{"id":992322,"date":"2025-11-03T00:45:12","date_gmt":"2025-11-02T21:45:12","guid":{"rendered":"https:\/\/gpss.ro\/threat-intelligence\/cyber-brief-25-07-june-2025\/"},"modified":"2025-11-03T00:45:12","modified_gmt":"2025-11-02T21:45:12","slug":"cyber-brief-25-07-june-2025","status":"publish","type":"threat_intelligence","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/cyber-brief-25-07-june-2025\/","title":{"rendered":"Cyber Brief 25-07 &#8211; June 2025"},"content":{"rendered":"\n        <div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n            <div 
class=\"article-content\"><h2 id=\"cyber-brief-june-2025\">Cyber Brief (June 2025)<\/h2><p>July 1, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 277 open-source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>Relating to <strong>cyber policy and law enforcement<\/strong>, the EU adopted a blueprint to better manage European cyber crises. The US warned of Iranian cyber threats to US critical infrastructure and is preparing to ban federal agencies from using AI tools from \"foreign adversaries.\" BreachForums operators were arrested in France.<\/p><\/li><li><p>On the <strong>cyberespionage<\/strong> front, in Europe, a Dutch minister warned of rising Chinese espionage on high-tech sectors; Paragon's Graphite spyware targeted journalists. Elsewhere, a Canadian telecom provider and the satellite company Viasat were revealed to have been hacked by China-linked Salt Typhoon, a Russia-linked threat actor targeted prominent academics, and the North Korea-linked Contagious Interview campaign continued targeting developers with supply-chain attacks. 
Related to the Israel\/Iran war, Iranian operatives impersonated a journalist to target Israeli officers with spyware.<\/p><\/li><li><p>Relating to <strong>cybercrime<\/strong>, several supply-chain attacks targeted developers through npm packages, while threat actors abused SonicWall and ConnectWise products, also in supply-chain attacks.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> incidents: Iran shut down its internet amid Israeli strikes, and a likely Iranian wiper was observed in Albania.<\/p><\/li><li><p>As regards <strong>data exposure and leaks<\/strong> incidents, a repackaged leak, drawn from 30 different datasets, exposed billions of old stolen credentials online.<\/p><\/li><li><p>Relating to <strong>information operations<\/strong>, a pro-Russia disinformation campaign targeted Moldova using fake Euronews accounts, while Israel warned of fake messages urging Israelis to avoid going into shelters.<\/p><\/li><li><p>On the <strong>hacktivism<\/strong> front, NoName057(16) targeted the NATO Summit with DDoS attacks and hinted at Dutch rail sabotage, while a supposed Israeli-linked hacktivist claimed to have breached an Iranian cryptocurrency platform.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>EU adopts a blueprint to better manage European cyber crises and incidents<\/strong><br> On June 6, the EU adopted a new blueprint to improve the management of large-scale cyber crises. It defines member states\u2019 roles in detection, response, and recovery, strengthens cooperation across technical and political levels, and integrates recent laws such as NIS2. The framework also promotes civilian-military cooperation and coordination with NATO to enhance Europe\u2019s cyber resilience. 
<code>policy<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2025\/06\/06\/eu-adopts-blueprint-to-better-manage-european-cyber-crises-and-incidents\/\">link<\/a><\/p><p><strong>UK Strategic Defence Review 2025: Enhancing offensive cyber capabilities and NATO integration<\/strong><br> On June 2, the UK Ministry of Defence published its Strategic Defence Review, highlighting key shifts such as new cyber investments, the launch of a Cyber and Electromagnetic (CyberEM) Command by end-2025, and deeper cyber integration with NATO. The Defence Secretary emphasised a proactive stance, including offensive cyber operations targeting Russia and China. <code>offensive capabilities<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/assets.publishing.service.gov.uk\/media\/683d89f181deb72cce2680a5\/The_Strategic_Defence_Review_2025_-_Making_Britain_Safer_-_secure_at_home__strong_abroad.pdf\">link<\/a><\/p><p><strong>BreachForums operators arrested in France in major cybercrime raid<\/strong><br> On June\u202f25, Le\u202fParisien reported that French police arrested five operators of the BreachForums cybercrime forum. Simultaneous raids in Hauts-de-Seine, Seine-Maritime and R\u00e9union netted \u201cShinyHunters,\u201d \u201cHollow,\u201d \u201cNoct,\u201d and \u201cDepressed,\u201d while IntelBroker had previously been arrested in February\u202f2025. The forum, used to trade stolen data and to breach corporate systems\u2014including a breach of France\u2019s national unemployment agency affecting 43\u202fmillion people\u2014has since gone offline. 
<code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.leparisien.fr\/high-tech\/la-police-interpelle-cinq-hackers-francais-de-haut-vol-derriere-un-celebre-forum-de-vol-de-donnees-25-06-2025-QJTPFTDPQZAP7B25MF24YLHU6E.php\">link<\/a><\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage &amp; prepositioning<\/h3><p><strong>Dutch Minister warns of rising Chinese espionage on high-tech sectors<\/strong><br> On May 31, the Dutch Defence Minister warned that Chinese cyberespionage targeting Dutch industries, particularly the semiconductor sector, is intensifying, with intellectual property theft as the key motive. He cited intelligence reports identifying China as the Netherlands\u2019 top cyber threat and stressed the need to reduce European dependence on China for critical raw materials, as Beijing increasingly leverages its economic position for geopolitical influence and pressure. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/business\/aerospace-defense\/chinese-spying-dutch-industries-intensifying-dutch-defence-minister-2025-05-31\/\">link<\/a><\/p><p><strong>APT28 targeted Ukrainian government agency with Beardshell backdoor and Covenant framework<\/strong><br> On June 21, CERT-UA reported on the Russia-linked APT28 compromising a Ukrainian government instance with the Beardshell backdoor. The threat actor sent a Signal message to the target with a <code>.doc<\/code> file containing a macro. When activated, the macro triggered a complex infection chain installing the Covenant framework in memory which was used to launch the backdoor, using the cloud storage services Icedrive and Koofr as control channels. 
<code>public administration<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cert.gov.ua\/article\/6284080\">link<\/a> <\/p><p><strong>Ukraine says it breached Russian warplane maker Tupolev, exposing strategic aviation data<\/strong><br> On June 4, Ukraine's military intelligence (HUR) claimed it hacked Russian warplane maker Tupolev, stealing 4.4GB of sensitive data including personnel records, internal communications, and design documents. The HUR said the breach, part of broader cyber operations targeting Russia\u2019s defence sector, exposed critical details of Russia\u2019s strategic aviation programs and followed the defacement of Tupolev\u2019s website and earlier cyberattacks on multiple Russian government agencies and military-linked organisations. <code>defence<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.kyivpost.com\/post\/53946\">link<\/a> <\/p><p><strong>UNC1151 targets Polish users via Roundcube exploit in credential theft campaign<\/strong><br> On June 5, CERT Polska reported that pro-Belarusian group UNC1151 exploited the Roundcube vulnerability CVE-2024-42009 in a spearphishing campaign targeting Polish entities to steal user credentials using JavaScript and malicious Service Workers. Though no exploitation of a newly discovered Roundcube vulnerability (CVE-2025-49113) has been observed, its potential use in future attacks heightens concerns about full server compromise through credential theft and phishing. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cert.pl\/en\/posts\/2025\/06\/unc1151-campaign-roundcube\/\">link<\/a> <\/p><p><strong>Possible iPhone spyware campaign detected targeting US and EU high-profile users<\/strong><br> On June 5, iVerify reported possible evidence of an iPhone spyware campaign targeting individuals in the US and EU, including government officials, political campaign members, and media personnel, via a now-patched iOS \"Nickname\" bug. While Apple denies any active exploitation, iVerify points to circumstantial signs, such as device crashes and Apple threat alerts, as warranting further investigation into potential high-level targeting linked to past Chinese surveillance activity. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.axios.com\/2025\/06\/05\/spyware-iphones-apple-iverify\">link<\/a> <\/p><p><strong>Paragon's Graphite spyware targets journalists via iOS zero-click exploit<\/strong><br> On June 12, The Citizen Lab reported forensic confirmation that Italian journalist Ciro Pellegrino and a prominent European journalist were targeted with Paragon\u2019s Graphite spyware via a zero-click iMessage exploit, CVE-2025-43200. Both cases link to the same threat actor. The findings highlight a wider cyberespionage effort against <code>Fanpage[.]it<\/code> and ongoing threats to journalists in Europe. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/citizenlab.ca\/2025\/06\/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><h3 id=\"disruption-destruction\">Disruption &amp; destruction<\/h3><p><strong>Swedish public service television SVT targeted with DDoS attacks<\/strong><br> From June 8 to June 11, an unknown threat actor launched DDoS attacks against the Swedish public service television company SVT, causing temporary downtime. 
This follows previous temporary disruptions of other widely used digital services, such as applications for eID and money transfers. Swedish Prime Minister Kristersson acknowledged continuous cyber threats targeting both state entities and critical firms. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/swedenherald.com\/article\/svt-and-swedish-parliament-websites-hit-by-overload-attacks\">link<\/a> <\/p><p><strong>Likely Iranian wiper observed targeting organisations in Albania<\/strong><br> On June 20, Symantec reported a wiper attack by the Iranian Druidfly group targeting organisations in Albania. Druidfly is known for its destructive attacks and espionage operations and targets countries hostile to Iran, including Albania and Israel. The group employs social engineering tactics, custom backdoors and ransomware such as DarkBit, the ransomware often serving as a cover for its destructive attacks. <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/threatintel\/status\/1936049254432231444\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Pro-Russian disinformation targets Moldova using fake Euronews accounts<\/strong><br> On June 3, Euronews reported a coordinated disinformation campaign by pro-Russian threat actors using AI-generated profiles to impersonate its staff on TikTok and X, spreading fake videos alleging criminality and instability in Moldova. Aimed at EU, NATO, and Ukrainian audiences, the operation mirrors tactics linked to \u201cOperation Overload,\u201d with content aligned to Russia\u2019s influence objectives and intended to undermine Western alliances. Euronews is actively removing the false material. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.euronews.com\/my-europe\/2025\/06\/03\/euronews-targeted-by-anti-moldova-disinformation-campaign\">link<\/a> <\/p><p><strong>Israel is using YouTube paid ads to justify its actions in Iran<\/strong><br> On June 18, an online news outlet reported that YouTube users are constantly seeing Israeli propaganda advertisements justifying its air strikes on Iran. They appear to target European countries, namely Germany, Italy, France, and the United Kingdom. Similar reports had been made since October 2023 in regard to Israel justifying its strikes on Gaza. <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.fudzilla.com\/news\/61216-iran-shores-up-cyber-defences\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>NoName057(16) targets NATO Summit with DDoS attacks and hints at Dutch rail sabotage<\/strong><br> On June 23\u201324, pro-Russia hacktivist group NoName057(16) launched DDoS attacks on Dutch and NATO websites, coinciding with NATO\u2019s 2025 summit. On June 24, they hinted at involvement in a Dutch train cable outage, suggesting it could be \u201cblamed\u201d on them and the DDoSia project. The Dutch Justice Ministry reported that the incident\u2014a fire damaging around 30 cables\u2014may be linked to sabotage. <code>russia<\/code> <\/p><p><strong>Killnet claims breach of Ukrainian airspace app following major drone attack<\/strong><br> On June 2, Killnet claimed responsibility for breaching a Ukrainian airspace-monitoring app and launched a Telegram channel sharing drone firmware, likely in response to Ukraine\u2019s June 1 \"Operation Spider Web,\" which damaged dozens of Russian military aircraft. Since reemerging in May 2025, Killnet has intensified efforts to regain notoriety by targeting Ukraine\u2019s drone operations, though the actual impact of its claimed hacks remains unclear. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/t.me\/WeAreKillnet_Channel\/16\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>US bill seeks to ban federal agencies from using DeepSeek, AI tools from \"foreign adversaries\"<\/strong><br> On June\u202f26, senators Rick\u202fScott and Gary\u202fPeters introduced the bipartisan No Adversarial AI Act, banning federal agencies from using AI tools from \u201cforeign adversaries\u201d\u2014China, Russia, Iran, and North Korea\u2014specifically citing concerns around China\u2019s DeepSeek, which may supply data to military\/intelligence sectors. The bill mandates a Federal Acquisition Security Council registry updated every 180\u202fdays and allows limited exemptions for vetted research and testing. <code>ban<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/bipartisan-bill-ban-deepseek-federal\">link<\/a> <\/p><p><strong>WhatsApp banned on US House staffers' devices<\/strong><br> On June 23, Axios reported that WhatsApp has been banned for use on government devices among House congressional staffers. The ban is in response to cybersecurity concerns for users, due to the lack of transparency in how it protects user data, absence of stored data encryption, and potential security risks involved with its use. <code>ban<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.axios.com\/2025\/06\/23\/whatsapp-house-congress-staffers-messaging-app\">link<\/a> <\/p><p><strong>US agencies warn of Iranian cyber threats to US critical infrastructure<\/strong><br> On June\u202f30, US agencies jointly issued an advisory alerting that Iranian-affiliated hackers and hacktivist groups may conduct malicious cyber activity\u2014despite a declared ceasefire and ongoing negotiations towards a permanent solution. 
They highlighted risks to critical infrastructure including energy, water, healthcare, transportation, and defence-linked networks, referencing past intrusions such as the 2023 Pennsylvania water facility breach. <code>united states<\/code> <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2025-06\/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf\">link<\/a><\/p><p><strong>ISACs warn US critical sectors of possible Iranian cyberattacks amid Israel tensions<\/strong><br> On June\u202f17, US critical infrastructure providers \u2014 especially in energy, water, transportation, communications, food &amp; agriculture, and IT \u2014 were urged to strengthen cybersecurity amid escalating Iran\u2013Israel tensions. The Food and Ag\u2011ISAC and IT\u2011ISAC issued joint alerts, warning of potential spillover from Iranian cyber operations targeting Israel, while Electricity, Aviation, Financial Services, and Water ISACs also heightened vigilance. <code>iran<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.com\/news\/2025\/06\/17\/us-critical-networks-iran-israel-cyber-attack-00411799\">link<\/a> <\/p><p><strong>US offers reward for information on Iran-linked Cyber Av3ngers<\/strong><br> Cyber Av3ngers, a threat actor known for targeting Israeli-made ICS and IoT devices, increased social media activity after recent Israel-Iran kinetic activity. On June 12, the US State Department\u2019s Rewards for Justice offered 10 million US dollars for information on Cyber Av3ngers, Mr Soul, or affiliates. The US government links the group to Iran\u2019s IRGC-CEC and attributes cyberattacks on US critical infrastructure to the threat actor. 
<code>iran<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/RFJ_USA\/status\/1933237876470280354\">link<\/a> <\/p><p><strong>China offers bounties for information on Taiwanese military cyber operatives<\/strong><br> On June 5, China offered cash rewards for clues leading to the arrest of 20 individuals it claims are Taiwanese military cyber operatives. It accused them of targeting Chinese sectors and collaborating with US intelligence. Taiwan rejected the claims, calling them fabricated and highlighting global concerns about Chinese cyber activities and disinformation. <code>china<\/code> <code>taiwan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.straitstimes.com\/asia\/east-asia\/chinese-authorities-issue-bounty-for-hackers-said-to-be-linked-to-taiwan\">link<\/a> <\/p><p><strong>US charges British individual behind the cybercrime identity IntelBroker<\/strong><br> On June 25, the US Department of Justice reported that they charged a British national with operating the IntelBroker online identity. According to the charges, IntelBroker infiltrated victim computer networks, stole data, sold the stolen data and caused millions of US dollars in damages to dozens of victims around the world. <code>united states<\/code> <code>charges<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/usao-sdny\/pr\/serial-hacker-intelbroker-charged-causing-25-million-damages-victims\">link<\/a> <\/p><p><strong>Interpol dismantles infostealer networks across 26 countries<\/strong><br> On June 11, Interpol announced the results of Operation Secure, a cybercrime crackdown from January to April 2025. Authorities in 26 countries dismantled infostealer infrastructure, arresting 32 suspects and seizing 41 servers. They took down over 20.000 malicious IPs\/domains and notified 216.000 victims. 
The action, supported by Group-IB, Kaspersky, and Trend Micro, disrupted major cybercrime actors, especially in Vietnam, Sri Lanka, Nauru, and Hong Kong. <code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/News-and-Events\/News\/2025\/20-000-malicious-IPs-and-domains-taken-down-in-INTERPOL-infostealer-crackdown\">link<\/a> <\/p><p><strong>AVCheck takedown disrupts key malware testing service in global cybercrime crackdown<\/strong><br> On May 27, international law enforcement seized AVCheck, a major counter-antivirus service used by cybercriminals to test and refine malware evasion, as part of Operation Endgame. The service's official domain now displays a seizure banner featuring the crests of the US Department of Justice, the FBI, the US Secret Service, and the Dutch police (Politie), highlighting its role in supporting ransomware groups and aiding stealthy cyberattacks. <code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/usao-sdtx\/pr\/websites-selling-hacking-tools-cybercriminals-seized\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage &amp; prepositioning<\/h3><p><strong>Salt Typhoon exploited a Cisco flaw to hack Canadian telecom<\/strong><br> On June\u202f23, Canada\u2019s cybersecurity agency and the FBI revealed that the Chinese group Salt\u202fTyphoon infiltrated a Canadian telecom provider in February by exploiting the unpatched Cisco IOS\u202fXE vulnerability CVE-2023-20198, enabling account creation and network snooping via GRE tunnels. Despite the flaw being disclosed in October\u202f2023, at least one major firm had not applied the patch. Authorities warn that the espionage campaign will persist and urge urgent patching of edge devices. 
<code>canada<\/code> <code>china<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/CSA\/2025\/250620.pdf\">link<\/a> <\/p><p><strong>Satellite company Viasat among the victims of China-linked Salt Typhoon\u2019s campaign<\/strong><br> On June 18, Viasat, a satellite company with a presence in Europe, confirmed that it was one of the victims of China-linked Salt Typhoon\u2019s worldwide cyberespionage operation, uncovered in 2024, which targeted several sectors, notably telecommunications. <code>china<\/code> <code>space<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.satellitetoday.com\/cybersecurity\/2025\/06\/18\/viasat-confirms-unauthorized-access-after-bloomberg-report-of-salt-typhoon-impact\/\">link<\/a> <\/p><p><strong>China-linked activity clusters PurpleHaze and ShadowPad target organisations worldwide<\/strong><br> On June 9, SentinelOne reported countering the China-linked activity clusters PurpleHaze and ShadowPad, whose activity included reconnaissance and intrusion attempts from July 2024 to March 2025. These targeted over 70 organisations, including a South Asian government and a European media outlet. The targeted sectors include manufacturing, media, cybersecurity, public administration and telecommunications. SentinelOne confirmed no compromise of its assets, highlighting the persistent interest of cyberespionage actors in cybersecurity vendors. <code>china<\/code> <code>public administration<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sentinelone.com\/labs\/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets\/\">link<\/a> <\/p><p><strong>Washington Post journalists targeted in cyberattack<\/strong><br> On June 15, The Wall Street Journal reported that the e-mail accounts of several Washington Post journalists were compromised in a cyberattack. 
The attacks targeted journalists covering national security, economic policy, and China. <code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.wsj.com\/tech\/cybersecurity\/cyberattack-on-washington-post-compromises-email-accounts-of-journalists-70bf1300\">link<\/a> <\/p><p><strong>China warns of cyberespionage targeting state and research sectors<\/strong><br> On\u202fJune\u202f4, China\u2019s Ministry of State Security (MSS) warned of three recent cyberespionage incidents targeting government agencies, research institutes, and critical infrastructure. In one case, a lab employee stored classified files on a personal device and clicked a malicious e-mail attachment, allowing foreign operatives to steal data for three months. In another, a phishing link compromised a government agency. A third attack exploited outdated office software to infiltrate a research institution. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.globaltimes.cn\/page\/202506\/1335381.shtml\">link<\/a> <\/p><p><strong>Operation DRAGONCLONE: Chinese telecommunications industry targeted via VELETRIX &amp; VShell malware<\/strong><br> On June\u202f6, Seqrite Labs, an India-based cybersecurity company, uncovered Operation\u202fDRAGONCLONE, a sophisticated cyber campaign targeting China Mobile\u202fTietong. It begins with a malicious ZIP archive that exploits DLL sideloading in Wondershare Repairit, deploying the VELETRIX loader with anti\u2011sandbox and \u201cIPFuscation\u201d techniques to launch VShell in memory. The campaign includes 44 implants, overlapping infrastructure linked to UNC5174 and Earth\u202fLamia, and employs Cobalt\u202fStrike, SuperShell, and the Asset Lighthouse System. 
<code>china<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.seqrite.com\/blog\/operation-dragonclone-chinese-telecom-veletrix-vshell-malware\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor UNC6293 leverages App-Specific Passwords to access academic e-mail accounts<\/strong><br> On June 18, The Citizen Lab and Google reported on Russia-linked threat actor UNC6293 activities targeting prominent academics and critics of Russia from at least April through early June. On May 22, UNC6293 deceived Keir Giles, a Russian information operations expert, into generating App-Specific Passwords (ASPs), bypassing Multifactor Authentication (MFA) and gaining persistent e-mail access. Google later disabled compromised accounts and linked the activity to APT29 with low confidence. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/citizenlab.ca\/2025\/06\/russian-government-linked-social-engineering-targets-app-specific-passwords\/\">link<\/a> <\/p><p><strong>Israeli government warns citizens of espionage through home security cameras<\/strong><br> On June 20, the Israel National Cyber Directorate (INCD) issued a warning to Israeli citizens regarding cyber threats to security cameras, urging users to change their access passwords. The alert emphasised that cameras that are improperly configured could present significant security risks, potentially exploited by Iran and its allies for real-time intelligence gathering. <code>israel<\/code> <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.jpost.com\/israel-news\/article-858606\">link<\/a> <\/p><p><strong>Iranian operatives impersonated i24NEWS journalist to target Israeli officers with spyware<\/strong><br> On June 23, Israeli authorities exposed an Iranian cyber operation in which operatives posed as an i24NEWS journalist to target senior Israeli officers with spyware. 
The attackers used fake e-mail addresses and attempted to lure recipients into clicking malicious links. The operation was foiled when a targeted officer reported the suspicious message to the IDF\u2019s Information Security Directorate, prompting an investigation and coordinated response. <code>iran<\/code> <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.i24news.tv\/en\/news\/israel\/defense\/artc-iranian-operatives-impersonated-i24news-journalist-to-target-israeli-officers-with-spyware#google_vignette\">link<\/a> <\/p><p><strong>North Korean Contagious Interview campaign drops 35 new malicious npm packages<\/strong><br> On June\u202f25, Socket, a US-based cybersecurity company, revealed that North Korean hackers behind the \u201cContagious Interview\u201d campaign published 35 malicious npm packages via 24 accounts, downloaded over 4\u202f000 times. These packages employ a stealth HexEval loader that fingerprints systems, delivers BeaverTail (an infostealer), InvisibleFerret backdoor, and, in one case, a cross-platform keylogger. Targets\u2014job-seeking developers\u2014are lured via fake recruiters on LinkedIn and pressured to run malware outside containers. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages\">link<\/a> <\/p><p><strong>ICC detects and contains second cyber incident in recent years<\/strong><br> On June 30, the International Criminal Court reported that it detected and contained a sophisticated cyber security incident, marking the second of its kind in recent years. The Court is conducting an impact analysis and taking mitigation steps, while urging continued support from States Parties to uphold its justice and accountability mission. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.icc-cpi.int\/news\/icc-detects-and-contains-new-sophisticated-cyber-security-incident\">link<\/a><\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Adversaries exploit PyPI and npm name confusion to deliver cross-platform malware<\/strong><br> On May 28, a security researcher from Checkmarx Zero reported a supply-chain campaign that used typosquatting and cross-ecosystem name confusion to target Python and JavaScript developers. Malicious packages mimicking Colorama and Colorizr were uploaded to PyPI, delivering malware enabling remote access, data exfiltration, and persistence on Windows and Linux systems. The packages have been removed. <code>supply-chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/checkmarx.com\/zero-post\/python-pypi-supply-chain-attack-colorama\/\">link<\/a> <\/p><p><strong>Supply-chain attack targets popular React Native accessibility packages on npm<\/strong><br> On June\u202f6, attackers compromised Gluestack\u2019s @react-native-aria npm packages\u2014UI accessibility components for React Native apps\u2014by injecting a remote-access trojan into 17 of 20 modules. The malicious code allowed shell command execution and file transfers. These packages, with over 1.020.000 weekly downloads, were widely used in mobile app development. Gluestack revoked the compromised token and deprecated the affected versions to halt the supply-chain attack. <code>supply-chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/supply-chain-attack-hits-gluestack-npm-packages-with-960k-weekly-downloads\/\">link<\/a> <\/p><p><strong>Threat actors target VPN credentials with fake SonicWall NetExtender installer<\/strong><br> On June 23, SonicWall and Microsoft reported that threat actors launched a campaign using a trojanised SonicWall NetExtender VPN client to steal credentials. 
The attackers hosted the fake installer on spoofed websites and signed it with a legitimate-looking certificate. Once installed, the malware exfiltrated VPN usernames, passwords, and domain data via HTTP. <code>supply-chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sonicwall.com\/blog\/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information\">link<\/a> <\/p><p><strong>Threat actors build signed malware via ConnectWise ScreenConnect abuse<\/strong><br> On June 23, researchers at G DATA CyberDefense revealed that since March, threat actors have abused ConnectWise ScreenConnect\u2019s signed installers to build and spread modified software with malicious functions. They exploit Authenticode stuffing to embed malicious settings, enabling fake Windows updates and hidden connections. ConnectWise\u2019s signing method lets adversaries alter behaviour without breaking the signature, which undermines detection by security software. <code>supply-chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.gdatasoftware.com\/blog\/2025\/06\/38218-connectwise-abuse-malware\">link<\/a> <\/p><p><strong>TeamFiltration A.T.O. campaign hits Microsoft cloud accounts via Teams abuse<\/strong><br> On June\u202f11, Proofpoint\u2019s Threat Research Team revealed a global account\u2011takeover campaign dubbed UNK_SneakyStrike, exploiting the pentesting framework TeamFiltration via the Microsoft Teams API and AWS servers. Attackers used automated enumeration and password spraying to hijack Microsoft Entra ID accounts, targeting over 80,000 users across nearly 100 cloud tenants before pausing operations. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/attackers-unleash-teamfiltration-account-takeover-campaign\">link<\/a> <\/p><p><strong>Cybercrime group Water Curse weaponised GitHub repositories to deliver multistage stealer<\/strong><br> On June 16, Trend Micro security researchers reported on a campaign attributed to Water Curse where the threat actor weaponised at least 76 GitHub repositories, embedding malicious payloads into legitimate-looking dev tools. Payloads, hidden in Visual Studio build scripts, conduct multi-stage infection using VBS, PowerShell, and obfuscated binaries to steal credentials, browser\/session data, establish persistence, and exfiltrate information. <code>supply-chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/f\/water-curse.html\">link<\/a> <\/p><p><strong>FBI warns Play ransomware has hit 900 victims and remains a major threat to critical infrastructure<\/strong><br> On June 4, the FBI, in an updated joint advisory with CISA and the Australian Cyber Security Centre, revealed that the Play ransomware group had breached around 900 organisations globally by May 2025, triple the number reported in 2023. The threat actor, active since 2022, has increasingly targeted critical infrastructure using recompiled malware and novel exploits, pressuring victims with stolen data and phone threats to pay ransoms. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-352a\">link<\/a> <\/p><p><strong>Millions of off-brand IoT devices infected by BadBox 2.0 botnet<\/strong><br> On June 5, the FBI revealed that BadBox 2.0 has compromised millions of China-made IoT devices, gaining access either pre-purchase or via backdoored apps during setup. These devices, used as residential proxies, enable cybercrime activity. 
Indicators include non-certified Android devices, suspicious app stores, and unusual traffic. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250605\">link<\/a> <\/p><p><strong>Fake AI tool installers spread CyberLock and other malware<\/strong><br> On May 29, Cisco Talos revealed that threat actors are using fake AI tool installers to spread malware, including CyberLock ransomware, Lucky_Gh0$t, and the destructive Numero malware, targeting businesses in sales, tech, and marketing. Distributed via SEO poisoning and social platforms, these malicious installers impersonate tools like ChatGPT and InVideo AI, encrypting or damaging files while exploiting trust in widely adopted AI solutions for automation and customer engagement. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/fake-ai-tool-installers\/\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Repackaged leak exposes billions of old stolen credentials online<\/strong><br> On June 23, CyberNews revealed that a massive compilation of around 16 billion login credentials \u2014 drawn from 30 different datasets \u2014 was briefly exposed online. These credentials, covering platforms like Google, Apple, Facebook, Telegram, and government services, were harvested not via hacking but through infostealer malware. This isn't a new breach\u2014just a repackaged database of old credentials stolen via infostealers, past breaches, and credential stuffing, now exposed online. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybernews.com\/security\/billions-credentials-exposed-infostealers-data-leak\/\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>Fake messages urging Israelis to avoid going into shelters<\/strong><br> On June 16, the Israeli Cyber Authority warned the population of fake messages being sent in the name of the Home Front, allegedly urging Israelis to avoid going to shelters due to alerts of terror attacks. <code>iran<\/code> <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.timesofisrael.com\/liveblog_entry\/cyber-authority-warns-against-fake-messages-urging-israelis-to-avoid-going-into-shelters\/\">link<\/a> <\/p><p><strong>Argentina government investigates network of Russian agents it accuses of promoting disinformation campaigns<\/strong><br> On June 18, Argentine intelligence (SIDE) uncovered a network of five Russian-linked residents tied to \u201cLa Compa\u00f1\u00eda\u201d and Project Lakhta\u2014echoing Prigozhin\u2019s Kremlin-backed disinformation operations. Cyber efforts included creating and spreading content on social media, influencing NGOs and focus groups, and collecting political intelligence via digital channels. The goal: orchestrate online campaigns to manipulate public opinion in favor of Russian geopolitical interests. 
<code>argentina<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lanacion.com.ar\/politica\/el-gobierno-investiga-una-red-de-espias-rusos-a-los-que-acusa-de-impulsar-campanas-de-desinformacion-nid18062025\/\">link<\/a> <\/p><h3 id=\"disruption-destruction-2\">Disruption &amp; destruction<\/h3><p><strong>Cloudflare blocked record 7.3 Tbps DDoS attack with autonomous mitigation<\/strong><br> On June\u202f19, Cloudflare revealed it had autonomously blocked the largest DDoS attack ever recorded\u2014an astonishing 7.3\u202fTbps in mid\u2011May\u2014targeted at a hosting provider using Magic Transit. The attack unleashed 37.4\u202fTB in just 45\u202fseconds via over 20,000 UDP ports per second and multiple reflection\/amplification techniques. Cloudflare\u2019s eBPF\u2011driven detection rules were applied seamlessly across its global network, requiring no human intervention. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.cloudflare.com\/defending-the-internet-how-cloudflare-blocked-a-monumental-7-3-tbps-ddos\/\">link<\/a> <\/p><p><strong>Iran shuts down internet as Israeli strikes continue<\/strong><br> On June 18, a near-total internet blackout in Iran cut connectivity to just 3\u202f%, severely limiting external communication amid ongoing Israeli strikes. The shutdown, likely ordered by Iranian authorities, followed warnings of a planned disconnection. Officials cited concerns over Israeli cyberattacks and covert activity. Since the blackout, phone access has been strained, news updates halted, and vital alerts, such as evacuation notices, may be unreachable for many residents. <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/mastodon.social\/@netblocks\">link<\/a> <\/p><p><strong>Iran imposes internet restrictions following Israel's attack on the country<\/strong><br> On June 13, internet users in Iran reported network disruptions relating to the internet and communications applications. 
The Islamic Revolutionary Guard Corps asked the population to refrain from transferring information on foreign messaging apps, namely WhatsApp and Instagram. According to the Ministry of Communication, this is in light of Israel's attack on the same day. <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.tasnimnews.com\/fa\/news\/1404\/03\/23\/3334504\/%D9%88%D8%B2%D8%A7%D8%B1%D8%AA-%D8%A7%D8%B1%D8%AA%D8%A8%D8%A7%D8%B7%D8%A7%D8%AA-%D9%85%D8%AD%D8%AF%D9%88%D8%AF%DB%8C%D8%AA-%D9%87%D8%A7%DB%8C-%D8%A7%DB%8C%D9%86%D8%AA%D8%B1%D9%86%D8%AA-%DA%A9%D8%B4%D9%88%D8%B1-%D9%85%D9%88%D9%82%D8%AA%DB%8C-%D8%A7%D8%B3%D8%AA\">link<\/a> <\/p><p><strong>Solar storms accelerate Starlink satellite reentry, raising operational and security concerns<\/strong><br> From May 31 to June 2, severe solar storms increased atmospheric drag on Starlink satellites, accelerating their reentry and raising concerns over satellite lifespan, debris, and operational reliability. NASA researchers warned this issue, intensified by the ongoing solar maximum and Starlink\u2019s vast LEO constellation, could disrupt telecommunication services globally and complicate future satellite operations, particularly as Starlink expands amid geopolitical scrutiny over its use in tariff-affected nations. <code>space<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.the-independent.com\/space\/starlink-satellites-elon-musk-space-b2759288.html\">link<\/a> <\/p><p><strong>Destructive npm packages disguised as health monitoring utilities enable remote system wipe<\/strong><br> On\u202fJune\u202f5, Socket uncovered two malicious npm packages\u2014express-api-sync and system-health-sync-api\u2014posing as backend utilities for API syncing and system health monitoring. Instead, they enabled full system wipes via hidden HTTP endpoints. 
One deleted files with the key \u201cDEFAULT_123,\u201d the other after collecting system info and receiving the \u201cHelloWorld\u201d secret. Both exploited trust in common developer tools to deploy destructive payloads. <code>supply-chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/destructive-npm-packages-enable-remote-system-wipe\">link<\/a> <\/p><h3 id=\"hacktivism-2\">Hacktivism<\/h3><p><strong>Israeli-linked supposed hacktivist claims to have breached an Iranian cryptocurrency platform<\/strong><br> On June 18, an Israel-linked supposed hacktivist named Predatory Sparrow claimed to have stolen and burned over 90 million US dollars in cryptocurrency from Iran\u2019s largest cryptocurrency exchange platform, Nobitex. They warned they would also release Nobitex\u2019s source code. <code>iran<\/code> <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto\/\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. 
They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\"><h2 id=\"cyber-brief-june-2025\">Cyber Brief (June 2025)<\/h2><p>1 July 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 277 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p>Regarding <strong>cyber policy and law enforcement<\/strong>, the EU adopted a blueprint to better manage European cyber crises. The US warned of Iranian cyber threats to US critical infrastructure and is preparing to ban federal agencies from using AI tools from \u201cforeign adversaries\u201d. BreachForums operators were arrested in France.<\/p><\/li><li><p>On the <strong>cyberespionage<\/strong> front, in Europe, a Dutch minister warned of growing Chinese espionage in high-tech sectors, and Paragon Graphite spyware targeted journalists. Elsewhere, a Canadian telecommunications provider and the satellite company Viasat disclosed they had been hacked by Salt Typhoon; a Russia-linked threat actor targeted prominent academics, while North Korea-linked Contagious Interview continued to target developers with supply-chain attacks. 
Related to the Israel\/Iran war, Iranian operatives impersonated a journalist to target Israeli officers with spyware.<\/p><\/li><li><p>Regarding <strong>cybercrime<\/strong>, several supply-chain attacks targeted developers using npm packages, while threat actors targeted SonicWall and ConnectWise products, likewise in supply-chain attacks.<\/p><\/li><li><p>There were <strong>disruptive<\/strong> incidents: Iran shut down the internet amid Israeli strikes, and a likely Iranian wiper was observed in Albania.<\/p><\/li><li><p>Regarding <strong>data exposure and leak<\/strong> incidents, a repackaged leak, drawn from 30 different datasets, exposed billions of old stolen credentials online.<\/p><\/li><li><p>Regarding <strong>information operations<\/strong>, a pro-Russia disinformation campaign targeted Moldova using fake Euronews accounts, while Israel warned of fake messages urging Israelis to avoid going into shelters.<\/p><\/li><li><p>On the <strong>hacktivism<\/strong> front, NoName057(16) targeted the NATO Summit with DDoS attacks and hinted at Dutch railway sabotage, while an Israel-linked supposed hacktivist claimed to have breached an Iranian cryptocurrency platform.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>EU adopts blueprint to better manage European cyber crises and incidents<\/strong><br>On June 6, the EU adopted a new blueprint to improve the management of large-scale cyber crises. It defines the roles of member states in detection, response and recovery, strengthens cooperation at the technical and political level, and integrates recent laws such as NIS2. The framework also promotes civil-military cooperation and coordination with NATO to boost Europe\u2019s cyber resilience. <code>policy<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.consilium.europa.eu\/en\/press\/press-releases\/2025\/06\/06\/eu-adopts-blueprint-to-better-manage-european-cyber-crises-and-incidents\/\">link<\/a><\/p><p><strong>UK Strategic Defence Review 2025: enhancing offensive cyber capabilities and NATO integration<\/strong><br>On June 2, the UK Ministry of Defence published its Strategic Defence Review, outlining key changes such as new cyber investments, the launch of a Cyber and Electromagnetic (CyberEM) Command by the end of 2025, and deeper cyber integration with NATO. The Defence Secretary emphasised a proactive posture, including offensive cyber operations targeting Russia and China. <code>offensive capabilities<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/assets.publishing.service.gov.uk\/media\/683d89f181deb72cce2680a5\/The_Strategic_Defence_Review_2025_-_Making_Britain_Safer_-_secure_at_home__strong_abroad.pdf\">link<\/a><\/p><p><strong>BreachForums operators arrested in France in major cybercrime raid<\/strong><br>On June 25, Le Parisien reported that French police arrested five operators of the BreachForums cybercrime forum. 
Simultaneous raids in Hauts-de-Seine, Seine-Maritime and R&eacute;union netted \u201cShinyHunters\u201d, \u201cHollow\u201d, \u201cNoct\u201d and \u201cDepressed\u201d, while IntelBroker had been arrested earlier, in February 2025. The forum was used to trade stolen data and breach corporate systems, including France\u2019s national unemployment agency, affecting unemployed people. <code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.leparisien.fr\/high-tech\/la-police-interpelle-cinq-hackers-francais-de-haut-vol-derriere-un-celebre-forum-de-vol-de-donnees-25-06-2025-QJTPFTDPQZAP7B25MF24YLHU6E.php\">link<\/a><\/p><h3 id=\"cyberespionage-prepositioning\">Cyberespionage and prepositioning<\/h3><p><strong>Dutch minister warns of growing Chinese espionage in high-tech sectors<\/strong><br>On May 31, the Dutch Minister of Defence warned that Chinese cyber espionage targeting Dutch industries, particularly the semiconductor sector, is intensifying, with intellectual property theft as the main motive. 
He cited intelligence reports identifying China as the main cyber threat to the Netherlands and stressed the need to reduce European dependence on China for critical raw materials, as Beijing increasingly leverages its economic position for geopolitical influence and pressure. <code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/business\/aerospace-defense\/chinese-spying-dutch-industries-intensifying-dutch-defence-minister-2025-05-31\/\">link<\/a><\/p><p><strong>APT28 targeted a Ukrainian government agency with the Beardshell backdoor and Covenant framework<\/strong><br>On June 21, CERT-UA reported on Russia-linked APT28 compromising a Ukrainian government body with the Beardshell backdoor. The threat actor sent the target a Signal message with a <code>.doc<\/code> file containing a macro. 
When activated, the macro triggered a complex infection chain, installing the Covenant framework in memory, which was then used to launch the backdoor, with the Icedrive and Koofr cloud storage services serving as control channels. <code>public administration<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cert.gov.ua\/article\/6284080\">link<\/a> <\/p><p><strong>Ukraine says it breached Russian warplane maker Tupolev, exposing strategic aviation data<\/strong><br>On June 4, Ukraine\u2019s military intelligence service (HUR) claimed to have hacked Russian warplane manufacturer Tupolev, stealing 4.4 GB of sensitive data, including personnel records, internal communications and design documents. HUR said the breach, part of broader cyber operations targeting Russia\u2019s defence sector, exposed critical details of Russia\u2019s strategic aviation programmes and followed the defacement of Tupolev\u2019s website and earlier cyberattacks on several Russian government agencies and military-linked organisations. <code>defence<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.kyivpost.com\/post\/53946\">link<\/a> <\/p><p><strong>UNC1151 targets Polish users via Roundcube exploitation in credential theft campaign<\/strong><br>On June 5, CERT Polska reported that the pro-Belarus group UNC1151 exploited the Roundcube vulnerability CVE-2024-42009 in a spearphishing campaign targeting Polish entities to steal user credentials using malicious JavaScript and Service Workers. 
Although no exploitation of a recently discovered Roundcube vulnerability (CVE-2025-49113) was observed, its potential use in future attacks heightens concerns about full server compromise through credential theft and phishing. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cert.pl\/en\/posts\/2025\/06\/unc1151-campaign-roundcube\/\">link<\/a> <\/p><p><strong>Possible iPhone spyware campaign detected targeting high-profile users in the US and EU<\/strong><br>On June 5, iVerify reported possible evidence of an iPhone spyware campaign targeting individuals in the US and EU, including government officials, political campaign members and media staff, through a now-patched iOS \u201cNickname\u201d bug. While Apple denies any active exploitation, iVerify points to circumstantial signs, such as device crashes and Apple threat alerts, as warranting further investigation into potential high-level targeting linked to previous Chinese surveillance activity. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.axios.com\/2025\/06\/05\/spyware-iphones-apple-iverify\">link<\/a> <\/p><p><strong>Paragon Graphite spyware targets journalists via zero-click iOS exploit<\/strong><br>On June 12, The Citizen Lab reported forensic confirmation that Italian journalist Ciro Pellegrino and a prominent European journalist were targeted with Paragon Graphite spyware through a zero-click iMessage exploit, CVE-2025-43200. Both cases are linked to the same threat actor. 
The findings highlight a broader cyberespionage effort against <code>Fanpage[.]it<\/code> and continued threats to journalists in Europe. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/citizenlab.ca\/2025\/06\/first-forensic-confirmation-of-paragons-ios-mercenary-spyware-finds-journalists-targeted\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><h3 id=\"disruption-destruction\">Disruption &amp; destruction<\/h3><p><strong>Swedish public broadcaster SVT targeted by DDoS attacks<\/strong><br>Between June 8 and June 11, an unknown threat actor launched DDoS attacks against the Swedish public television company SVT, causing temporary periods of disruption. This follows earlier temporary disruptions of other widely used digital services, such as eID and money transfer apps. Swedish Prime Minister Kristersson acknowledged the ongoing cyber threats targeting both state entities and critical firms. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/swedenherald.com\/article\/svt-and-swedish-parliament-websites-hit-by-overload-attacks\">link<\/a> <\/p><p><strong>Likely Iranian wiper observed targeting Albania<\/strong><br>On June 20, Symantec reported a wiper attack targeting organisations in Albania by the Iranian group Druidfly. The Iranian cyber group Druidfly is known for its destructive attacks and espionage operations. Druidfly targets countries hostile to Iran, including Albania and Israel. 
The group uses social engineering tactics, custom backdoors and ransomware such as DarkBit, which often serves as cover for its destructive attacks. <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/threatintel\/status\/1936049254432231444\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Pro-Russian disinformation targets Moldova using fake Euronews accounts<\/strong><br>On June 3, Euronews reported a coordinated disinformation campaign by pro-Russian threat actors using AI-generated profiles to impersonate its staff on TikTok and X, spreading fake videos claiming crime and instability in Moldova. Aimed at EU, NATO and Ukrainian audiences, the operation mirrors tactics linked to \u201cOperation Overload\u201d, with content aligned with Russia\u2019s influence goals and intended to undermine Western alliances. Euronews is actively removing the fake material. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.euronews.com\/my-europe\/2025\/06\/03\/euronews-targeted-by-anti-moldova-disinformation-campaign\">link<\/a> <\/p><p><strong>Israel uses paid YouTube ads to justify its actions in Iran<\/strong><br>On June 18, an online news channel reported that YouTube users are consistently seeing Israeli propaganda ads justifying its air strikes on Iran. They appear to target European countries, namely Germany, Italy, France and the United Kingdom. 
Similar reports have been made since October 2023 regarding Israel\u2019s justification of its attacks on Gaza. <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.fudzilla.com\/news\/61216-iran-shores-up-cyber-defences\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>NoName057(16) targets NATO Summit with DDoS attacks and hints at Dutch railway sabotage<\/strong><br>Between June 23 and 24, the pro-Russian hacktivist group NoName057(16) launched DDoS attacks on Dutch and NATO websites, coinciding with the 2025 NATO summit. On June 24, they hinted at involvement in a Dutch train cable outage, suggesting it could be \u201cblamed\u201d on them and the DDoSia project. The Dutch Ministry of Justice reported that the incident - a fire that damaged about 30 cables - may be linked to sabotage. <code>russia<\/code> <\/p><p><strong>Killnet claims breach of Ukrainian airspace app following major drone attack<\/strong><br>On June 2, Killnet claimed responsibility for breaching a Ukrainian airspace monitoring app and launched a Telegram channel sharing drone firmware, likely in response to Ukraine\u2019s \u201cOperation Spiderweb\u201d of June 1, which damaged dozens of Russian military aircraft. 
Since re-emerging in May 2025, Killnet has stepped up its efforts to regain notoriety by targeting Ukraine\u2019s drone operations, although the real impact of its claimed hacks remains unclear. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/t.me\/WeAreKillnet_Channel\/16\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>US bill seeks to ban federal agencies from using DeepSeek and other AI tools from \u201cforeign adversaries\u201d<\/strong><br>On June 26, Senators Rick Scott and Gary Peters introduced the bipartisan No Adversarial AI Act, banning federal agencies from using AI tools from \u201cforeign adversaries\u201d \u2013 China, Russia, Iran and North Korea \u2013 specifically citing concerns about China\u2019s DeepSeek, which may feed data to military\/intelligence sectors. The bill mandates a Federal Acquisition Security Council register updated every 180 days and allows limited exemptions for verified research and testing. <code>ban<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/bipartisan-bill-ban-deepseek-federal\">link<\/a> <\/p><p><strong>WhatsApp banned on US House staff devices<\/strong><br>On June 23, Axios reported that WhatsApp was banned from use on government devices among House congressional staff. 
The ban responds to cybersecurity concerns for users, due to a lack of transparency in how the app protects user data, the absence of encryption for stored data, and the potential security risks involved in its use. <code>ban<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.axios.com\/2025\/06\/23\/whatsapp-house-congress-staffers-messaging-app\">link<\/a> <\/p><p><strong>US agencies warn of Iranian cyber threats to US critical infrastructure<\/strong><br>On June 30, US agencies jointly issued a warning that Iranian-affiliated hackers and hacktivist groups may conduct malicious cyber activity \u2013 despite a declared ceasefire and ongoing negotiations for a permanent solution. 
They highlighted risks to critical infrastructure, including energy, water, healthcare, transport and defence networks, referencing previous intrusions such as the 2023 breach of a Pennsylvania water facility.<code>united states<\/code> <code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/sites\/default\/files\/2025-06\/joint-fact-sheet-Iranian-cyber-actors-may-target-vulnerable-US-networks-and-entities-of-interest-508c-1.pdf\">link<\/a><\/p><p><strong>ISACs warn US critical sectors of possible Iranian cyberattacks amid Israel tensions<\/strong><br>On 17 June, US critical infrastructure providers &ndash; particularly in energy, water, transport, communications, food and agriculture, and IT &ndash; were urged to strengthen their cybersecurity amid escalating Iran-Israel tensions. 
Food and Ag&#8209;ISAC and IT&#8209;ISAC issued joint alerts warning of potential spillover from Iranian cyber operations targeting Israel, while the electricity, aviation, financial services and water ISACs also heightened their vigilance.<code>iran<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.com\/news\/2025\/06\/17\/us-critical-networks-iran-israel-cyber-attack-00411799\">link<\/a> <\/p><p><strong>US offers reward for information on Iran-linked Cyber Av3ngers<\/strong><br>Cyber Av3ngers, a threat actor known for targeting Israeli-made ICS and IoT devices, has increased its social media activity following the recent Israel-Iran kinetic activity. On 12 June, the US State Department's Rewards for Justice offered US$10 million for information on Cyber Av3ngers, Mr Soul or affiliates. The US government links the group to Iran's IRGC-CEC and attributes cyberattacks on US critical infrastructure to the threat actor.<code>iran<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/RFJ_USA\/status\/1933237876470280354\">link<\/a> <\/p><p><strong>China offers rewards for information on Taiwanese military cyber operatives<\/strong><br>On 5 June, China offered cash rewards for tips leading to the arrest of 20 people it claims are Taiwanese military cyber operatives. It accused them of targeting Chinese sectors and of collaborating with US intelligence services. 
Taiwan rejected the claims, calling them fabricated and highlighting global concerns about Chinese cyber activities and disinformation.<code>China<\/code> <code>Taiwan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.straitstimes.com\/asia\/east-asia\/chinese-authorities-issue-bounty-for-hackers-said-to-be-linked-to-taiwan\">link<\/a> <\/p><p><strong>US charges British national behind the IntelBroker cybercrime persona<\/strong><br>On 25 June, the US Department of Justice reported that it had charged a British national with operating the IntelBroker online persona. According to the charges, IntelBroker infiltrated victims' computer networks, stole data, sold the stolen data and caused millions of dollars in damage to dozens of victims worldwide.<code>united states<\/code> <code>charges<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/usao-sdny\/pr\/serial-hacker-intelbroker-charged-causing-25-million-damages-victims\">link<\/a> <\/p><p><strong>Interpol dismantles infostealer networks across 26 countries<\/strong><br>On 11 June, Interpol announced the results of Operation Secure, a cybercrime crackdown that ran from January to April 2025. Authorities in 26 countries dismantled infostealer infrastructure, arresting 32 suspects and seizing 41 servers. They took down more than 20,000 malicious IPs\/domains and notified 216,000 victims. 
The action, supported by Group-IB, Kaspersky and Trend Micro, disrupted major cybercrime actors, notably in Vietnam, Sri Lanka, Nauru and Hong Kong.<code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.interpol.int\/News-and-Events\/News\/2025\/20-000-malicious-IPs-and-domains-taken-down-in-INTERPOL-infostealer-crackdown\">link<\/a> <\/p><p><strong>AVCheck takedown disrupts key malware-testing service in global cybercrime crackdown<\/strong><br>On 27 May, international law enforcement seized AVCheck, a major antivirus-checking service used by cybercriminals to test and refine malware evasion, as part of Operation Endgame. AVCheck's official service domain now displays a seizure banner bearing the seals of the US Department of Justice, the FBI, the US Secret Service and the Dutch police (Politie), underscoring its role in supporting ransomware groups and enabling stealthy cyberattacks.<code>takedown<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/usao-sdtx\/pr\/websites-selling-hacking-tools-cybercriminals-seized\">link<\/a> <\/p><h3 id=\"cyberespionage-prepositioning-2\">Cyberespionage and prepositioning<\/h3><p><strong>Salt Typhoon exploited a Cisco flaw to hack Canadian telecoms<\/strong><br>On 23 June, Canada's cybersecurity agency and the FBI revealed that the Chinese group Salt Typhoon infiltrated a Canadian telecommunications provider in February by exploiting the unpatched Cisco IOS XE vulnerability CVE-2023-20198, enabling account creation and network snooping through 
GRE tunnels. Although the flaw was disclosed in October 2023, at least one major firm had not applied the patch. Authorities warn that the espionage campaign will persist and urge urgent patching of edge devices.<code>canada<\/code> <code>China<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/CSA\/2025\/250620.pdf\">link<\/a> <\/p><p><strong>Satellite company Viasat among victims of the China-linked Salt Typhoon campaign<\/strong><br>On 18 June, Viasat, a satellite company with a presence in Europe, confirmed that it was one of the victims of the China-linked Salt Typhoon cyberespionage operation, discovered in 2024, which targets multiple sectors worldwide, notably telecommunications.<code>China<\/code> <code>space<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.satellitetoday.com\/cybersecurity\/2025\/06\/18\/viasat-confirms-unauthorized-access-after-bloomberg-report-of-salt-typhoon-impact\/\">link<\/a> <\/p><p><strong>China-linked activity clusters PurpleHaze and ShadowPad target organisations worldwide<\/strong><br>On 9 June, SentinelOne reported that it had countered the China-linked PurpleHaze and ShadowPad activity clusters, whose reconnaissance and intrusion attempts ran from July 2024 to March 2025. They targeted more than 70 organisations, including a South Asian government and a European media outlet. Targeted sectors include manufacturing, media, cybersecurity, public administration and telecommunications. 
SentinelOne confirmed that its own assets were not compromised, highlighting cyberespionage actors' persistent interest in cybersecurity vendors.<code>China<\/code> <code>public administration<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sentinelone.com\/labs\/follow-the-smoke-china-nexus-threat-actors-hammer-at-the-doors-of-top-tier-targets\/\">link<\/a> <\/p><p><strong>Washington Post journalists targeted by cyberattacks<\/strong><br>On 15 June, The Wall Street Journal reported that the email accounts of several Washington Post journalists were compromised in a cyberattack. The targeted attacks were directed at journalists covering national security and economic policy, as well as China.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.wsj.com\/tech\/cybersecurity\/cyberattack-on-washington-post-compromises-email-accounts-of-journalists-70bf1300\">link<\/a> <\/p><p><strong>China warns of cyberespionage targeting state and research sectors<\/strong><br>On 4 June, China's Ministry of State Security (MSS) warned of three recent cyberespionage incidents targeting government agencies, research institutes and critical infrastructure. In one case, a laboratory employee stored classified files on a personal device and clicked on a malicious email attachment, allowing foreign agents to steal data for three months. In another, a phishing link compromised a government agency. 
A third attack exploited outdated office software to infiltrate a research institution.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.globaltimes.cn\/page\/202506\/1335381.shtml\">link<\/a> <\/p><p><strong>Operation DRAGONCLONE: Chinese telecom industry targeted via VELETRIX and VShell malware<\/strong><br>On 6 June, Seqrite Labs, an Indian cybersecurity company, disclosed Operation DRAGONCLONE, a sophisticated cyber campaign targeting China Mobile Tietong. It begins with a malicious ZIP that exploits DLL side-loading in Wondershare Repairit, deploying the VELETRIX loader with anti-sandbox techniques and &ldquo;IPFuscation&rdquo; to launch VShell in memory. The campaign includes 44 implants and overlapping infrastructure linked to UNC5174 and Earth Lamia, and uses Cobalt Strike, SuperShell and Asset Lighthouse System.<code>China<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.seqrite.com\/blog\/operation-dragonclone-chinese-telecom-veletrix-vshell-malware\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor UNC6293 uses app-specific passwords to access academic email accounts<\/strong><br>On 18 June, The Citizen Lab and Google reported on the activities of the Russia-linked threat actor UNC6293, which targeted prominent academics and critics of Russia from at least April to early June. 
On 22 May, UNC6293 tricked Keir Giles, an expert on Russian information operations, into generating app-specific passwords (ASPs), bypassing multi-factor authentication (MFA) and gaining persistent access to his email. Google subsequently disabled the compromised accounts and linked the activity to APT29 with low confidence.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/citizenlab.ca\/2025\/06\/russian-government-linked-social-engineering-targets-app-specific-passwords\/\">link<\/a> <\/p><p><strong>Israeli government warns citizens of espionage via home security cameras<\/strong><br>On 20 June, the Israel National Cyber Directorate (INCD) issued a warning to Israeli citizens about cyber threats to security cameras, urging users to change their access passwords. The alert stressed that incorrectly configured cameras could pose significant security risks, potentially exploited by Iran and its allies for real-time intelligence gathering.<code>Israel<\/code> <code>Iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.jpost.com\/israel-news\/article-858606\">link<\/a> <\/p><p><strong>Iranian operatives impersonated an i24NEWS journalist to target Israeli officers with spyware<\/strong><br>On 23 June, Israeli authorities revealed an Iranian cyber operation in which operatives posed as an i24NEWS journalist to target senior Israeli officers with spyware. 
The attackers used fake email addresses and attempted to lure recipients into clicking malicious links. The operation was thwarted when a targeted officer reported the suspicious message to the IDF Information Security Directorate, prompting an investigation and a coordinated response.<code>iran<\/code> <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.i24news.tv\/en\/news\/israel\/defense\/artc-iranian-operatives-impersonated-i24news-journalist-to-target-israeli-officers-with-spyware#google_vignette\">link<\/a> <\/p><p><strong>North Korean Contagious Interview campaign drops 35 new malicious npm packages<\/strong><br>On 25 June, Socket, a US cybersecurity company, disclosed that the North Korean hackers behind the &ldquo;Contagious Interview&rdquo; campaign had published 35 malicious npm packages via 24 accounts, downloaded more than 4,000 times. These packages use a hidden HexEval loader that fingerprints systems and delivers BeaverTail (an infostealer), the InvisibleFerret backdoor and, in one case, a cross-platform keylogger. 
The targets &ndash; job-seeking developers &ndash; are lured by fake recruiters on LinkedIn and pressured to run the malware outside of containers.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/north-korean-contagious-interview-campaign-drops-35-new-malicious-npm-packages\">link<\/a> <\/p><p><strong>ICC detects and contains second cyber incident in recent years<\/strong><br>On 30 June, the International Criminal Court reported that it had detected and contained a sophisticated cybersecurity incident, the second of its kind in recent years. The Court is conducting an impact analysis and taking mitigation measures, while urging continued support from States Parties to sustain its mission of justice and accountability.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.icc-cpi.int\/news\/icc-detects-and-contains-new-sophisticated-cyber-security-incident\">Link<\/a><\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Adversaries exploit PyPI and npm name confusion to deliver cross-platform malware<\/strong><br>On 28 May, a security researcher at Checkmarx Zero reported a supply chain campaign that used typosquatting and cross-ecosystem name confusion to target Python and JavaScript developers. Malicious packages imitating Colorama and Colorizr were uploaded to PyPI, delivering malware that enables remote access, data exfiltration and persistence on Windows and Linux systems. 
The packages have been removed.<code>supply chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/checkmarx.com\/zero-post\/python-pypi-supply-chain-attack-colorama\/\">link<\/a> <\/p><p><strong>Supply chain attack targets popular React Native accessibility packages on npm<\/strong><br>On 6 June, attackers compromised Gluestack's @react-native-aria npm packages &mdash; UI accessibility components for React Native apps &mdash; by injecting a remote access trojan into 17 of 20 modules. The malicious code enabled shell command execution and file transfers. These packages, with more than 1,020,000 weekly downloads, were widely used in mobile app development. Gluestack revoked the compromised token and deprecated the affected versions to halt the supply chain attack.<code>supply chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/supply-chain-attack-hits-gluestack-npm-packages-with-960k-weekly-downloads\/\">link<\/a> <\/p><p><strong>Threat actors target VPN credentials with fake SonicWall NetExtender installer<\/strong><br>On 23 June, SonicWall and Microsoft reported that threat actors had launched a campaign using a trojanised SonicWall NetExtender VPN client to steal credentials. The attackers hosted the fake installer on spoofed websites and signed it with a legitimate-looking certificate. 
Once installed, the malware exfiltrated VPN usernames, passwords and domain data over HTTP.<code>supply chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sonicwall.com\/blog\/threat-actors-modify-and-re-create-commercial-software-to-steal-users-information\">link<\/a> <\/p><p><strong>Threat actors build signed malware by abusing ConnectWise ScreenConnect<\/strong><br>On 23 June, researchers at G DATA CyberDefense revealed that since March, threat actors have abused signed ConnectWise ScreenConnect installers to build and spread modified software with malicious functions. They exploit Authenticode stuffing to embed malicious settings, enabling fake Windows updates and hidden connections. ConnectWise's signing method lets adversaries alter the software's behaviour without breaking the signature, which undermines detection by security software.<code>supply chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.gdatasoftware.com\/blog\/2025\/06\/38218-connectwise-abuse-malware\">link<\/a> <\/p><p><strong>TeamFiltration ATO campaign hits Microsoft cloud accounts via Teams abuse<\/strong><br>On 11 June, Proofpoint's threat research team disclosed a global account takeover campaign dubbed UNK_SneakyStrike, which exploits the TeamFiltration testing framework via the Microsoft Teams API and AWS servers. 
The attackers used automated enumeration and password spraying to hijack Microsoft Entra ID accounts, targeting more than 80,000 users across nearly 100 cloud tenants before halting operations.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/attackers-unleash-teamfiltration-account-takeover-campaign\">link<\/a> <\/p><p><strong>Water Curse cybercrime group weaponised GitHub repositories to deliver a multi-stage stealer<\/strong><br>On 16 June, Trend Micro security researchers reported on a campaign attributed to Water Curse in which the threat actor weaponised at least 76 GitHub repositories, embedding malicious payloads in legitimate-looking developer tools. The payloads, hidden in Visual Studio build scripts, carry out multi-stage infections using VBS, PowerShell and obfuscated binaries to steal credentials and browser\/session data, establish persistence and exfiltrate information.<code>supply chain attack<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/f\/water-curse.html\">link<\/a> <\/p><p><strong>FBI warns Play ransomware has hit 900 victims and remains a major threat to critical infrastructure<\/strong><br>On 4 June, the FBI, in an updated joint advisory with CISA and the Australian Cyber Security Centre, disclosed that the Play ransomware group had breached approximately 900 organisations globally as of May 2025, triple the number reported in 2023. 
The threat actor, active since 2022, has increasingly targeted critical infrastructure, exploiting vulnerabilities, stealing victim data and threatening victims by phone to pressure them into paying ransoms.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-352a\">link<\/a> <\/p><p><strong>Millions of off-brand IoT devices infected by the BadBox 2.0 botnet<\/strong><br>On 5 June, the FBI revealed that BadBox 2.0 has compromised millions of Chinese-manufactured IoT devices, gaining access either pre-purchase or via backdoored apps during setup. These devices, used as residential proxies, enable cybercriminal activity. Indicators include uncertified Android devices, suspicious app stores and unusual traffic.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250605\">link<\/a> <\/p><p><strong>Fake AI tool installers spread CyberLock and other malware<\/strong><br>On 29 May, Cisco Talos revealed that threat actors are using fake AI tool installers to spread malware, including the CyberLock and Lucky_Gh0$t ransomware and the destructive Numero malware, targeting companies in sales, technology and marketing. 
Distributed via SEO poisoning and social platforms, these malicious installers impersonate tools such as ChatGPT and InVideo AI, encrypting or damaging files while exploiting trust in widely adopted AI solutions for automation and customer engagement.<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/fake-ai-tool-installers\/\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Repackaged leak exposes billions of old stolen credentials online<\/strong><br>On 23 June, CyberNews revealed that a massive compilation of approximately 16 billion login records &ndash; drawn from 30 different datasets &ndash; was briefly exposed online. These credentials, covering platforms such as Google, Apple, Facebook, Telegram and government services, were harvested not through hacking but through infostealer malware. 
This is not a new breach but merely a repackaged database of old credentials stolen through infostealers, previous breaches and credential stuffing, now exposed online.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cybernews.com\/security\/billions-credentials-exposed-infostealers-data-leak\/\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>Fake messages urge Israelis to avoid entering shelters<\/strong><br>On 16 June, the Israeli Cyber Authority warned the population about fake messages sent in the name of the Home Front Command, urging Israelis to avoid going to shelters during terror attack alerts.<code>iran<\/code> <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.timesofisrael.com\/liveblog_entry\/cyber-authority-warns-against-fake-messages-urging-israelis-to-avoid-going-into-shelters\/\">link<\/a> <\/p><p><strong>Argentine government investigates network of Russian agents it accuses of promoting disinformation campaigns<\/strong><br>On 18 June, Argentina's intelligence service (SIDE) uncovered a network of five Russian-linked residents tied to &ldquo;La Compa&ntilde;&iacute;a&rdquo; and Project Lakhta &ndash; echoing Prigozhin's Kremlin-backed disinformation operations. Their cyber efforts included creating and spreading social media content, influencing NGOs and focus groups, and gathering political intelligence through digital channels. 
The goal: orchestrating online campaigns to manipulate public opinion in favour of Russian geopolitical interests.<code>argentina<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lanacion.com.ar\/politica\/el-gobierno-investiga-una-red-de-espias-rusos-a-los-que-acusa-de-impulsar-campanas-de-desinformacion-nid18062025\/\">link<\/a> <\/p><h3 id=\"disruption-destruction-2\">Disruption and destruction<\/h3><p><strong>Cloudflare blocked a record 7.3 Tbps DDoS attack with autonomous mitigation<\/strong><br>On 19 June, Cloudflare revealed that it had autonomously blocked the largest DDoS attack ever recorded &ndash; a staggering 7.3 Tbps in mid-May &ndash; aimed at a hosting provider using Magic Transit. The attack unleashed 37.4 TB in just 45 seconds across more than 20,000 UDP ports per second, using several reflection\/amplification techniques. Cloudflare's eBPF-based detection rules were applied seamlessly across its global network, with no human intervention needed.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.cloudflare.com\/defending-the-internet-how-cloudflare-blocked-a-monumental-7-3-tbps-ddos\/\">link<\/a> <\/p><p><strong>Iran shuts down the internet as Israeli strikes continue<\/strong><br>On 18 June, a near-total internet blackout in Iran cut connectivity to just 3%, severely limiting external communication amid ongoing Israeli strikes. The shutdown, likely ordered by the Iranian authorities, followed warnings of a planned disconnection. Officials cited concerns about Israeli cyberattacks and covert activity. 
Since the outage, phone access has been strained, news updates have stopped and vital alerts such as evacuation notices may be inaccessible to many residents.<code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/mastodon.social\/@netblocks\">link<\/a> <\/p><p><strong>Iran imposes internet restrictions following Israel's attack on the country<\/strong><br>On 13 June, internet users in Iran reported network disruptions affecting the internet and communication apps. The Islamic Revolutionary Guard Corps asked the population to refrain from sharing information on foreign messaging apps, namely WhatsApp and Instagram. According to the Ministry of Communications, this comes in light of Israel's attack on the same day.<code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.tasnimnews.com\/fa\/news\/1404\/03\/23\/3334504\/%D9%88%D8%B2%D8%A7%D8%B1%D8%AA-%D8%A7%D8%B1%D8%AA%D8%A8%D8%A7%D8%B7%D8%A7%D8%AA-%D9%85%D8%AD%D8%AF%D9%88%D8%AF%DB%8C%D8%AA-%D9%87%D8%A7%DB%8C-%D8%A7%DB%8C%D9%86%D8%AA%D8%B1%D9%86%D8%AA-%DA%A9%D8%B4%D9%88%D8%B1-%D9%85%D9%88%D9%82%D8%AA%DB%8C-%D8%A7%D8%B3%D8%AA\">link<\/a> <\/p><p><strong>Solar storms accelerate Starlink satellite re-entry, raising operational and security concerns<\/strong><br>Between 31 May and 2 June, severe solar storms increased atmospheric drag on Starlink satellites, accelerating their re-entry and raising concerns about satellite lifespan, debris and operational reliability. 
NASA researchers warned that this problem, intensified by the ongoing solar maximum and Starlink's vast LEO constellation, could disrupt telecommunications services globally and complicate future satellite operations, particularly as Starlink expands amid geopolitical scrutiny of its use in tariff-hit countries.<code>space<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.the-independent.com\/space\/starlink-satellites-elon-musk-space-b2759288.html\">link<\/a> <\/p><p><strong>Destructive npm packages disguised as health-monitoring utilities enable remote system wipe<\/strong><br>On 5 June, Socket discovered two malicious npm packages &mdash; express-api-sync and system-health-sync-api &mdash; posing as backend utilities for API synchronisation and system health monitoring. Instead, they enabled complete system wiping via hidden HTTP endpoints. One wiped files upon receiving the key &ldquo;DEFAULT_123&rdquo;, the other after collecting system information and receiving the secret &ldquo;HelloWorld&rdquo;. 
Both exploited trust in common developer tools to deploy destructive payloads.<code>atacul lan&#539;ului de aprovizionare<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/destructive-npm-packages-enable-remote-system-wipe\">link<\/a> <\/p><h3 id=\"hacktivism-2\">Hacktivism<\/h3><p><strong>Alleged Israel-linked hacktivist claims to have breached an Iranian cryptocurrency platform<\/strong><br>On 18 June, an alleged Israel-linked hacktivist, named Predatory Sparrow, claimed to have stolen and burned over 90 million US dollars in cryptocurrency from Iran's largest cryptocurrency exchange, Nobitex. They warned they would also release Nobitex's source code.<code>iran<\/code> <code>israel<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/pro-israel-hackers-hit-irans-nobitex-exchange-burn-90m-in-crypto\/\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>The conclusions or attributions made in this document reflect only what publicly available sources report. 
They do not reflect our position.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n        ","protected":false},"excerpt":{"rendered":"<p>Cyber Brief (June 2025)July 1, 2025 &#8211; Version: 1TLP:CLEARExecutive summaryWe analysed 277 open source reports for this Cyber Brief1.Relating to cyber policy and law enforcement, the EU adopted a blueprint to better manage European cyber crises. 
The US warned of Iranian [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"footnotes":""},"ti_category":[198],"ti_source":[172],"ti_severity":[187],"class_list":["post-992322","threat_intelligence","type-threat_intelligence","status-publish","hentry","ti_category-threat-actor","ti_source-cert-eu","ti_severity-critical"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992322","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/threat_intelligence"}],"version-history":[{"count":0,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992322\/revisions"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=992322"}],"wp:term":[{"taxonomy":"ti_category","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_category?post=992322"},{"taxonomy":"ti_source","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_source?post=992322"},{"taxonomy":"ti_severity","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_severity?post=992322"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}