{"id":992321,"date":"2025-11-03T00:45:01","date_gmt":"2025-11-02T21:45:01","guid":{"rendered":"https:\/\/gpss.ro\/threat-intelligence\/cyber-brief-25-08-july-2025\/"},"modified":"2025-11-03T00:45:01","modified_gmt":"2025-11-02T21:45:01","slug":"cyber-brief-25-08-july-2025","status":"publish","type":"threat_intelligence","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/cyber-brief-25-08-july-2025\/","title":{"rendered":"Cyber Brief 25-08 &#8211; July 2025"},"content":{"rendered":"\n        <div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n            <div
class=\"article-content\"><h2 id=\"cyber-brief-july-2025\">Cyber Brief (July 2025)<\/h2><p>August 4, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 287 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>Relating to <strong>cyber policy and law enforcement<\/strong>, the EU, UK, and US have imposed sanctions on Russian entities due to their involvement in cyberattacks and disinformation campaigns. Additionally, two more EU countries have banned DeepSeek AI, citing security concerns.<\/p><\/li><li><p>On the <strong>cyberespionage<\/strong> front, China-linked threat actors have been identified as being behind the ToolShell campaign, which exploits vulnerabilities in SharePoint. Meanwhile, the Russia-linked Turla threat actor has targeted diplomats in Moscow.<\/p><\/li><li><p>Relating to <strong>cybercrime<\/strong>, researchers have discovered malware in trusted Chrome and Edge extensions that have been installed by approximately 2.3 million users, while researchers identified a surge in Akira ransomware attacks exploiting SonicWall SSL\u202fVPN.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> incidents causing operational outages at two EU-based telecommunications companies. Furthermore, Russia's Aeroflot cancelled flights after pro-Ukrainian hackers claimed responsibility for a cyberattack. <\/p><\/li><li><p>As regards <strong>data exposure and leaks<\/strong> incidents, in Europe, an unsecured server exposed years' worth of data belonging to Swedish citizens. The Swiss healthcare giant AMEOS reported a data breach affecting patients, staff, and partners.
Globally, Dell confirmed a breach by an extortion group, and leaked datasets revealed ties between Chinese cyber contractors and the government.<\/p><\/li><li><p>Relating to <strong>information operations<\/strong>, at least four Russian operations targeting European countries have been identified, highlighting ongoing efforts in information manipulation and disinformation.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>EU targets Russian disinformation networks and electronic warfare operations in new sanctions<\/strong><br> On July 15, the EU Council sanctioned nine individuals and six entities, including media groups, think tanks, and a GRU officer linked to Unit 74455, for spreading pro-Russia disinformation and conducting electronic warfare that disrupted civilian aviation. These sanctions reinforce the EU\u2019s commitment to counter Russian hybrid threats amid the ongoing Russia-Ukraine war. <code>russia<\/code> <code>sanctions<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2025\/07\/15\/russian-hybrid-threats-eu-lists-nine-individuals-and-six-entities-responsible-for-destabilising-actions-in-the-eu-and-ukraine\/\">link<\/a> <\/p><p><strong>UK sanctions Russian GRU units and operatives for cyberattacks and disinformation<\/strong><br> On July 18, the UK sanctioned three Russian GRU military units, 18 individuals, and a disinformation outlet for cyberespionage, information operations, and support for Russia\u2019s war in Ukraine, including targeting Yulia Skripal in 2013 and aiding strikes on Ukrainian civilians. 
<code>russia<\/code> <code>sanctions<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.gov.uk\/government\/news\/uk-sanctions-russian-spies-at-the-heart-of-putins-malicious-regime\">link<\/a> <\/p><p><strong>Germany requests removal of DeepSeek AI from app stores<\/strong><br> On June 27, Germany\u2019s data protection commissioner asked Apple and Google to remove DeepSeek AI from German app stores, citing unauthorised transfer of personal data to China without EU-standard safeguards. The move follows similar actions by Italy and the Netherlands. DeepSeek has not demonstrated compliance with GDPR or the Digital Services Act. Apple and Google are currently reviewing the request. <code>ban<\/code> <code>artificial intelligence<\/code> <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.datenschutz-berlin.de\/pressemitteilung\/berliner-datenschutzbeauftragte-meldet-ki-app-deepseek-in-deutschland-bei-apple-und-google-als-rechtswidrigen-inhalt\/\">link<\/a> <\/p><p><strong>Czech Republic bans DeepSeek AI over data security concerns<\/strong><br> On July 9, the Czech government prohibited the use of Chinese AI startup DeepSeek in public administration, citing data security risks and concerns over Chinese government access to stored information. The move follows similar restrictions in Germany, Italy, and the Netherlands. <code>ban<\/code> <code>artificial intelligence<\/code> <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/world\/china\/czech-government-bans-deepseek-usage-public-administration-2025-07-09\/\">link<\/a> <\/p><p><strong>Denmark introduces copyright law to combat Deepfake misuse<\/strong><br> On June 26, the Danish government announced new copyright legislation to protect citizens from AI-generated deepfakes, allowing individuals to object to the unauthorised use of their bodies, faces, or voices and demand content removal from online platforms. 
This pioneering law in Europe comes amid a sharp rise in deepfake fraud, which increased by over 1.300% in 2024 and now drives nearly half of global fraud attempts. <code>regulation<\/code> <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/technology\/2025\/jun\/27\/deepfakes-denmark-copyright-law-artificial-intelligence\">link<\/a> <\/p><p><strong>Chinese hacker tied to Silk Typhoon group arrested in Italy<\/strong><br> On July 3, a Chinese national, Xu Zewei, was arrested in Milan on a US warrant for alleged ties to the state-backed Silk Typhoon group. He is accused of cyberattacks targeting US organisations, including 2020 campaigns aimed at stealing COVID-19 vaccine research and public health data. <code>china<\/code> <code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ansa.it\/english\/newswire\/english_service\/2025\/07\/07\/ansachinese-spy-arrested-in-italy-on-us-warrant_9f5bbfe6-74ef-4f78-bb1e-fcf01f755652.html\">link<\/a> <\/p><p><strong>Europol and Eurojust coordinate takedown of NoName057(16) hacktivist group<\/strong><br> On July 15, Europol and Eurojust coordinated a multinational operation that dismantled the pro-Russia hacktivist group NoName057(16), which conducted DDoS attacks against European infrastructure. Over 100 servers were seized, seven arrest warrants issued, and 4.000 supporters identified. The group\u2019s leaders are believed to reside in the Russian Federation. 
<code>russia<\/code> <code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.eurojust.europa.eu\/news\/hacktivist-group-responsible-cyberattacks-critical-infrastructure-europe-taken-down\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage &amp; prepositioning<\/h3><p><strong>In September 2024, Houken exploited three Ivanti zero-days to intrude into French governmental and telecommunications entities<\/strong><br> On July 1, ANSSI, the French National Cybersecurity Agency, publicly reported that in September 2024, a threat actor dubbed Houken sought to gain initial access to French entities through the exploitation of zero-days. Houken specifically exploited three zero-day vulnerabilities on the Ivanti Cloud Service Appliance (CSA) devices of French entities in the governmental, telecommunications, media, finance, and transport sectors. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cert.ssi.gouv.fr\/uploads\/CERTFR-2025-CTI-009.pdf\">link<\/a> <\/p><p><strong>India-linked Patchwork uses Google Drive to target European foreign affairs ministry with spearphishing<\/strong><br> On July\u202f8, Trellix reported that India-linked Patchwork sent spearphishing e-mails impersonating defence officials to a southern European foreign affairs ministry. Victims clicked a Google Drive link delivering a malicious RAR archive that installed the \u201cLoptikMod\u201d backdoor via scheduled tasks, ensuring persistent access. While Patchwork typically targets government and defence entities in South Asia, this operation likely signals an expansion of interest toward European diplomatic entities.
<code>diplomacy<\/code> <code>india<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trellix.com\/blogs\/research\/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>North Korean IT experts infiltrate European tech firms under false identities<\/strong><br> On July 10, Le Monde reported that North Korean IT experts, using fake identities and nationalities, are infiltrating Western companies \u2014 initially in the US, now in France \u2014 to earn salaries that are funnelled back to the regime or used for extortion. One example is the US crypto firm Iqlusion, which unknowingly hired such developers and was later alerted by the FBI to their ties to North Korea. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lemonde.fr\/pixels\/article\/2025\/07\/10\/comment-la-coree-du-nord-infiltre-ses-experts-informatiques-au-c-ur-des-entreprises-occidentales_6620374_4408996.html\">link<\/a> <\/p><h3 id=\"disruption-destruction\">Disruption &amp; destruction<\/h3><p><strong>Dutch Prosecution Service disconnected after Citrix breach, operations severely disrupted<\/strong><br> On July 18, the Dutch Public Prosecution Service (Openbaar Ministerie, OM) shut down all internet access after discovering that hackers had likely exploited the Citrix Bleed 2 vulnerability, prompting a major operational disruption. The outage may last weeks, severely restricting remote access, e-mail, and digital file editing, raising concerns about the potential impact on ongoing legal proceedings and signalling a serious cybersecurity breach within a critical government institution.
<code>justice<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.om.nl\/actueel\/nieuws\/2025\/07\/21\/werk-om-mogelijk-komende-weken-nog-verstoord\">link<\/a> <\/p><p><strong>Orange Group suffered a cyberattack impacting some services at France-based enterprises<\/strong><br> On July 25, Orange Group suffered a cyberattack causing service disruptions for some business and consumer clients, mainly located in France. No data breaches have been identified. Services are being progressively restored under enhanced monitoring. A formal complaint has been filed, and authorities are involved. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/newsroom.orange.com\/le-groupe-orange-annonce-avoir-depose-plainte-lundi-28-juillet-pour-atteinte-a-un-de-ses-systemes-dinformation\/?lang=fra\">link<\/a> <\/p><p><strong>POST Luxembourg outage on July 23 traced to sophisticated cyberattack<\/strong><br> On\u202fJuly\u202f23, Luxembourg\u2019s POST suffered a nationwide four-hour outage affecting mobile, fixed-line and internet services\u2014including emergency numbers\u2014due to a targeted, exceptionally advanced and sophisticated cyberattack. According to POST and the government crisis unit, malicious actors exploited a software vulnerability to disrupt services. Internal systems were not breached, no customer data was compromised, and services were restored by the evening\u2014with investigations ongoing.
<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.luxtimes.lu\/luxembourg\/post-luxembourg-outage-caused-by-a-targeted-cyberattack-firm-confirms\/80019668.html\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Russia exploited no-confidence vote to undermine EU unity<\/strong><br> On July 22, El Pa\u00eds reported that Russia exploited the recent no-confidence vote against European Commission President Ursula von der Leyen to polarise the EU, using pro-Kremlin disinformation networks to frame the motion as a rebellion against corruption. Analysts identified over 20.000 coordinated posts across platforms, revealing a broader effort by Russian-linked actors to distort European democratic processes and amplify anti-EU narratives during politically sensitive moments. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/english.elpais.com\/international\/2025-07-22\/russia-used-the-vote-of-no-confidence-against-von-der-leyen-to-stir-up-polarization-in-the-eu.html\">link<\/a> <\/p><p><strong>Russia-linked Storm-1516 impersonates journalists to spread disinformation across Europe<\/strong><br> On July\u00a07, the Gnida Project reported that Russia-linked network Storm-1516 has impersonated journalists since May to spread disinformation in Moldova, Armenia, France, and Germany. By hijacking real reporters\u2019 identities, the group seeks to boost the credibility of false narratives aligned with Russian interests\u2014such as undermining Western alliances and discrediting leaders\u2014while using fake media sites to amplify these messages. The Gnida Project tracks and analyses disinformation operations. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/gnidaproject.substack.com\/p\/disinformation-update-stolen-identities\">link<\/a> <\/p><p><strong>Russia-linked \"Matryoshka\" disinformation campaign intensifies focus on Moldova with evolving tactics<\/strong><br> On July 17, the Institute for Strategic Dialogue (ISD Global), a London-based non-profit countering disinformation, reported that Russia-linked operation \"Matryoshka\" intensified its focus on Moldova in Q2 2025. It impersonated media outlets and used AI personas to spread English content on TikTok and X. Despite evolving tactics and smear campaigns, the operation saw limited real engagement, as most content was removed by major platforms. <code>moldova<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.isdglobal.org\/digital_dispatches\/operation-overloads-underwhelming-influence-and-evolving-tactics\/\">link<\/a> <\/p><p><strong>Russian disinformation campaign cloned British 999 call with AI<\/strong><br> On July 31, BBC Verify revealed that the voice of a British 999 emergency call handler was cloned using AI for a Russian-linked disinformation campaign. The synthetic voice, lifted from an NHS training video, was used to spread fear ahead of Poland\u2019s May 2025 presidential election. The real call handler, Aaron, was shocked by its realism. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/live\/ce35ly75ppkt?post=asset%3Ac8d1c46f-1b14-49bc-83d7-7a8b20345eee#post\">link<\/a><\/p><p><strong>China spread disinformation to undermine French Rafale jet sales<\/strong><br> On July 6, French intelligence reported on China using its embassies to spread false claims about Rafale jet performance during India-Pakistan clashes, aiming to hurt French arms sales and promote Chinese alternatives, particularly targeting countries like Indonesia. 
<code>china<\/code> <code>defence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/apnews.com\/article\/france-china-pakistan-india-defense-rafale-64eec86b6e89718d6a49d8fdedf565f4\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Unsecured server exposes years of Swedish citizens' data<\/strong><br> On July 24, Cybernews reported that an unsecured Elasticsearch server exposed over 100 million detailed records on Swedish citizens and companies, including names, ID numbers, tax data, debt history, and address logs from 2019 to 2024. Believed to originate from a third-party client of Nordic firm Risika, the leak offers a comprehensive behavioural and financial profile that poses serious risks for identity theft, phishing, and corporate espionage. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybernews.com\/security\/risika-swedish-data-exposed\/\">link<\/a> <\/p><p><strong>Swiss healthcare giant AMEOS reports data breach affecting patients, staff, and partners<\/strong><br> On July 21, Swiss hospital group AMEOS announced a security breach affecting its IT systems, potentially exposing sensitive data of patients, employees, and partners across its network of over 100 healthcare facilities in Central Europe. While no evidence of data misuse has emerged yet, AMEOS has shut down systems, notified authorities, and launched a forensic investigation, warning affected individuals to remain alert to possible phishing or fraud attempts. <code>health<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ameos.eu\/datenschutz\/datenschutzvorfall-gem-art-34-dsgvo\/\">link<\/a> <\/p><p><strong>Threat actor threatens to leak 106GB of data allegedly belonging to Telef\u00f3nica<\/strong><br> On July 4, BleepingComputer reported that a threat actor affiliated with the Hellcat ransomware group is threatening to leak 106GB of data allegedly stolen from the Spanish telecommunications company Telef\u00f3nica.
The threat actor claims to have breached the company through a Jira misconfiguration, similar to the January cyberattack. However, there are currently no indications that the leaked data is recent, and the company is denying the threat actor\u2019s claims. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hacker-leaks-telef-nica-data-allegedly-stolen-in-a-new-breach\/\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Microsoft used China-based engineers to support the US Department of Defense<\/strong><br> On July 25, the non-profit investigative journalism organisation ProPublica revealed that Microsoft had relied on engineers based in China to support US Department of Defense and other federal systems, supervised by US-based \u201cdigital escorts,\u201d who reportedly often lacked technical expertise. In response, Microsoft announced it will no longer use China-based engineering teams to support US government cloud services\u2014a practice now ceased amid mounting US national security scrutiny. <code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.propublica.org\/article\/microsoft-tech-support-government-cybersecurity-china-doj-treasury\">link<\/a> <\/p><p><strong>US sanctions Russian hosting company Aeza Group for aiding cybercrime and disinformation<\/strong><br> On July 1, the US Department of the Treasury sanctioned Russian hosting company Aeza Group and four of its operators for providing bulletproof hosting services to cybercriminals, including ransomware gangs, infostealer platforms, and darknet drug markets. The sanctions cite Aeza\u2019s involvement with groups like BianLian and RedLine and its role in Russian disinformation campaigns, and bar US entities from doing business with the group or its affiliates.
<code>russia<\/code> <code>sanctions<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sb0185\">link<\/a> <\/p><p><strong>Interpol\u2019s Operation Secure disrupts major infostealer networks across Asia-Pacific<\/strong><br> On June 11, Interpol announced that Operation Secure, a coordinated effort with 26 Asia-Pacific nations, dismantled over 20.000 malicious assets and seized 41 servers used by infostealer networks, uncovering more than 200.000 victims. Despite these successes, including multiple arrests and the takedown of 79% of identified infrastructure, officials warn that cybercriminals are likely to rebuild operations using alternative platforms due to the continued profitability of corporate fraud and stolen data. <code>arrests<\/code> <code>seizure<\/code> <code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/News-and-Events\/News\/2025\/20-000-malicious-IPs-and-domains-taken-down-in-INTERPOL-infostealer-crackdown\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage &amp; prepositioning<\/h3><p><strong>Microsoft links China-linked APTs to ToolShell campaign exploiting SharePoint vulnerabilities<\/strong><br> On July 22, Microsoft confirmed that a portion of malicious activity exploiting SharePoint vulnerabilities in the ToolShell campaign has been attributed to China-linked groups APT27 (Linen Typhoon), APT31 (Violet Typhoon), and Storm-2603. APT27 and APT31 focused on espionage and data theft, while Storm-2603 deployed ransomware using the same vulnerabilities. 
<code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\">link<\/a> <\/p><p><strong>China-linked hackers escalate cyberattacks on Taiwan\u2019s semiconductor sector amid US-China tensions<\/strong><br> On July 16, Proofpoint revealed that at least three China-linked hacking groups have intensified cyberespionage campaigns targeting 15\u201320 Taiwanese semiconductor firms and financial analysts, including those at a US-headquartered bank, between March and June 2025. The campaigns, ranging from phishing e-mails to malware-laced PDFs, coincide with US-China tensions over chip exports and highlight China\u2019s persistent interest in disrupting and exploiting Taiwan\u2019s semiconductor supply chain and supporting industries. <code>china<\/code> <code>semiconductor industry<\/code> <code>taiwan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting\">link<\/a> <\/p><p><strong>Chinese state-backed hackers breach US Nuclear Agency via Microsoft SharePoint zero-day<\/strong><br> On July 23, the US National Nuclear Security Administration (NNSA) confirmed it was breached through a Microsoft SharePoint zero-day vulnerability chain, in a widespread cyberattack attributed to Chinese state-sponsored actors. While the Department of Energy reported minimal disruption and no classified data exposure, the incident is part of a broader campaign affecting over 400 servers and 148 global organisations. 
<code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-nuclear-weapons-agency-hacked-in-microsoft-sharepoint-attacks\/\">link<\/a> <\/p><p><strong>China-linked campaign infiltrated US National Guard network for nine months<\/strong><br> On July 15, US authorities confirmed that the cyberespionage group Salt Typhoon infiltrated a US state's Army National Guard network from March to December 2024. The campaign accessed network diagrams, geographic data, and personal data of service members, raising concerns about further compromise of state-level cybersecurity partners and law enforcement fusion centres. <code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.documentcloud.org\/documents\/25998809-20250611-dhs-salt-typhoon\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor Turla conducts adversary-in-the-middle campaign targeting diplomats in Moscow<\/strong><br> On July 31, Microsoft Threat Intelligence reported on a cyberespionage campaign by the Russia-linked threat actor Secret Blizzard, also known as Turla. This campaign targets embassies located in Moscow using an adversary-in-the-middle (AiTM) position to deploy their custom ApolloShadow malware. ApolloShadow installs a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Turla to maintain persistence on diplomatic devices, likely for intelligence collection. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/31\/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats\/\">link<\/a><\/p><p><strong>North Korea-linked threat actor delivers XORIndex malware via 67 npm packages<\/strong><br> On July 15, researchers revealed that North Korean actors uploaded 67 malicious packages to the npm repository, delivering the new XORIndex loader to developer systems. The campaign, linked to the Contagious Interview operation, used postinstall scripts to deploy payloads like BeaverTail and InvisibleFerret. Over 17.000 downloads were recorded before takedown reports were filed. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/north-korean-xorindex-malware-hidden-in-67-malicious-npm-packages\/\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Hackers exploit leaked Shellter Elite tool to spread infostealers as vendor responds with secured update<\/strong><br> On July 3, Elastic Security Labs revealed that hackers have been abusing a leaked copy of Shellter Elite v11.0, a red team AV\/EDR evasion tool, to deploy infostealers like Rhadamanthys and Lumma via phishing e-mails and YouTube comments. Shellter confirmed the misuse stemmed from a recently licensed customer, criticised Elastic for delayed disclosure, and released a secured v11.1 update, restricting future access to vetted clients only. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.elastic.co\/security-labs\/taking-shellter\">link<\/a> <\/p><p><strong>Researchers uncover malware in trusted Chrome and Edge extensions installed by 2.3 million users<\/strong><br> On July 8, Koi Security researchers reported a widespread malware campaign named \u201cRedDirection,\u201d involving 18 malicious extensions on Google Chrome and Microsoft Edge.
Trusted by both companies and installed by over\u202f2.3\u202fmillion users, the extensions secretly hijacked browser traffic, harvested URLs, and redirected users via command-and-control servers\u2014often long after installation and store verification. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.koi.security\/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5\">link<\/a> <\/p><p><strong>Cybercrime threat actor UNC3944 pivots to vSphere for stealthy ransomware deployment<\/strong><br> On July 23, a Google report detailed a campaign conducted by cybercrime threat actor UNC3944 (a.k.a. Scattered Spider) targeting retail, airline and transportation organisations in the US, using social engineering to access VMware vSphere via compromised Active Directory accounts. The threat actor hijacked vCenter, exfiltrated data from domain controllers using hypervisor-level disk swaps, sabotaged backups, and deployed ransomware from ESXi hosts. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/defending-vsphere-from-unc3944\">link<\/a> <\/p><p><strong>Fake Cloudflare verification screen used to deliver undetected malware<\/strong><br> On July 4, unknown threat actors launched a malware campaign using fake Cloudflare CAPTCHA screens to deceive users into running malicious PowerShell commands. The page injected code via the clipboard and contacted a command-and-control server using embedded webhooks. It fetched payloads from pastesio[.]com and axiomsniper[.]info, with evasion checks for virtual machines. The final BAT file showed zero detections on VirusTotal at the time of discovery.
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybersecuritynews.com\/hackers-use-fake-cloudflare-verification-screen\/\">link<\/a> <\/p><p><strong>Akira ransomware exploits SonicWall SSL VPN in July 2025 surge<\/strong><br> In July 2025, Arctic\u202fWolf observed a surge in Akira ransomware attacks exploiting SonicWall SSL\u202fVPN connections for initial access, including on fully patched devices\u2014suggesting a likely zero\u2011day vulnerability. These breaches began around July 15, often leading to rapid encryption following VPN logins, sometimes within hours. Credential-based attacks (e.g. brute force) remain possible vectors, according to Arctic\u202fWolf\u2019s ongoing investigation. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn\/\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks-2\">Data exposure and leaks<\/h3><p><strong>Dell confirms breach of demo platform by World Leaks extortion group, no sensitive data exposed<\/strong><br> On July 21, Dell confirmed that the World Leaks extortion group, formerly Hunters International, breached its Customer Solution Centers, a test environment isolated from core systems, stealing mostly synthetic and non-sensitive data. Although 1.3 TB of data was leaked, Dell states no sensitive customer or corporate data was involved, while World Leaks continues its shift toward data extortion over ransomware, citing profitability and risk concerns.
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dell-confirms-breach-of-test-lab-platform-by-world-leaks-extortion-group\/\">link<\/a> <\/p><p><strong>Leaked datasets expose Chinese cyber contractors\u2019 government ties<\/strong><br> On July 1, SpyCloud reported that leaked data from VenusTech and Salt Typhoon, posted in May on DarkForums, expose their offensive cybersecurity work for Chinese state entities. The samples reveal intelligence targets across Asia and Europe, and link three Chinese companies to Salt Typhoon operations, highlighting China\u2019s expanding offensive cyber contractor ecosystem. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/spycloud.com\/blog\/state-secrets-for-sale-chinese-hacking\/\">link<\/a> <\/p><h3 id=\"disruption-destruction-2\">Disruption &amp; destruction<\/h3><p><strong>Russia's Aeroflot cancels flights after pro-Ukrainian hackers claim cyberattack<\/strong><br> On July\u202f28, Russia\u2019s flag carrier Aeroflot had to cancel around 42\u201350 flights from Moscow\u2019s Sheremetyevo due to a massive cyberattack on its IT systems. The pro\u2011Ukraine hacker groups \u201cSilent\u202fCrow\u201d and \u201cCyber\u202fPartisans\u202fBY\u201d claimed responsibility, saying they infiltrated and destroyed about 7.000 servers, dumping flight databases and communications data. Russian prosecutors have since launched a criminal investigation into the breach. Flying and booking services remain disrupted while recovery efforts continue. 
<code>russia<\/code> <code>ukraine<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/business\/2025\/jul\/28\/russia-aeroflot-cancels-flights-pro-ukraine-hackers-cyber-attack\">link<\/a> <\/p><h4 id=\"opportunistic\">Opportunistic<\/h4><p><strong>Patches available for critical vulnerabilities in SharePoint exploited in global ToolShell campaign<\/strong><br> On July 20, Microsoft published guidance for CVE-2025-53770, a critical deserialisation vulnerability in on-premises SharePoint Server with a CVSS score of 9.8. Eye Security reported large-scale exploitation beginning July 18 through an exploit chain dubbed ToolShell, which gives attackers remote code execution and lets them steal the server\u2019s cryptographic keys. Because of that key theft, Microsoft\u2019s guidance also calls for rotating the ASP.NET machine keys after patching: a patched server whose keys are already known to the attacker remains exposed. Proof-of-concept exploits are public and active campaigns exploiting the ToolShell chain have been confirmed. Emergency patches for SharePoint Subscription Edition, SharePoint Server 2019 and SharePoint Server 2016 are available. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\">link<\/a> <\/p><p><strong>CrushFTP vulnerability exploited to gain unauthorised administrative access<\/strong><br> On July 18, CrushFTP observed exploitation of a previously patched vulnerability affecting versions below 10.8.5 and 11.3.4_23. The activity likely began on July 17, probably after attackers reverse-engineered the code changes in the fix. The flaw allowed unauthenticated administrative access over HTTP(S). Indicators of compromise include modified user.XML files and unauthorised admin accounts. Unpatched systems remain exposed to compromise. 
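
The two indicators in the advisory translate directly into a hunt. The script below is an added example, not code from CrushFTP or from the advisory linked here: it parses user store files for admin accounts that are missing from a sanctioned list and flags files whose modification time is later than a known-good baseline. The element names (user, username, admin), the sanctioned-admin list and the sample file contents are assumptions constructed for the example rather than CrushFTP's real schema, so map them to the real user.XML layout before use.

```python
'''Hunt for the two CrushFTP indicators named in the advisory: admin
accounts that nobody sanctioned, and user store files changed after the
last known-good snapshot.

Added example, not CrushFTP code. The element names <user>, <username>
and <admin> are an assumed, simplified layout; map them to the real files.
'''
import os
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Sanctioned administrators (assumption for the example).
EXPECTED_ADMINS = frozenset({'crushadmin'})

# Constructed sample of what a user store might look like after an
# attacker added an admin account through the unauthenticated path.
SAMPLE_USER_XML = '''<users>
  <user><username>crushadmin</username><admin>true</admin></user>
  <user><username>backup_svc</username><admin>false</admin></user>
  <user><username>7a3f9c</username><admin>true</admin></user>
</users>'''


def admin_accounts(xml_text):
    '''Return the set of usernames whose admin flag is true.'''
    root = ET.fromstring(xml_text)
    admins = set()
    for user in root.iter('user'):
        name = (user.findtext('username') or '').strip()
        flag = (user.findtext('admin') or 'false').strip().lower()
        if name and flag == 'true':
            admins.add(name)
    return admins


def unexpected_admins(xml_text, expected=EXPECTED_ADMINS):
    '''Admin accounts present in the store but absent from the sanctioned list.'''
    return sorted(admin_accounts(xml_text) - set(expected))


def modified_after(mtime_epoch, baseline_iso):
    '''True if a file mtime (epoch seconds) is later than the baseline timestamp.'''
    baseline = datetime.fromisoformat(baseline_iso)
    if baseline.tzinfo is None:
        baseline = baseline.replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(mtime_epoch, tz=timezone.utc) > baseline


def audit_user_store(xml_text, mtime_epoch, baseline_iso, expected=EXPECTED_ADMINS):
    '''Combine both checks for one user store file.'''
    return {
        'unexpected_admins': unexpected_admins(xml_text, expected),
        'modified_after_baseline': modified_after(mtime_epoch, baseline_iso),
    }


def audit_directory(root_dir, baseline_iso, expected=EXPECTED_ADMINS):
    '''Walk an install tree and audit every user.XML found (case-insensitive name match).'''
    findings = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for filename in filenames:
            if filename.lower() != 'user.xml':
                continue
            path = os.path.join(dirpath, filename)
            with open(path, encoding='utf-8') as fh:
                findings[path] = audit_user_store(
                    fh.read(), os.path.getmtime(path), baseline_iso, expected)
    return findings


if __name__ == '__main__':
    # 1752969600 is 2025-07-20T00:00:00Z; the baseline is an assumed
    # pre-exploitation snapshot taken on 2025-07-16.
    print(audit_user_store(SAMPLE_USER_XML, 1752969600, '2025-07-16T00:00:00+00:00'))
```

Run audit_directory() against the CrushFTP install root with a baseline timestamp taken before July 17, the earliest activity date in the advisory. A file that is both modified after the baseline and carries an unlisted admin account deserves an incident response look (session logs, uploaded files, outbound connections) rather than a quiet cleanup of the account.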
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.crushftp.com\/crush11wiki\/Wiki.jsp?page=CompromiseJuly2025\">link<\/a> <\/p><p><strong>Cisco Identity Services Engine vulnerabilities exploited in the wild<\/strong><br> On July 21, Cisco updated its advisory for critical vulnerabilities in Identity Services Engine (ISE) to note that it has observed exploitation attempts in the wild. The vulnerabilities (CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337) allow an unauthenticated remote attacker to execute commands as root. Patches have been released for the affected releases (3.3 and 3.4). <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-ise-unauth-rce-ZAd2GnJ6\">link<\/a> <\/p><p><strong>Google fixes Chrome zero-day exploited for sandbox escape<\/strong><br> On July 15, Google released a patch for CVE-2025-6558, a high-severity vulnerability actively exploited to escape Chrome\u2019s sandbox. The flaw, insufficient validation of untrusted input in the ANGLE and GPU components, allowed a remote attacker to escape the sandbox via a crafted HTML page. Users should update Chrome to version 138.0.7204.157 or later. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/chromereleases.googleblog.com\/2025\/07\/stable-channel-update-for-desktop_15.html\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. 
They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\"><h2 id=\"cyber-brief-july-2025\">Cyber Brief (July 2025)<\/h2><p>4 August 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 287 open-source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>On <strong>cyber policy and law enforcement<\/strong>, the EU, the UK and the US imposed sanctions on Russian entities over their involvement in cyberattacks and disinformation campaigns. In addition, two more EU countries banned DeepSeek AI, citing security concerns.<\/p><\/li><li><p>On <strong>cyberespionage<\/strong>, China-linked threat actors were identified as being behind the ToolShell campaign, which exploits vulnerabilities in SharePoint. 
Meanwhile, the Russia-linked threat actor Turla targeted diplomats in Moscow.<\/p><\/li><li><p>On <strong>cybercrime<\/strong>, researchers discovered malware in trusted Chrome and Edge extensions installed by about 2.3 million users, while researchers identified an uptick in Akira ransomware attacks exploiting SonicWall SSL VPN.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> incidents causing operational outages at two EU telecommunications companies. In addition, Russia's Aeroflot cancelled flights after pro-Ukrainian hackers claimed responsibility for a cyberattack.<\/p><\/li><li><p>Regarding <strong>data exposure and leak<\/strong> incidents, in Europe an unsecured server exposed years of data belonging to Swedish citizens. Swiss healthcare giant AMEOS reported a data breach affecting patients, staff and partners. 
Globally, Dell confirmed a breach by an extortion group, and leaked datasets revealed ties between Chinese cyber contractors and the government.<\/p><\/li><li><p>On <strong>information operations<\/strong>, at least four Russian operations targeting European countries were identified, highlighting ongoing information manipulation and disinformation efforts.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>EU targets Russian disinformation networks and electronic warfare operations with new sanctions<\/strong><br>On July 15, the EU Council sanctioned nine individuals and six entities, including media groups, think tanks and a GRU officer linked to Unit 74455, for spreading pro-Russia disinformation and conducting electronic warfare that disrupted civil aviation. 
These sanctions reinforce the EU's commitment to countering Russian hybrid threats amid the ongoing war between Russia and Ukraine.<code>russia<\/code> <code>sanctions<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2025\/07\/15\/russian-hybrid-threats-eu-lists-nine-individuals-and-six-entities-responsible-for-destabilising-actions-in-the-eu-and-ukraine\/\">link<\/a> <\/p><p><strong>UK sanctions Russian GRU units and agents for cyberattacks and disinformation<\/strong><br>On July 18, the United Kingdom sanctioned three Russian GRU military units, 18 individuals and a disinformation outlet for cyberespionage, information operations and support for Russia's war in Ukraine, including the targeting of Yulia Skripal in 2013 and support for attacks against Ukrainian civilians.<code>russia<\/code> <code>sanctions<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.gov.uk\/government\/news\/uk-sanctions-russian-spies-at-the-heart-of-putins-malicious-regime\">link<\/a> <\/p><p><strong>Germany asks for DeepSeek AI to be removed from app stores<\/strong><br>On June 27, the German data protection commissioner asked Apple and Google to remove DeepSeek AI from the German app stores, citing the unauthorised transfer of personal data to China without the standard EU safeguards. The move follows similar actions by Italy and the Netherlands. DeepSeek has not demonstrated compliance with the GDPR or the Digital Services Act. 
Apple and Google are currently reviewing the request.<code>ban<\/code> <code>artificial intelligence<\/code> <code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.datenschutz-berlin.de\/pressemitteilung\/berliner-datenschutzbeauftragte-meldet-ki-app-deepseek-in-deutschland-bei-apple-und-google-als-rechtswidrigen-inhalt\/\">link<\/a> <\/p><p><strong>Czech Republic bans DeepSeek AI over data security concerns<\/strong><br>On July 9, the Czech government banned the use of the Chinese AI start-up DeepSeek in public administration, citing data security risks and concerns about the Chinese government's access to stored information. The move follows similar restrictions in Germany, Italy and the Netherlands.<code>ban<\/code> <code>artificial intelligence<\/code> <code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/world\/china\/czech-government-bans-deepseek-usage-public-administration-2025-07-09\/\">link<\/a> <\/p><p><strong>Denmark introduces copyright law to combat deepfake misuse<\/strong><br>On June 26, the Danish government announced new copyright legislation to protect citizens from AI-generated deepfakes, allowing individuals to object to the unauthorised use of their bodies, faces or voices and to request the removal of such content from online platforms. 
This law, a first in Europe, comes amid a sharp rise in deepfake fraud, which grew by over 1,300% in 2024 and now drives nearly half of all fraud attempts worldwide.<code>regulation<\/code> <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/technology\/2025\/jun\/27\/deepfakes-denmark-copyright-law-artificial-intelligence\">link<\/a> <\/p><p><strong>Chinese hacker linked to the Silk Typhoon group arrested in Italy<\/strong><br>On July 3, a Chinese national, Xu Zewei, was arrested in Milan on a US warrant over alleged ties to the state-backed Silk Typhoon group. He is accused of cyberattacks targeting US organisations, including 2020 campaigns aimed at stealing COVID-19 vaccine research and public health data.<code>China<\/code> <code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ansa.it\/english\/newswire\/english_service\/2025\/07\/07\/ansachinese-spy-arrested-in-italy-on-us-warrant_9f5bbfe6-74ef-4f78-bb1e-fcf01f755652.html\">link<\/a> <\/p><p><strong>Europol and Eurojust coordinate takedown of hacktivist group NoName057(16)<\/strong><br>On July 15, Europol and Eurojust coordinated a multinational operation that dismantled the pro-Russian hacktivist group NoName057(16), which conducted DDoS attacks against European infrastructure. Over 100 servers were seized, seven arrest warrants were issued and 4,000 supporters were identified. 
The group's leaders are believed to reside in the Russian Federation.<code>russia<\/code> <code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.eurojust.europa.eu\/news\/hacktivist-group-responsible-cyberattacks-critical-infrastructure-europe-taken-down\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage and prepositioning<\/h3><p><strong>Houken exploited three Ivanti zero-days in September 2024 to breach French government and telecommunications entities<\/strong><br>On July 1, ANSSI, the French National Cybersecurity Agency, publicly reported that in September 2024 a threat actor named Houken sought to gain initial access to French entities by exploiting zero-days. Specifically, Houken exploited three zero-day vulnerabilities in the Ivanti Cloud Service Appliance (CSA) devices of French entities in the government, telecommunications, media, finance and transport sectors.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cert.ssi.gouv.fr\/uploads\/CERTFR-2025-CTI-009.pdf\">link<\/a> <\/p><p><strong>India-linked Patchwork uses Google Drive to target a European foreign ministry with phishing<\/strong><br>On July 8, Trellix reported that India-linked Patchwork sent spearphishing emails impersonating defence officials to a southern European foreign ministry. Victims clicked a Google Drive link that delivered a malicious RAR archive, which installed the \u201cLoptikMod\u201d backdoor via scheduled tasks to ensure persistent access. 
While Patchwork typically targets government and defence entities in South Asia, this operation likely signals an expansion of interest toward European diplomatic entities.<code>diplomacy<\/code> <code>India<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trellix.com\/blogs\/research\/from-click-to-compromise-unveiling-the-sophisticated-attack-of-donot-apt-group-on-southern-european-government-entities\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>North Korean IT workers infiltrate European tech firms under false identities<\/strong><br>On July 10, Le Monde reported that North Korean IT workers, using false identities and nationalities, are infiltrating Western companies, initially in the US and now in France, to earn salaries that are redirected to the regime or used for extortion. 
One example is the US crypto firm Iqlusion, which unknowingly hired such developers and was later alerted by the FBI to their ties to North Korea.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lemonde.fr\/pixels\/article\/2025\/07\/10\/comment-la-coree-du-nord-infiltre-ses-experts-informatiques-au-c-ur-des-entreprises-occidentales_6620374_4408996.html\">link<\/a> <\/p><h3 id=\"disruption-destruction\">Disruption and destruction<\/h3><p><strong>Dutch Public Prosecution Service taken offline after Citrix breach, operations severely disrupted<\/strong><br>On July 18, the Dutch Public Prosecution Service (Openbaar Ministerie, OM) shut down all internet access after discovering that hackers had likely exploited the Citrix Bleed 2 vulnerability, causing a major operational outage. The disruption may last for weeks, severely limiting remote access, email and the editing of digital files, raising concerns about the potential impact on ongoing legal proceedings and signalling a serious cybersecurity breach at a critical government institution.<code>justice<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.om.nl\/actueel\/nieuws\/2025\/07\/21\/werk-om-mogelijk-komende-weken-nog-verstoord\">link<\/a> <\/p><p><strong>Orange Group suffers a cyberattack affecting some services for businesses in France<\/strong><br>On July 25, Orange Group suffered a cyberattack that caused service disruptions for some business and consumer customers, located mainly in France. No data breach has been identified. 
Services are being progressively restored under enhanced monitoring. A formal complaint has been filed and the authorities are involved.<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/newsroom.orange.com\/le-groupe-orange-annonce-avoir-depose-plainte-lundi-28-juillet-pour-atteinte-a-un-de-ses-systemes-dinformation\/?lang=fra\">link<\/a> <\/p><p><strong>Luxembourg's POST outage on July 23 was caused by a sophisticated cyberattack<\/strong><br>On July 23, Luxembourg's POST suffered a four-hour nationwide outage affecting mobile, fixed-line and internet services, including emergency numbers, due to a targeted, exceptionally advanced and sophisticated cyberattack. According to POST and the government crisis unit, the malicious actors exploited a software vulnerability to disrupt services. Internal systems were not breached, no customer data was compromised, and services were restored by the evening, with investigations ongoing.<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.luxtimes.lu\/luxembourg\/post-luxembourg-outage-caused-by-a-targeted-cyberattack-firm-confirms\/80019668.html\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Russia exploited the no-confidence vote to undermine EU unity<\/strong><br>On July 22, El Pa&iacute;s reported that Russia exploited the recent censure vote against European Commission President Ursula von der Leyen to polarise the EU, using pro-Kremlin disinformation networks to frame the motion as a rebellion against corruption. 
Analysts identified over 20,000 coordinated posts across platforms, revealing a broader effort by Russia-linked actors to distort European democratic processes and amplify anti-EU narratives at politically sensitive moments.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/english.elpais.com\/international\/2025-07-22\/russia-used-the-vote-of-no-confidence-against-von-der-leyen-to-stir-up-polarization-in-the-eu.html\">link<\/a> <\/p><p><strong>Russia-linked Storm-1516 impersonates journalists to spread disinformation across Europe<\/strong><br>On July 7, the Gnida Project reported that the Russia-linked Storm-1516 network has been impersonating journalists since May to spread disinformation in Moldova, Armenia, France and Germany. By hijacking the real identities of reporters, the group seeks to boost the credibility of false narratives aligned with Russian interests, such as undermining Western alliances and discrediting leaders, while using fake media sites to amplify these messages. 
The Gnida Project tracks and analyses disinformation operations.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/gnidaproject.substack.com\/p\/disinformation-update-stolen-identities\">link<\/a> <\/p><p><strong>Russia-linked \u201cMatryoshka\u201d disinformation campaign intensifies its focus on Moldova with evolving tactics<\/strong><br>On July 17, the Institute for Strategic Dialogue (ISD Global), a London-based non-profit that counters disinformation, reported that the Russia-linked \u201cMatryoshka\u201d operation intensified its focus on Moldova in Q2 2025. It impersonated media outlets and used AI to spread English-language content on TikTok and X, among other major platforms.<code>moldova<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.isdglobal.org\/digital_dispatches\/operation-overloads-underwhelming-influence-and-evolving-tactics\/\">link<\/a> <\/p><p><strong>Russian disinformation campaign cloned a UK 999 call handler with AI<\/strong><br>On July 31, BBC Verify revealed that the voice of a UK 999 emergency call handler had been cloned using AI for a Russia-linked disinformation campaign. The synthetic voice, taken from an NHS training video, was used to spread fear ahead of Poland's May 2025 presidential election. 
The real call handler, Aaron, was shocked by how realistic it was.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bbc.com\/news\/live\/ce35ly75ppkt?post=asset%3Ac8d1c46f-1b14-49bc-83d7-7a8b20345eee#post\">link<\/a><\/p><p><strong>China spread disinformation to undermine French Rafale jet sales<\/strong><br>On July 6, French intelligence services reported that China used its embassies to spread false claims about the performance of Rafale jets during the India-Pakistan clashes, aiming to damage French arms sales and promote Chinese alternatives, targeting in particular countries such as Indonesia.<code>China<\/code> <code>defence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/apnews.com\/article\/france-china-pakistan-india-defense-rafale-64eec86b6e89718d6a49d8fdedf565f4\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Unsecured server exposes years of Swedish citizens' data<\/strong><br>On July 24, Cybernews reported that an unsecured Elasticsearch server exposed over 100 million detailed records on Swedish citizens and companies, including names, identity numbers, tax data, debt histories and address logs from 2019 to 2024. 
Believed to originate from a third-party client of the Nordic company Risika, the leak poses a serious risk of identity theft and financial profiling for phishing and corporate espionage.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybernews.com\/security\/risika-swedish-data-exposed\/\">link<\/a> <\/p><p><strong>Swiss healthcare giant AMEOS reports data breach affecting patients, staff and partners<\/strong><br>On July 21, the Swiss hospital group AMEOS announced a security breach affecting its IT systems, potentially exposing sensitive data of patients, employees and partners across its network of over 100 healthcare facilities in Central Europe. Although no evidence of data misuse has yet emerged, AMEOS shut down systems, notified the authorities and launched a forensic investigation, warning affected individuals to remain alert to possible phishing or fraud attempts.<code>healthcare<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ameos.eu\/datenschutz\/datenschutzvorfall-gem-art-34-dsgvo\/\">link<\/a> <\/p><p><strong>Threat actor threatens to leak 106 GB of data allegedly belonging to Telef&oacute;nica<\/strong><br>On July 4, BleepingComputer reported on a threat actor affiliated with the Hellcat ransomware group who threatened to leak 106 GB of data allegedly stolen from the Spanish telecommunications company Telef&oacute;nica. 
The threat actor claims to have breached the company through a Jira misconfiguration, similar to the January cyberattack. However, there is currently no indication that the leaked data is recent, and the company denies the threat actor's claims.<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/hacker-leaks-telef-nica-data-allegedly-stolen-in-a-new-breach\/\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Microsoft used China-based engineers to support the US Department of Defense<\/strong><br>On July 25, the investigative journalism non-profit ProPublica revealed that Microsoft relied on China-based engineers to support US Department of Defense and other federal systems, supervised by US \u201cdigital escorts\u201d who reportedly often lacked technical expertise. 
In response, Microsoft announced that it will no longer use China-based engineering teams to support US government cloud services, a practice that has now ceased amid growing US national security scrutiny.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.propublica.org\/article\/microsoft-tech-support-government-cybersecurity-china-doj-treasury\">link<\/a> <\/p><p><strong>US sanctions Russian hosting company Aeza Group for supporting cybercrime and disinformation<\/strong><br>On July 1, the US Treasury Department sanctioned the Russian hosting company Aeza Group and four of its operators for providing bulletproof hosting services to cybercriminals, including ransomware gangs, infostealer platforms and darknet drug markets. The sanctions target Aeza's involvement with groups such as BianLian and RedLine and its role in Russian disinformation campaigns, and prohibit US entities from doing business with the group or its affiliates.<code>russia<\/code> <code>sanctions<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sb0185\">link<\/a> <\/p><p><strong>Interpol's Operation Secure disrupts major infostealer networks in Asia-Pacific<\/strong><br>On June 11, Interpol announced that Operation Secure, a coordinated effort with 26 Asia-Pacific countries, took down over 20,000 malicious assets and seized 41 servers used by infostealer networks, uncovering over 200,000 victims. 
Despite these successes, including multiple arrests and the dismantling of 79% of the identified infrastructure, officials warn that cybercriminals are likely to rebuild their operations on alternative platforms because corporate fraud and stolen data remain profitable.<code>arrests<\/code> <code>seizure<\/code> <code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/News-and-Events\/News\/2025\/20-000-malicious-IPs-and-domains-taken-down-in-INTERPOL-infostealer-crackdown\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage and prepositioning<\/h3><p><strong>Microsoft links China-linked APTs to the ToolShell campaign exploiting SharePoint vulnerabilities<\/strong><br>On July 22, Microsoft confirmed that part of the malicious activity exploiting SharePoint vulnerabilities in the ToolShell campaign has been attributed to the China-linked groups APT27 (Linen Typhoon), APT31 (Violet Typhoon) and Storm-2603. 
APT27 and APT31 focused on espionage and data theft, while Storm-2603 deployed ransomware using the same vulnerabilities.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/22\/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities\/\">link<\/a> <\/p><p><strong>China-linked hackers step up cyberattacks on Taiwan's semiconductor sector amid US-China tensions<\/strong><br>On July 16, Proofpoint revealed that at least three China-linked hacking groups intensified cyberespionage campaigns targeting 15-20 Taiwanese semiconductor firms and financial analysts, including those at a US-headquartered bank, between March and June 2025, reflecting a persistent interest in disrupting and exploiting Taiwan's semiconductor supply chain and its supporting industries.<code>China<\/code> <code>semiconductor industry<\/code> <code>Taiwan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/phish-china-aligned-espionage-actors-ramp-up-taiwan-semiconductor-targeting\/\">link<\/a> <\/p><p><strong>Chinese state-backed hackers breach US nuclear agency via Microsoft SharePoint zero-day<\/strong><br>On July 23, the US National Nuclear Security Administration (NNSA) confirmed that it had been breached via a Microsoft SharePoint zero-day vulnerability chain, in a large-scale cyberattack attributed to Chinese state-sponsored actors. 
While the Department of Energy reported minimal disruption and no exposure of classified data, the incident is part of a broader campaign affecting over 400 servers and 148 organisations globally.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/us-nuclear-weapons-agency-hacked-in-microsoft-sharepoint-attacks\/\">link<\/a> <\/p><p><strong>China-linked campaign infiltrated a US National Guard network for nine months<\/strong><br>On July 15, US authorities confirmed that the Salt Typhoon cyberespionage group had infiltrated the Army National Guard network of a US state from March to December 2024. The campaign accessed network diagrams, geographic data and service members' personal data, raising concerns about further compromise of state-level cybersecurity partners and law enforcement fusion centres.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.documentcloud.org\/documents\/25998809-20250611-dhs-salt-typhoon\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor Turla runs an adversary-in-the-middle campaign targeting diplomats in Moscow<\/strong><br>On July 31, Microsoft Threat Intelligence reported on a cyberespionage campaign by the Russia-linked threat actor Secret Blizzard, also known as Turla. The campaign targets embassies located in Moscow, using an adversary-in-the-middle (AiTM) position to deploy the custom ApolloShadow malware. 
ApolloShadow installs a trusted root certificate to trick devices into trusting actor-controlled malicious sites, allowing Turla to maintain persistence on diplomatic devices, likely for intelligence collection.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/07\/31\/frozen-in-transit-secret-blizzards-aitm-campaign-against-diplomats\/\">link<\/a><\/p><p><strong>North Korea-linked threat actor delivers XORIndex malware via 67 npm packages<\/strong><br>On 15 July, researchers revealed that North Korean actors had uploaded 67 malicious packages to the npm repository, delivering the new XORIndex loader to developer systems. The campaign, linked to the Contagious Interview operation, used postinstall scripts to deploy payloads such as BeaverTail and InvisibleFerret. 
Over 17,000 downloads were recorded before takedown reports were filed.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/north-korean-xorindex-malware-hidden-in-67-malicious-npm-packages\/\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Hackers exploit leaked Shellter Elite tool to spread infostealers as vendor responds with secured update<\/strong><br>On 3 July, Elastic Security Labs revealed that hackers had abused a leaked copy of Shellter Elite v11.0, an AV\/EDR evasion tool for red teams, to deploy infostealers such as Rhadamanthys and Lumma via phishing emails and YouTube comments. Shellter confirmed that the misuse originated from a recently licensed customer, criticised Elastic for delayed disclosure and released a secured v11.1 update, restricting future access to verified customers only.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.elastic.co\/security-labs\/taking-shellter\">link<\/a> <\/p><p><strong>Researchers discover malware in trusted Chrome and Edge extensions installed by 2.3 million users<\/strong><br>On 8 July, KOI security researchers reported a large-scale malware campaign named &ldquo;RedDirection&rdquo;, involving 18 malicious extensions on Google Chrome and Microsoft Edge. 
Trusted by both companies and installed by over 2.3 million users, the extensions secretly hijacked browser traffic, collected URLs and redirected users through command-and-control servers - often long after installation and store verification.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.koi.security\/google-and-microsoft-trusted-them-2-3-million-users-installed-them-they-were-malware-fb4ed4f40ff5\">link<\/a> <\/p><p><strong>Cybercrime threat actor UNC3944 pivots to vSphere for rapid ransomware deployment<\/strong><br>On 23 July, a Google report detailed a campaign by the cybercrime threat actor UNC3944 (aka Scattered Spider) targeting US retail, airline and transportation organisations, using social engineering to access VMware vSphere through compromised Active Directory accounts. The threat actor hijacked vCenter, exfiltrated data from domain controllers using hypervisor-level disk swaps, sabotaged backups and deployed ransomware from ESXi hosts.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/defending-vsphere-from-unc3944\">link<\/a> <\/p><p><strong>Fake Cloudflare verification screen used to deliver undetected malware<\/strong><br>On 4 July, unknown threat actors launched a malware campaign using fake Cloudflare CAPTCHA screens to trick users into running malicious PowerShell commands. The page injected code via the clipboard and contacted a command-and-control server using embedded webhooks. 
It fetched payloads from pastesio[.]com and axiomsniper[.]info, with virtual machine evasion checks. The final BAT file showed no detections on VirusTotal at the time of discovery.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybersecuritynews.com\/hackers-use-fake-cloudflare-verification-screen\/\">link<\/a> <\/p><p><strong>Akira ransomware exploits SonicWall SSL VPN in July 2025 surge<\/strong><br>In July 2025, Arctic Wolf observed an uptick in Akira ransomware attacks exploiting SonicWall SSL VPN connections for initial access, including on fully patched devices &ndash; suggesting a likely zero-day vulnerability. These breaches began around 15 July, often leading to rapid encryption following VPN logins, sometimes within hours. Credential-based attacks (e.g. brute force) remain possible vectors according to Arctic Wolf's ongoing investigation.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-july-2025-uptick-in-akira-ransomware-activity-targeting-sonicwall-ssl-vpn\/\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks-2\">Data exposure and leaks<\/h3><p><strong>Dell confirms breach of demo platform by World Leaks extortion group, no sensitive data exposed<\/strong><br>On 21 July, Dell confirmed that the World Leaks extortion group, formerly Hunters International, had breached its Customer Solution Centers, a test environment isolated from core systems, stealing mostly synthetic, non-sensitive data. 
Although 1.3 TB of data was leaked, Dell states that no sensitive customer or company data was involved, while World Leaks continues its shift from ransomware toward data extortion, citing profitability concerns and risks.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/dell-confirms-breach-of-test-lab-platform-by-world-leaks-extortion-group\/\">link<\/a> <\/p><p><strong>Leaked datasets reveal Chinese cyber contractors' government ties<\/strong><br>On 1 July, SpyCloud reported that data leaked from VenusTech and Salt Typhoon, posted in May on DarkForums, exposes their offensive cybersecurity work for Chinese state entities. The samples reveal intelligence targets in Asia and Europe and link three Chinese companies to Salt Typhoon operations, highlighting the expansion of China's offensive cyber contractor ecosystem.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/spycloud.com\/blog\/state-secrets-for-sale-chinese-hacking\/\">link<\/a> <\/p><h3 id=\"disruption-destruction-2\">Disruption and destruction<\/h3><p><strong>Russia's Aeroflot cancels flights after pro-Ukrainian hackers claim cyberattack<\/strong><br>On 28 July, Russian carrier Aeroflot was forced to cancel around 42-50 flights from Moscow's Sheremetyevo due to a massive cyberattack on its IT systems. Pro-Ukraine hacker groups &ldquo;SilentCrow&rdquo; and &ldquo;CyberPartisansBY&rdquo; claimed responsibility, saying they had infiltrated and destroyed around 7,000 servers, dumping flight databases and communications data. 
Russian prosecutors have since opened a criminal investigation into the breach. Flight and booking services remain disrupted while recovery efforts continue.<code>russia<\/code> <code>Ukraine<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/business\/2025\/jul\/28\/russia-aeroflot-cancels-flights-pro-ukraine-hackers-cyber-attack\">link<\/a> <\/p><h4 id=\"opportunistic\">Opportunistic<\/h4><p><strong>Patches available for critical SharePoint vulnerabilities exploited in global ToolShell campaign<\/strong><br>On 20 July, Microsoft published guidance for CVE-2025-53770, a critical deserialisation vulnerability in on-premises SharePoint Server rated 9.8\/10. Eye Security reported widespread exploitation beginning 18 July through a chain dubbed ToolShell, enabling remote code execution and theft of cryptographic keys. Proof-of-concept exploits and an active campaign exploiting the ToolShell chain have been confirmed. Emergency patches for Subscription Edition, Server 2019 and Server 2016 are now available.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/msrc.microsoft.com\/blog\/2025\/07\/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770\/\">link<\/a> <\/p><p><strong>CrushFTP vulnerability exploited to gain unauthorised administrative access<\/strong><br>On 18 July, CrushFTP observed exploitation of a previously patched vulnerability affecting versions below 10.8.5 and 11.3.4_23. Activity likely began on 17 July, following possible reverse engineering of the code changes. The flaw allowed unauthenticated administrative access over HTTP(S). 
Indicators include modified user.XML files and unauthorised admin accounts. Unpatched systems remain exposed to compromise.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.crushftp.com\/crush11wiki\/Wiki.jsp?page=CompromiseJuly2025\">link<\/a> <\/p><p><strong>Cisco Identity Services Engine vulnerabilities exploited in the wild<\/strong><br>On 21 July, Cisco updated an advisory on critical vulnerabilities affecting its Identity Services Engine, for which it has observed exploitation attempts in the wild. The vulnerabilities (CVE-2025-20281, CVE-2025-20282 and CVE-2025-20337) allow an unauthenticated attacker to execute code remotely, issuing commands as the root user. Fixes have been released for the affected products (versions 3.3 and 3.4).<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/sec.cloudapps.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-ise-unauth-rce-ZAd2GnJ6\">link<\/a> <\/p><p><strong>Google patches Chrome zero-day exploited for sandbox escape<\/strong><br>On 15 July, Google released a patch for CVE-2025-6558, a high-severity vulnerability actively exploited to escape the Chrome sandbox. The flaw, caused by insufficient input validation in the ANGLE and GPU components, allowed remote code execution via crafted HTML pages. 
Users are urged to update Chrome to version 138.0.7204.157 or later.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/chromereleases.googleblog.com\/2025\/07\/stable-channel-update-for-desktop_15.html\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document reflect only what publicly available sources report. They do not reflect our position.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <script>\n        function switchLanguage(lang) {\n            \/\/ Hide both versions\n            document.getElementById(\"content-ro\").style.display = \"none\";\n            document.getElementById(\"content-en\").style.display = \"none\";\n\n            \/\/ Reset button styles\n            document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n                btn.style.background = \"#e5e7eb\";\n                btn.style.color = \"#374151\";\n                btn.classList.remove(\"lang-btn-active\");\n            });\n\n            \/\/ Show the selected version\n            if (lang === \"ro\") {\n                document.getElementById(\"content-ro\").style.display = \"block\";\n                document.getElementById(\"btn-lang-ro\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-ro\").style.color = \"white\";\n                document.getElementById(\"btn-lang-ro\").classList.add(\"lang-btn-active\");\n            } else {\n                document.getElementById(\"content-en\").style.display = \"block\";\n                document.getElementById(\"btn-lang-en\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-en\").style.color = \"white\";\n               
 document.getElementById(\"btn-lang-en\").classList.add(\"lang-btn-active\");\n            }\n\n            \/\/ Save the preference in localStorage\n            localStorage.setItem(\"gpss_preferred_language\", lang);\n        }\n\n        \/\/ Restore the user's preference on load\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            var preferredLang = localStorage.getItem(\"gpss_preferred_language\") || \"ro\";\n            switchLanguage(preferredLang);\n        });\n\n        \/\/ Hover effects for the buttons\n        document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n            btn.addEventListener(\"mouseenter\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#bfdbfe\";\n                    this.style.color = \"#1e40af\";\n                }\n            });\n            btn.addEventListener(\"mouseleave\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#e5e7eb\";\n                    this.style.color = \"#374151\";\n                }\n            });\n        });\n        <\/script>\n\n        <style>\n        .lang-btn:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.3);\n        }\n        .lang-btn-active {\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.4);\n        }\n        <\/style>\n        ","protected":false},"excerpt":{"rendered":"<p>\ud83c\udf0d Limb\u0103 \/ Language: \ud83c\uddec\ud83c\udde7 English (Original) \ud83c\uddf7\ud83c\uddf4 Rom\u00e2n\u0103 Traducere automat\u0103 \/ Automatic translation Cyber Brief (July 2025)August 4, 2025 &#8211; Version: 1TLP:CLEARExecutive summaryWe analysed 287 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, the EU, UK, and US have imposed sanctions 
on Russian entities due to their involvement in [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"footnotes":""},"ti_category":[198],"ti_source":[172],"ti_severity":[187],"class_list":["post-992321","threat_intelligence","type-threat_intelligence","status-publish","hentry","ti_category-threat-actor","ti_source-cert-eu","ti_severity-critical"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992321","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/threat_intelligence"}],"version-history":[{"count":0,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992321\/revisions"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=992321"}],"wp:term":[{"taxonomy":"ti_category","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_category?post=992321"},{"taxonomy":"ti_source","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_source?post=992321"},{"taxonomy":"ti_severity","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_severity?post=992321"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}