exposure and leaks<\/h3><p><strong>Google confirms Salesforce CRM data breach<\/strong><br> On August 5, Google updated a June report confirming its Salesforce CRM was breached via a vishing attack linked to UNC6040 (ShinyHunters), a financially motivated threat actor. Attackers accessed limited business contact data before access was cut. The incident is part of a broader campaign using malicious OAuth apps and social engineering, targeting major firms. Salesforce maintains that its core platform remains secure. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks\/\">link<\/a> <\/p><p><strong>Widespread data theft targets Salesforce instances via Salesloft Drift<\/strong><br> On August 26, Google reported that an unknown threat actor named UNC6395 abused OAuth tokens from Salesloft\u2019s Drift app to exfiltrate data from Salesforce instances of technology, finance, and healthcare firms. Between August 8 and 18, attackers automated theft of AWS keys, passwords, and Snowflake tokens. Salesforce and Salesloft revoked tokens on August 20 and removed Drift from AppExchange. Affected organisations were notified. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/data-theft-salesforce-instances-via-salesloft-drift?hl=en\">link<\/a> <\/p><p><strong>North Korea-linked Kimsuky suffer data breach<\/strong><br> On August 11, two unaffiliated threat actors named Saber and cyb0rg, publicly leaked data reportedly from North Korea-linked Kimsuky group. They mention moral reasons for the leak, namely saying that Kimsuky are morally perverted because they steal to enrich their leaders and fulfil their political agenda. 
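One way to hunt for the kind of secrets the Drift campaign harvested from Salesforce data, as an added example that is not Google's or Salesforce's code: a pattern scan over constructed Salesforce Case records for AWS access key IDs and secret keys, Snowflake account hostnames and pasted passwords, the same categories of strings that the Google advisory recommends searching for after revoking the tokens. Record IDs and text are constructed (the AWS credentials are the documented placeholder pair), and the regexes are heuristics, not an exhaustive secret grammar.

```python
"""Scan CRM record text for credential material of the kinds harvested in
the Salesloft Drift campaign. Added example, not Google's or Salesforce's code."""
import re

# Constructed Salesforce Case records (IDs and text are made up; the AWS
# values are the well-known documentation placeholders).
SAMPLE_RECORDS = [
    {"Id": "5003000000ABC01", "Subject": "Deployment failing",
     "Description": ("Customer pasted their config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
                     "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")},
    {"Id": "5003000000ABC02", "Subject": "Warehouse access",
     "Description": "Login at https://ab12345.eu-west-1.snowflakecomputing.com, password: Winter2025!"},
    {"Id": "5003000000ABC03", "Subject": "Invoice PDF not rendering",
     "Description": "The portal shows a blank page when opening invoices."},
]

# Heuristic patterns in priority order; group 1 is the sensitive value.
PATTERNS = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("aws_secret_access_key",
     re.compile(r"aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+=]{40})", re.I)),
    ("snowflake_account", re.compile(r"\b([a-z0-9_.-]+\.snowflakecomputing\.com)\b", re.I)),
    ("password", re.compile(r"\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)", re.I)),
]
FIELDS = ("Subject", "Description")   # free-text fields worth scanning


def redact(value, keep=4):
    """Keep a short prefix so an analyst can recognise the secret without re-exposing it."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_records(records):
    """Return one finding per match: record id, field, kind and redacted value."""
    findings = []
    for rec in records:
        for field in FIELDS:
            text = rec.get(field) or ""
            for kind, rx in PATTERNS:
                for m in rx.finditer(text):
                    findings.append({"record": rec["Id"], "field": field,
                                     "kind": kind, "redacted": redact(m.group(1))})
    return findings


def records_to_rotate(findings):
    """Record ids whose owners must be told to rotate credentials."""
    return sorted({f["record"] for f in findings})


if __name__ == "__main__":
    hits = scan_records(SAMPLE_RECORDS)
    for h in hits:
        print(f"{h['record']} {h['field']:<11} {h['kind']:<22} {h['redacted']}")
    print("rotate:", records_to_rotate(hits))
```

In practice the records would come from a Bulk API export of Case, Account, Opportunity and Contact objects; the scan is the cheap part, and the finding list doubles as the rotation checklist, since every match is a credential the attacker already holds.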
The dump amounts to 8.9 GB of data and includes, among other items, phishing logs from targeted South Korean governmental entities and websites, and malware. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/north-korean-kimsuky-hackers-exposed-in-alleged-data-breach\/\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>China\u2019s GoLaxy uses AI-driven propaganda system GoPro to influence public opinion<\/strong><br> On August 6, a New York Times article reported that leaked internal documents, obtained by Vanderbilt University researchers, reveal how the Chinese firm GoLaxy uses its AI-powered Smart Propaganda System GoPro to monitor and shape public opinion in Hong Kong, Taiwan, and China, and to collect data on US politicians. While no US election targeting is confirmed, GoPro can mass-produce tailored propaganda, bolstering China\u2019s influence as US countermeasures wane. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2025\/08\/06\/us\/politics\/china-artificial-intelligence-information-warfare.html?searchResultPosition=1\">link<\/a> <\/p><h3 id=\"disruption-destruction-2\">Disruption &amp; destruction<\/h3><p><strong>Malicious npm packages targeting WhatsApp developers contain remote kill-switch<\/strong><br> On August 6, Socket\u2019s Threat Research Team revealed two malicious npm packages\u2014naya-flore and nvlore-hsc\u2014masquerading as WhatsApp integration libraries. These packages feature a remote kill-switch that fetches a base64-encoded whitelist of phone numbers; if a developer\u2019s number isn\u2019t listed, the code executes a destructive <code>rm -rf *<\/code> to wipe their system. Despite over 1,110 downloads, both packages remain active on npm. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch\">link<\/a> <\/p><p><strong>Pro-Ukraine supposed hacktivists take over Russian TV on UA Independence Day<\/strong><br> On August 24, Ukraine\u2019s Independence Day, supposed pro-Ukraine hacktivists\u2014likely the Belarusian Cyber Partisans\u2014hijacked Russia\u2019s third-largest TV provider, airing messages on war losses and shortages for three hours across 116 channels and reaching 50,000 households. Ukrainian intelligence called them \u201clocal cyber partisans\u201d; no group claimed responsibility. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybernews.com\/cyber-war\/pro-ukrainian-cyber-partisans-hack-russian-tv-independence-day\/\">link<\/a> <\/p><h3 id=\"opportunistic\">Opportunistic<\/h3><p><strong>N-able N-central vulnerabilities exploited in the wild<\/strong><br> On August 13, CISA warned that threat actors are exploiting two N-able N-central vulnerabilities - CVE-2025-8875 and CVE-2025-8876 - enabling command execution and injection. N-able patched them in version 2025.3.1 and urged immediate updates. According to Shodan, around 2,000 instances are exposed online, the majority in the US, Australia, Germany and the Netherlands. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-of-n-able-n-central-flaws-exploited-in-zero-day-attacks\/\">link<\/a> <\/p><p><strong>Threat actors leveraging AI to replicate official government websites<\/strong><br> On August 5, cybersecurity company Zscaler ThreatLabz published its findings on a campaign that uses generative AI tools to create malicious replicas of Brazilian government websites. Researchers observed threat actors using AI tools such as DeepSite AI and BlackBox AI to produce phishing templates mimicking the official websites. 
This is symptomatic of how threat actors are increasingly leveraging AI tools. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/genai-used-phishing-websites-impersonating-brazil-s-government\">link<\/a> <\/p><p><strong>Trend Micro enterprise products face active exploitation (CVE-2025-54948 and CVE-2025-54987)<\/strong><br> On August 6, Trend Micro disclosed command injection flaws (CVE-2025-54948, CVE-2025-54987) in its enterprise endpoint security management console. A threat actor has already exploited CVE-2025-54948. Trend Micro mitigated the issues in its cloud-based products on July 31. On-premise users should apply the Fixtool immediately and await a critical patch expected in mid-August. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.jpcert.or.jp\/english\/at\/2025\/at250016.html\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. 
They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\"><h2 id=\"cyber-brief-august-2025\">Cyber Brief (August 2025)<\/h2><p>September 2, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Summary<\/h2><ul><li><p>We analysed 321 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>Relating to <strong>cyber policy and law enforcement<\/strong>, Ukraine, Romania and Moldova joined forces and created a regional cyber alliance, and Romania created a CSIRT for the energy sector. 
Russia conducted tests to block WhatsApp and Telegram and ordered the state-backed MAX messenger app to be pre-installed on phones and tablets.<\/p><\/li><li><p>On the <strong>cyberespionage<\/strong> front, threat actors breached critical organisations in the Netherlands through a Citrix vulnerability, an Iran-linked threat actor targets the Berlin Justice Senator, and several countries issued advice on Chinese threat actors targeting telecommunications.<\/p><\/li><li><p>Relating to <strong>cybercrime<\/strong>, the Salty 2FA phishing kit targets global industries, Akira ransomware was at the forefront of the news, and macOS was targeted in a phishing and malvertising campaign.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> attacks in Moldova and Norway, affecting government and water systems. Moreover, supposed pro-Ukraine hacktivists took over Russian TV on Ukraine\u2019s Independence Day.<\/p><\/li><li><p>As regards <strong>data exposure and leaks<\/strong> incidents, Orange Belgium, Bouygues Telecom, Air France and KLM disclosed data breaches, while the breach of a Salesforce CRM service provider exposed customer data at scale. Ukraine conducted a cyber operation exposing the secrets of Russia\u2019s new nuclear submarine. 
North Korea-linked Kimsuky suffers a data breach.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>Regional Cyber Alliance formed by Ukraine, Romania and Moldova<\/strong><br>On August 1, Ukraine\u2019s National Security and Defence Council announced the creation of a regional cyber alliance involving Ukraine, Romania and Moldova, following consultations held on July 30 in Chernivtsi. Its objectives: improving cooperation against cyber and hybrid threats, AI-based threat detection, joint training, and strengthening the resilience of infrastructure and democratic institutions. The alliance is open to new democratic partners and aims to strengthen collective cyber defence, particularly against threats from Russia. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.rnbo.gov.ua\/ua\/Diialnist\/7250.html\">link<\/a> <\/p><p><strong>Romania establishes an energy cybersecurity centre to support Ukraine and Moldova<\/strong><br>On August 18, Romania\u2019s Ministry of Energy issued an ordinance establishing a CSIRT for the energy sector. 
It cites growing cyber threats fuelled by market liberalisation and Russia\u2019s war in Ukraine, underlining Romania\u2019s role as a key electricity supplier to both Ukraine and Moldova and its duty to support regional energy security. Romania\u2019s National Cyber Security Directorate has already stepped up coordination with its Ukrainian and Moldovan counterparts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.romania-insider.com\/romania-cybersecurity-incident-response-center-energy-2025\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage and prepositioning<\/h3><p><strong>Iran-linked threat actor targets Berlin Justice Senator<\/strong><br>On August 19, Tagesschau reported that Berlin\u2019s Justice Senator, Felor Badenberg, was the victim of a targeted cyberattack, probably by an Iran-linked group. The threat actors accessed her personal data, e-mails and digital calendar, revealing her movements and home addresses. The attack originated from a malicious e-mail disguised as coming from the Central Council of Jews. 
The authorities quickly isolated the affected computer, and investigations are ongoing. <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.tagesschau.de\/inland\/regional\/berlin\/hacker-erbeuten-persoenliche-daten-von-justizsenatorin-badenberg-100.html\">link<\/a> <\/p><p><strong>Dutch National Cyber Security Centre says threat actors successfully breached critical organisations through Citrix vulnerability<\/strong><br>On August 11, the National Cyber Security Centre (NCSC) of the Netherlands updated a warning about the exploitation of the Citrix NetScaler vulnerability CVE-2025-6543. It notes that several critical organisations fell victim to successful attacks and that the threat actors actively wiped their traces to hide the compromise, showing a degree of sophistication in these attacks. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.nl\/actueel\/nieuws\/2025\/07\/22\/casus-citrix-kwetsbaarheid\">link<\/a> <\/p><p><strong>Russia-linked threat actor Curly COMrades targets Georgia and Moldova<\/strong><br>On August 12, Bitdefender reported that Curly COMrades, a cyberespionage threat actor active since mid-2024, targeted government and judicial bodies in Georgia and energy firms in the Republic of Moldova with the custom three-stage MucorAgent backdoor. 
The group used COM hijacking, covert persistence, credential theft and living-off-the-land tools, aligning its operations with Russian interests while blending malicious traffic with legitimate activity. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bitdefender.com\/en-us\/blog\/businessinsights\/curly-comrades-new-threat-actor-targeting-geopolitical-hotbeds\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Colt Technology Services targeted by Warlock ransomware<\/strong><br>On August 12, Colt Technology Services suffered a cyberattack that disrupted its hosting, porting, Colt Online and Voice API platforms. The firm confirmed that support systems, not its core network, were affected, and reported the incident to the authorities. WarLock claimed responsibility, offering allegedly stolen data for sale. 
Security researchers suggest that a Microsoft SharePoint flaw (CVE-2025-53770) enabled the access, with hundreds of gigabytes of files exfiltrated. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/colt-telecom-attack-claimed-by-warlock-ransomware-data-up-for-sale\/\">link<\/a> <\/p><p><strong>IT system supplier cyberattack impacts 200 municipalities in Sweden<\/strong><br>On August 27, a cyberattack on Milj&ouml;data, an IT system supplier used by around 80% of Sweden\u2019s municipal administrations, cut off access in more than 200 municipalities and raised concerns about the theft of sensitive data, with the attackers demanding a ransom of 1.5 BTC (around 146,000 euros) to avoid a data leak. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/it-system-supplier-cyberattack-impacts-200-municipalities-in-sweden\/\">link<\/a> <\/p><p><strong>Salty 2FA phishing kit targets global industries<\/strong><br>On August 19, ANY.RUN published a report on Salty 2FA, a new phishing framework hitting organisations in the US and Europe. It primarily targets Microsoft 365 users in the financial, telecommunications, energy, logistics, healthcare, consulting, education and government sectors. 
Victims span several regions, including the US, the United Kingdom, Germany, Spain, Italy, Switzerland, Canada and Greece, with lures themed around voicemail, payroll, invoices and requests for proposals. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/any.run\/cybersecurity-blog\/salty2fa-technical-analysis\">link<\/a> <\/p><h3 id=\"disruption-destruction\">Disruption &amp; destruction<\/h3><p><strong>Moldova\u2019s government systems targeted by coordinated cyberattacks<\/strong><br>On August 12, Moldova\u2019s Information Technology and Cyber Security Service (STISC) announced that its government systems had been the target of a large-scale, organised cyberattack. It assessed that the threat actors are foreign and were attempting to damage key cyber systems that help manage important state services. It also disclosed that it suspects some government employees were involved. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/newsinterpretation.com\/major-cyber-attack-disrupts-moldovas-government-systems-amid-employee-suspicion\/\">link<\/a> <\/p><p><strong>Supposed pro-Russia hacktivists linked to sabotage of Norwegian dam<\/strong><br>On August 13, the Norwegian authorities officially linked an April cyber sabotage incident to supposed pro-Russia hacktivists. On April 7, the attackers remotely opened a floodgate at the Bremanger dam, used for fish farming, releasing around 500 litres per second for four hours before being stopped. 
No injuries occurred, but officials warned that the act was meant to instil fear rather than cause physical damage. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.vg.no\/nyheter\/i\/mPJaE4\/pst-sjefen-mener-pro-russiske-hackere-sto-bak-cyberangrepet-mot-damanlegget-i-bremanger\">link<\/a><\/p><p><strong>Russia suspected of jamming the GPS signal of European Commission President Ursula von der Leyen\u2019s plane<\/strong><br>On August 31, it emerged that the plane of European Commission President Ursula von der Leyen had been hit by GPS jamming the previous day while landing in Bulgaria. The European Commission suspects Russia of carrying out the attack. Despite the interference, the plane landed safely and there were no real consequences. The Commission President was on a tour of European countries that are Russia\u2019s \u201cfrontline states\u201d. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/ursula-von-der-leyen-plane-hit-by-gps-jamming-russia\/\">link<\/a><\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Moldovan authorities warn of Russian disinformation campaign targeting diaspora voters<\/strong><br>On August 4, Politico published an article on Russian disinformation operations targeting Moldovans living in Europe ahead of the September presidential elections. According to national security adviser Stanislav Secrieru, the aim of the campaign is to encourage them not to vote, or to encourage those who do to support a fake pro-EU force. 
They do this by imitating legitimate European news outlets. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/russia-moldova-voting-elections-candidates-west-kremlin\/\">link<\/a> <\/p><p><strong>Russian disinformation campaign cloned a British 999 call handler with AI<\/strong><br>On July 31, BBC Verify revealed that the voice of a British 999 emergency call handler had been cloned using AI for a Russia-linked disinformation campaign. The synthetic voice, taken from an NHS training video, was used to spread fear ahead of Poland\u2019s May 2025 presidential elections. The real call handler, Aaron, was shocked by its realism. <code>artificial intelligence<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/live\/ce35ly75ppkt?post=asset%3Ac8d1c46f-1b14-49bc-83d7-7a8b20345eee#post\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Orange Belgium discloses data breach affecting 850,000 customers<\/strong><br>At the end of July, Orange Belgium detected a cyberattack affecting around 850,000 customer accounts. The breach exposed names, phone numbers, SIM card numbers, PUK codes and tariff plans, but did not include passwords, e-mail addresses, financial data or home addresses. Orange immediately blocked the access. 
Affected users were notified by e-mail or SMS and urged to remain vigilant against phishing attempts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/corporate.orange.be\/en\/node\/57971\">link<\/a> <\/p><p><strong>Bouygues Telecom confirms breach of 6.4 million customer records<\/strong><br>On August 4, Bouygues Telecom disclosed a cyberattack that exposed the personal and contractual data of 6.4 million customers, including IBANs. The operator reported the incident to the CNIL and law enforcement, stating that it was promptly resolved. The breach increases the risk of phishing and banking scams. The company has not shared technical details, and the intrusion method remains unknown. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lemondeinformatique.fr\/actualites\/lire-apres-un-piratage-6-4-millons-de-comptes-clients-bouygues-telecom-compromis-97604.html\">link<\/a> <\/p><p><strong>Air France and KLM disclose data breach<\/strong><br>On August 7, Air France and KLM disclosed that attackers had breached a third-party customer service platform, exposing an undisclosed number of customer records. The affected data includes names, contact details, FlyingBlue account information and support ticket subjects, but excludes sensitive personal or financial details such as passwords, travel dates, miles, passports or credit card information. 
The airlines cut off the access, notified regulators and advised customers to remain vigilant against phishing attempts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/nieuws.klm.com\/klm-informeert-klanten-over-incident-met-persoonsgegevens\/#\">link<\/a> <\/p><p><strong>HUR cyber operation exposes secrets of Russia\u2019s new nuclear submarine<\/strong><br>On August 4, Ukraine\u2019s military intelligence service (HUR) published documents allegedly obtained through cyber operations, revealing detailed plans, crew lists and vulnerabilities of Russia\u2019s new Borei-class nuclear submarine, K-555 Prince Dmitry Pozharsky. The leak, which exposes internal systems and the personal data of the entire crew, is seen by analysts as a major intelligence coup with serious implications for Russia\u2019s naval security. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.kyivpost.com\/post\/57506\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Russia conducts tests to block WhatsApp and Telegram<\/strong><br>On August 11, The Kyiv Independent published an article on Russia reportedly conducting tests to block WhatsApp and Telegram. In practice, the apps would have their voice and video calls blocked. These actions come amid recurring internet outages and the signing of a new law on June 24 to create a national digital platform. 
Their aim is to try to replace foreign services with domestic ones. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/kyivindependent.com\/russia-tests-blocking-telegram-whatsapp-calls\/\">link<\/a> <\/p><p><strong>Russia orders state-backed MAX messenger app, a WhatsApp rival, pre-installed on phones and tablets<\/strong><br>On August 21, the Russian government announced that from September 1, 2025, all mobile phones and tablets sold in Russia must come pre-installed with MAX, a state-backed WhatsApp rival integrated with government services. The mandate also includes pre-installing the domestic RuStore app store on Apple devices and, from January 1, 2026, LIME HD TV on smart TVs. Critics warn of surveillance risks. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/technology\/russia-orders-state-backed-max-messenger-app-whatsapp-rival-pre-installed-phones-2025-08-21\/\">link<\/a><\/p><p><strong>FTC Chairman warns tech firms against weakening data security or censoring Americans under foreign laws<\/strong><br>On August 21, FTC Chairman Andrew N. Ferguson sent letters to 13 major tech firms, including Apple, Amazon, Meta, Microsoft and Alphabet, warning them not to weaken data security or censor American users under pressure from foreign laws such as the EU\u2019s Digital Services Act or the UK\u2019s Investigatory Powers Act and Online Safety Act. 
He warned that doing so could violate US law. <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2025\/08\/ftc-chairman-ferguson-warns-companies-against-censoring-or-weakening-data-security-americans-behest\">link<\/a> <\/p><p><strong>Microsoft scales back China\u2019s access to cyber early-warning system<\/strong><br>On August 21, Reuters reported that Microsoft had reduced certain Chinese firms\u2019 access to its cybersecurity early-warning system, following suspicions that Beijing-linked actors exploited the Microsoft Active Protections Program (MAPP) to facilitate a hacking campaign targeting SharePoint servers in late June and early July. As a precaution, Microsoft is withholding proof-of-concept code from these firms and has reaffirmed its commitment to reviewing and removing partners who breach their contracts. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/sustainability\/boards-policy-regulation\/microsoft-scales-back-chinese-access-cyber-early-warning-system-2025-08-20\/\">link<\/a> <\/p><p><strong>Massive INTERPOL operation arrests 1,209 cybercriminals in Africa<\/strong><br>Between June and August 2025, the INTERPOL-led Operation Serengeti 2.0 resulted in 1,209 cybercriminal arrests across 18 African nations and the United Kingdom. 
Targeting ransomware, online scams and business e-mail compromise, the operation seized 97.4 million US dollars and dismantled 11,432 pieces of malicious infrastructure, affecting nearly 88,000 victims globally. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/News-and-Events\/News\/2025\/African-authorities-dismantle-massive-cybercrime-and-fraud-networks-recover-millions\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage and prepositioning<\/h3><p><strong>Several countries advise on Chinese threat actors targeting telecommunications<\/strong><br>On August 27, 13 countries, namely seven European Union countries, the Five Eyes and Japan, issued an advisory on China-linked cyberespionage threat actors. It focuses on those targeting networks around the world, particularly in telecommunications and government, and specifically mentions Salt Typhoon. The threat actors\u2019 main targets are the routers of major telecommunications providers, as well as edge routers, compromised devices and trusted connections. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa25-239a\">link<\/a> <\/p><p><strong>China-linked threat actor runs 10-month campaign infiltrating telecommunications in South-West Asia<\/strong><br>On July 29, Unit42 published its findings on a 10-month campaign run by a China-linked threat actor targeting telecommunications in South-West Asia. 
From February to November 2024, they found indicators of compromise at telecommunications companies in several countries, leveraging the interconnected mobile roaming networks. However, they found no clear evidence of data collection or exfiltration. The campaign, dubbed CL-STA-0969, was highly sophisticated and overlaps significantly with Liminal Panda. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/unit42.paloaltonetworks.com\/infiltration-of-global-telecom-networks\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor Turla runs adversary-in-the-middle campaign targeting diplomats in Moscow<\/strong><br>On July 31, Microsoft Threat Intelligence reported on a cyberespionage campaign by the threat actor Turla, also known as Secret Blizzard. The campaign targets embassies located in Moscow, using an adversary-in-the-middle (AiTM) position to deploy the custom ApolloShadow malware. 
ApolloShadow installs a trusted root certificate to trick devices into trusting actor-controlled malicious sites, allowing Turla to maintain persistence on diplomatic devices, probably for intelligence collection. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/31\/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats\/\">link<\/a> <\/p><p><strong>Static Tundra exploiting Cisco devices in long-running cyberespionage campaign<\/strong><br>On August 20, Cisco reported that the Russian state-sponsored cyberespionage group Static Tundra exploited CVE-2018-0171 in Cisco IOS Smart Install to compromise unpatched, end-of-life network devices. The group is linked to the FSB\u2019s Center 16 unit and operates as a sub-cluster of the broader Energetic Bear group. Its main goal is intelligence collection, targeting sectors such as telecommunications, higher education and manufacturing across several continents. Related CERT-EU product: TA 25-134. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/static-tundra\/\">link<\/a> <\/p><p><strong>Spike in Fortinet brute-force activity may signal zero-day risk<\/strong><br>On August 3, GreyNoise observed a sharp rise in brute-force attempts against Fortinet SSL VPNs, followed on August 5 by activity targeting FortiManager. Such spikes precede new vulnerability disclosures in 80% of cases. 
The adaptive campaign uses specific IPs for testing and intrusion. The main targeted regions are Brazil and Hong Kong. Defenders should block the listed IPs, harden login controls and restrict external access.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.greynoise.io\/blog\/vulnerability-fortinet-vpn-bruteforce-spike\">link<\/a> <\/p><p><strong>Tracking Candiru's DevilsTongue spyware across several countries<\/strong><br>On August 5, Recorded Future published a report on Candiru's spyware infrastructure. They identified eight operational clusters linked to Candiru's DevilsTongue spyware. The infrastructure varies in design, with some clusters using intermediaries or Tor. Five clusters are likely still active, among them Hungary and Saudi Arabia. A cluster linked to Indonesia was active until November 2024, while two clusters in Azerbaijan remain of uncertain status.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/assets.recordedfuture.com\/content\/dam\/insikt-report-pdfs\/2025\/cta-2025-0805.pdf\">link<\/a> <\/p><p><strong>Canadian House of Commons breach is likely linked to the Microsoft SharePoint ToolShell flaw<\/strong><br>In mid-August, the Canadian House of Commons began investigating a cyberattack that took place on August 8. The attackers exploited the Microsoft SharePoint ToolShell flaw (CVE-2025-53770) to access a database of employee details used to manage computers and mobile devices. 
The stolen data include staff names, email addresses, job titles, office locations and device information.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cbc.ca\/news\/politics\/house-of-commons-data-breach-1.7608061\">link<\/a> <\/p><p><strong>Belarus-linked DSLRoot proxy network installs hardware in US residences, including military households<\/strong><br>On August 8, Infrawatch and KrebsOnSecurity exposed DSLRoot, a Belarus-run residential proxy network operating in more than 20 US states. The network uses consumer modems and Android devices, with no authentication, to provide rotating SOCKS5 proxies. The investigation revealed compromised homes, including one linked to the military, highlighting the risks of foreign-operated proxy infrastructure inside the US.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/infrawatch.app\/blog\/dslroot-us-proxy-investigation\">link<\/a> <\/p><p><strong>Apple issues emergency patches for CVE-2025-43300, a zero-day actively exploited in targeted attacks<\/strong><br>On August 20, Apple released emergency updates to fix CVE-2025-43300, an out-of-bounds write flaw in Image I\/O actively exploited in sophisticated attacks. The patch applies to iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, and macOS Sequoia 15.6.1, Sonoma 14.7.8 and Ventura 13.7.8. 
This is the sixth zero-day exploited against Apple platforms in 2025, which makes immediate installation of these updates critical.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/support.apple.com\/en-us\/124925\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Russia-linked RomCom exploits WinRAR CVE-2025-8088 as a zero-day in phishing attacks<\/strong><br>On August 8, ESET researchers reported that the Russia-linked threat actor RomCom exploited WinRAR CVE-2025-8088 as a zero-day in spearphishing attacks to deploy various backdoors. The directory traversal flaw, fixed in version 7.13, allowed crafted archives to drop executables into autorun paths for remote code execution. Users must update WinRAR manually, as it has no auto-update mechanism.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/winrar-zero-day-flaw-exploited-by-romcom-hackers-in-phishing-attacks\/\">link<\/a> <\/p><p><strong>Akira affiliates abuse drivers for evasion<\/strong><br>On August 5, GuidePoint reported that Akira ransomware activity involved repeated abuse of two Windows drivers, <code>rwdrv.sys<\/code> and <code>hlpdrv.sys<\/code>. The group likely used <code>rwdrv.sys<\/code> to gain kernel-level access and to enable <code>hlpdrv.sys<\/code>, which disables Windows Defender through registry changes. 
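The detection indicator in the GuidePoint item is the pair of driver loads followed by the Defender registry change, not either event on its own. The following Python correlation is an added example, not GuidePoint's or Microsoft's code: it walks constructed Sysmon-style DriverLoad (Event ID 6) and registry value-set (Event ID 13) records per host and marks hosts where an abused driver load is followed within a short window by a Defender-disabling write. The registry values it watches and the event layout are assumptions, since the brief does not name the exact keys the driver modifies.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Driver names from the GuidePoint report cited above.
ABUSED_DRIVERS = {"rwdrv.sys", "hlpdrv.sys"}

# Defender policy values commonly set to 1 to switch protection off. The brief does not name the
# registry values hlpdrv.sys touches, so these are assumptions for the example (stored lowercased).
DEFENDER_KILL_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring",
}

# Constructed events, modelled on Sysmon Event ID 6 (DriverLoad) and 13 (RegistryEvent, value set).
# WS01 shows the chain described above; WS02 only loads a normal driver and sets a value to 0.
EVENTS = [
    {"host": "WS01", "time": "2025-08-05T10:00:00", "event_id": 6,
     "ImageLoaded": r"C:\Windows\Temp\rwdrv.sys", "Signed": "true"},
    {"host": "WS01", "time": "2025-08-05T10:00:30", "event_id": 6,
     "ImageLoaded": r"C:\Windows\Temp\hlpdrv.sys", "Signed": "true"},
    {"host": "WS01", "time": "2025-08-05T10:01:10", "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"host": "WS02", "time": "2025-08-05T11:00:00", "event_id": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"host": "WS02", "time": "2025-08-05T11:05:00", "event_id": 13,
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},
]


def driver_finding(event):
    """Flag a driver load by file name. BYOVD drivers are usually validly signed,
    so the Signed field alone tells you nothing; match on name (or better, hash)."""
    name = PureWindowsPath(event["ImageLoaded"]).name.lower()
    return ("byovd_driver_load", name) if name in ABUSED_DRIVERS else None


def registry_finding(event):
    """Flag a Defender policy value being set to 1 (protection disabled)."""
    target = event["TargetObject"].lower()
    if target in DEFENDER_KILL_VALUES and "0x00000001" in event["Details"]:
        return ("defender_disabled", event["TargetObject"].rsplit("\\", 1)[-1])
    return None


def analyse(events, chain_window=timedelta(minutes=10)):
    """Group findings per host; a host gets byovd_chain=True when an abused driver load is
    followed within chain_window by a Defender-disabling registry write."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 6:
            finding = driver_finding(ev)
        elif ev["event_id"] == 13:
            finding = registry_finding(ev)
        else:
            finding = None
        if finding:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["time"]),) + finding)
    result = {}
    for host, findings in per_host.items():
        loads = [ts for ts, kind, _ in findings if kind == "byovd_driver_load"]
        kills = [ts for ts, kind, _ in findings if kind == "defender_disabled"]
        chain = any(timedelta(0) <= k - l <= chain_window for l in loads for k in kills)
        result[host] = {"findings": [(kind, detail) for _, kind, detail in findings],
                        "byovd_chain": chain}
    return result


if __name__ == "__main__":
    for host, info in analyse(EVENTS).items():
        print(host, "BYOVD chain" if info["byovd_chain"] else "isolated finding", info["findings"])
```

In production, replace the file-name match with the SHA-256 hashes from the vendor report, since the attacker chooses the file name, and keep the Defender-tamper rule as a standalone alert as well: an isolated policy flip is worth a look even without the driver pair.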
This Bring Your Own Vulnerable Driver (BYOVD) technique appeared in multiple cases and serves as a strong detection indicator for defenders.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.guidepointsecurity.com\/blog\/gritrep-akira-sonicwall\/\">link<\/a> <\/p><p><strong>ClickFix phishing campaign targets macOS with AppleScript-based credential theft<\/strong><br>On August 7, Forcepoint reported a ClickFix phishing campaign targeting macOS users with a fake CAPTCHA page that delivers the Odyssey Stealer malware. The malicious AppleScript steals credentials, cryptocurrency data, cookies and files, then exfiltrates them in a ZIP archive. The threat actor uses OS-specific instructions and obfuscation to evade detection and wipes its traces after exfiltration.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.forcepoint.com\/blog\/x-labs\/odyssey-stealer-attacks-macos-users\">link<\/a> <\/p><p><strong>Cookie Spider malvertising campaign delivers Shamos malware for macOS<\/strong><br>On August 20, CrowdStrike reported on Cookie Spider's Shamos malware campaign, which targeted more than 300 macOS environments between June and August 2025. The cybercrime group used malvertising and fake help sites to trick users into running a malicious one-line command that bypassed Gatekeeper security checks and installed Shamos, which stole data, credentials and cryptocurrency and established persistence. 
CrowdStrike observed spoofed ads, GitHub repositories and botnet modules in this activity.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.crowdstrike.com\/en-us\/blog\/falcon-prevents-cookie-spider-shamos-delivery-macos\/\">link<\/a> <\/p><p><strong>Storm-2460 uses a Windows zero-day and a fake ChatGPT app to deliver malware<\/strong><br>On August 18, Microsoft reported on a malware campaign that uses a trojanised version of an open-source ChatGPT desktop app to distribute a new modular backdoor called PipeMagic, which provides a framework for running ransomware operations. Storm-2460, the financially motivated group behind PipeMagic, used a Windows zero-day vulnerability (CVE-2025-29824) in the Common Log File System (CLFS).<code>finance<\/code> <code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/08\/18\/dissecting-pipemagic-inside-the-architecture-of-a-modular-backdoor-framework\/\">link<\/a> <\/p><p><strong>SpyVPN Chrome extension secretly captures user activity and exfiltrates data<\/strong><br>On August 19, Koi Security disclosed that a Chrome Web Store &ldquo;Featured&rdquo; VPN extension named FreeVPN.One, also known as SpyVPN, with more than 100,000 installs, was secretly taking screenshots of everything users visited (banking, Google Sheets, personal photos) and sending them to a remote server without consent or any visible indication.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.koi.security\/blog\/spyvpn-the-vpn-that-secretly-captures-your-screen\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks-2\">Data exposure and 
leaks<\/h3><p><strong>Google confirms Salesforce CRM data breach<\/strong><br>On August 5, Google updated a June report confirming that its Salesforce CRM instance was breached through a vishing attack linked to UNC6040 (ShinyHunters), a financially motivated threat actor. The attackers accessed limited business contact data before access was cut off. The incident is part of a broader campaign that uses malicious OAuth apps and social engineering to target major firms. Salesforce maintains that its core platform remains secure.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks\/\">link<\/a> <\/p><p><strong>Large-scale data theft targets Salesforce instances via Salesloft Drift<\/strong><br>On August 26, Google reported that an unidentified threat actor tracked as UNC6395 abused OAuth tokens from Salesloft's Drift application to exfiltrate data from the Salesforce instances of technology, finance and healthcare firms. Between August 8 and 18, the attackers automated the theft of AWS keys, passwords and Snowflake tokens from the stolen data. Salesforce and Salesloft revoked the tokens on August 20 and removed Drift from AppExchange. 
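Because the attackers searched the stolen records for credentials, an affected tenant needs to know which of its own records held such material, both to rotate those secrets and to scope the notification. The following Python scanner is an added example, not Google's, Salesforce's or Salesloft's code: it runs format and keyword patterns over constructed Case records and reports redacted hits per record and field. The AWS access key format is fixed and well documented; the Snowflake and password patterns are heuristics assumed for illustration and will need tuning to real data.

```python
import re
from collections import Counter

# Patterns for the kinds of material the attackers harvested. AWS access key IDs have a fixed
# prefix and length; the Snowflake and password patterns are keyword heuristics and will need
# tuning to your data (assumptions for the example, not vendor detection content).
PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*([A-Za-z0-9/+]{40})"),
    "snowflake_account": re.compile(r"(?i)\b[a-z0-9_.-]+\.snowflakecomputing\.com\b"),
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
}
TEXT_FIELDS = ("Subject", "Description")

# Constructed Case records; the AWS values are the placeholder keys from AWS's own documentation.
RECORDS = [
    {"Id": "5001", "Subject": "Integration failing",
     "Description": "Customer pasted creds in the ticket: aws_access_key_id = AKIAIOSFODNN7EXAMPLE "
                    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"Id": "5002", "Subject": "Warehouse access",
     "Description": "Snowflake login for https://acme-xy12345.snowflakecomputing.com password: Summer2025! "
                    "(please delete after use)"},
    {"Id": "5003", "Subject": "MFA reset", "Description": "Please reset my MFA device."},
]


def redact(value):
    """Keep a short prefix so a finding can be matched to its source without re-exposing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 3)


def scan_records(records, fields=TEXT_FIELDS):
    """Return one finding per secret-looking token: {record, field, type, value (redacted)}."""
    findings = []
    for rec in records:
        for field in fields:
            text = rec.get(field) or ""
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text):
                    secret = m.group(1) if m.groups() else m.group(0)
                    findings.append({"record": rec["Id"], "field": field,
                                     "type": kind, "value": redact(secret)})
    return findings


def summarise(findings):
    """Counts per finding type, for the scoping report."""
    return Counter(f["type"] for f in findings)


if __name__ == "__main__":
    hits = scan_records(RECORDS)
    for h in hits:
        print(h)
    print(dict(summarise(hits)))
```

Run it over an export of the objects the attacker queried (Case is the usual one for support-ticket credential leakage), treat every hit as compromised, and rotate before you finish the investigation; the redacted prefix is enough to find the record again without copying the secret into yet another system.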
Affected organisations have been notified.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/data-theft-salesforce-instances-via-salesloft-drift?hl=en\">link<\/a> <\/p><p><strong>North Korea-linked Kimsuky suffers a data breach<\/strong><br>On August 11, two unaffiliated threat actors, named Sabre and cyb0rg, publicly leaked data from the North Korea-linked Kimsuky group. They cite moral motives for the leak, namely that Kimsuky are morally corrupt because they steal to enrich their leaders and to pursue their political agenda. The dump amounts to 8.9 GB of data and includes, among other things, phishing logs from targeted South Korean government entities and websites, and malware.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/north-korean-kimsuky-hackers-exposed-in-alleged-data-breach\/\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>China's GoLaxy uses the AI-based GoPro propaganda system to influence public opinion<\/strong><br>On August 6, a New York Times article reported that leaked internal documents, obtained by Vanderbilt University researchers, reveal how the Chinese firm GoLaxy uses its GoPro intelligent propaganda system to monitor and shape public opinion in Hong Kong, Taiwan and China, and to collect data on US politicians. 
Although no targeting of US elections has been confirmed, GoPro can mass-produce tailored propaganda, strengthening China's influence as US countermeasures wane.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2025\/08\/06\/us\/politics\/china-artificial-intelligence-information-warfare.html?searchResultPosition=1\">link<\/a> <\/p><h3 id=\"disruption-destruction-2\">Disruption and destruction<\/h3><p><strong>Malicious npm packages targeting WhatsApp developers contain a remote kill switch<\/strong><br>On August 6, Socket's threat research team disclosed two malicious npm packages, naya-flore and nvlore-hsc, masquerading as WhatsApp integration libraries. The packages include a remote kill switch that fetches a base64-encoded allowlist of phone numbers; if a developer's number is not on the list, the code runs a destructive <code>rm -rf *<\/code> to wipe their system. 
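A kill switch of this shape is detectable statically, before install. The following Python checker is an added example, not Socket's code and not the real package source: it scans a constructed package that mimics the behaviour above (the package name, manifest and JavaScript are made up for illustration). It decodes long base64 string literals and looks for phone numbers in them, searches for shell execution and destructive commands, and flags lifecycle hooks that run code at install time.

```python
import base64
import binascii
import json
import re

# A constructed package mimicking the behaviour described above (not the real naya-flore/nvlore-hsc
# code): a base64 allowlist of phone numbers and a destructive shell command when the caller is not on it.
ALLOWLIST_B64 = base64.b64encode(b"+15551230001,+15551230002").decode()
SUSPICIOUS_JS = f'''
const {{ execSync }} = require("child_process");
const allowed = "{ALLOWLIST_B64}";
function check(phone) {{
  const list = Buffer.from(allowed, "base64").toString().split(",");
  if (!list.includes(phone)) {{ execSync("rm -rf *"); }}
}}
module.exports = {{ check }};
'''
SUSPICIOUS_MANIFEST = json.loads('{"name": "example-wa-lib", "version": "1.0.0", '
                                 '"scripts": {"postinstall": "node setup.js"}}')

B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{20,}={0,2})["\']')
SHELL_EXEC = re.compile(r"child_process|execSync|spawnSync|\bexec\(")
DESTRUCTIVE = re.compile(r"\brm\s+-(?:rf|fr)\b|\bformat\s+[a-z]:|\bdel\s+/[fqs]", re.I)
PHONE = re.compile(r"\+?\d{10,15}")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def decode_blobs(source):
    """Decode every long base64 string literal that yields printable text; skip anything else."""
    out = []
    for m in B64_LITERAL.finditer(source):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append(text)
    return out


def scan_package(source, manifest):
    """Static checks that would have caught the kill switch: shell execution, a destructive
    command, an encoded phone list, and lifecycle hooks that run code at install time."""
    findings = []
    if SHELL_EXEC.search(source):
        findings.append("shell_execution")
    if DESTRUCTIVE.search(source):
        findings.append("destructive_command")
    if any(PHONE.search(text) for text in decode_blobs(source)):
        findings.append("encoded_phone_list")
    for hook in INSTALL_HOOKS:
        if hook in manifest.get("scripts", {}):
            findings.append(f"install_hook:{hook}")
    return findings


if __name__ == "__main__":
    print(decode_blobs(SUSPICIOUS_JS))
    print(scan_package(SUSPICIOUS_JS, SUSPICIOUS_MANIFEST))
```

Any one of these findings is common in legitimate packages; the combination of shell execution, a destructive command and an opaque decoded allowlist in a library that claims to be a messaging integration is what should stop the install. Run such checks in CI on the extracted tarball (`npm pack`) rather than on the repository, since the published artefact is what actually executes.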
Despite having more than 1,110 downloads, both packages remain live on npm.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/malicious-npm-packages-target-whatsapp-developers-with-remote-kill-switch\">link<\/a> <\/p><p><strong>Supposed pro-Ukrainian hacktivists take over Russian TV on Ukraine's Independence Day<\/strong><br>On August 24, Ukraine's Independence Day, supposed pro-Ukrainian hacktivists, probably Belarusian cyber partisans, hijacked Russia's third-largest television provider, broadcasting messages about war losses and shortages for three hours on 116 channels and reaching 50,000 households. Ukrainian intelligence called them &ldquo;local cyber partisans&rdquo;; no group has claimed responsibility.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybernews.com\/cyber-war\/pro-ukrainian-cyber-partisans-hack-russian-tv-independence-day\/\">link<\/a> <\/p><h3 id=\"opportunistic\">Opportunistic<\/h3><p><strong>N-central vulnerabilities exploited in the wild<\/strong><br>On August 13, CISA warned that threat actors are exploiting two N-able N-central vulnerabilities, CVE-2025-8875 and CVE-2025-8876, which allow command execution and injection. N-able fixed them in version 2025.3.1 and urged immediate updates. 
According to Shodan, around 2,000 instances are exposed online, most of them in the US, Australia, Germany and the Netherlands.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/cisa-warns-of-n-able-n-central-flaws-exploited-in-zero-day-attacks\/\">link<\/a> <\/p><p><strong>Threat actors use AI to replicate official government websites<\/strong><br>On August 5, cybersecurity firm Zscaler ThreatLabz published its findings on a campaign that uses generative AI tools to create malicious replicas of Brazilian government websites. Specifically, researchers observed threat actors using AI tools such as DeepSite AI and BlackBox AI to produce phishing templates that mimic the official sites. This is symptomatic of how AI tools are increasingly being leveraged by threat actors.<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/genai-used-phishing-websites-impersonating-brazil-s-government\">link<\/a> <\/p><p><strong>Trend Micro enterprise products face active exploitation (CVE-2025-54948 and CVE-2025-54987)<\/strong><br>On August 6, Trend Micro disclosed command injection flaws (CVE-2025-54948, CVE-2025-54987) in its enterprise endpoint security management console. A threat actor has already exploited CVE-2025-54948. Trend Micro mitigated the issues in its cloud-based products on July 31. 
On-premise users should apply the Fixtool immediately and expect a critical patch due in mid-August.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.jpcert.or.jp\/english\/at\/2025\/at250016.html\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document reflect only what publicly available sources report. They do not reflect our position.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n","protected":false},"excerpt":{"rendered":"<p>Cyber Brief (August 2025)September 2, 2025 &#8211; Version: 1TLP:CLEARExecutive summaryWe analysed 321 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, Ukraine, Romania, and Moldova joined forces and 
created a regional cyber alliance, and Romania created a [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"footnotes":""},"ti_category":[198],"ti_source":[172],"ti_severity":[187],"class_list":["post-992320","threat_intelligence","type-threat_intelligence","status-publish","hentry","ti_category-threat-actor","ti_source-cert-eu","ti_severity-critical"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992320","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/threat_intelligence"}],"version-history":[{"count":0,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992320\/revisions"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=992320"}],"wp:term":[{"taxonomy":"ti_category","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_category?post=992320"},{"taxonomy":"ti_source","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_source?post=992320"},{"taxonomy":"ti_severity","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_severity?post=992320"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}