{"id":992325,"date":"2025-11-03T00:45:34","date_gmt":"2025-11-02T21:45:34","guid":{"rendered":"https:\/\/gpss.ro\/threat-intelligence\/cyber-brief-25-04-march-2025\/"},"modified":"2025-11-03T00:45:34","modified_gmt":"2025-11-02T21:45:34","slug":"cyber-brief-25-04-march-2025","status":"publish","type":"threat_intelligence","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/cyber-brief-25-04-march-2025\/","title":{"rendered":"Cyber Brief 25-04 &#8211; March 2025"},"content":{"rendered":"<div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n            <div
class=\"article-content\"><h2 id=\"cyber-brief-march-2025\">Cyber Brief (March 2025)<\/h2><p>April 2, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 575 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p><strong>Policy, cooperation, and law enforcement.<\/strong> Europol, Finnish, German and US authorities seized servers linked to Garantex, a cryptocurrency exchange, which was reportedly being used to evade sanctions on Russia. Spanish authorities indicted NSO group executives over Pegasus spyware allegations. The US Defense Secretary reportedly ordered Cyber Command to stand down on Russia planning.<\/p><\/li><li><p><strong>Cyberespionage.<\/strong> Pro-Russia actors have reportedly recruited individuals through Telegram to conduct sabotage and espionage activities. China-linked Silk Typhoon reportedly targeted IT supply-chains to conduct cyberespionage on downstream customers and Weaver Ant reportedly infiltrated an Asian telecommunications company for four years.<\/p><\/li><li><p><strong>Cybercrime.<\/strong> Strela stealer was used in the targeting of European e-mail accounts in a widespread phishing campaign. North Korea-linked Lazarus group deployed six new fake npm packages that compromise developer environments to engage in cryptocurrency theft.<\/p><\/li><li><p><strong>Data exposure and leaks.<\/strong> Researchers at a company behind an open-source scanner reported nearly 12.000 API keys and passwords exposed in an AI training dataset, including AWS and MailChimp API keys.<\/p><\/li><li><p><strong>Disruption.<\/strong> Ukraine\u2019s state railway operator experienced a cyberattack disrupting access to online ticket sales and its mobile app.
<\/p><\/li><li><p><strong>Hacktivism.<\/strong> Social media platform X experienced DDoS attacks claimed by pro-Palestine supposed hacktivist group Dark Storm.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>European Commission to invest 1.3 billion euro in artificial intelligence, cybersecurity and digital skills<\/strong><br> On March 28, the European Commission announced 1.3 billion euro in funding on artificial intelligence (AI), cybersecurity, cloud technology, and digital skills through the Digital Europe Programme (DIGITAL) for 2025 to 2027. The initiative supports advanced cybersecurity measures for digital infrastructure, including hospitals and submarine cables, reinforcing Europe\u2019s technological sovereignty and digital resilience. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_907\">link<\/a> <\/p><p><strong>Switzerland obliges critical infrastructure organisations to report cyberattacks within 24h<\/strong><br> On March 10, Switzerland's National Cybersecurity Centre (NCSC) announced a new mandate through an amendment to the Information Security Act requiring critical infrastructure organisations in the country to report cyberattacks to NCSC within 24 hours of their discovery. The mandate will enter into force on April 1, 2025. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.admin.ch\/ncsc\/en\/home\/aktuell\/im-fokus\/2025\/meldepflicht-2025.html\">link<\/a> <\/p><p><strong>Europol, Finnish, German and US authorities seize Russian cryptocurrency exchange's domain used to circumvent sanctions<\/strong><br> On March 6, Garantex, a Russian cryptocurrency exchange, announced it was temporarily suspending operations after Europol, Finnish, German and US authorities seized its domain.
The US Department of Justice accused the platform of processing at least 96 billion US dollars worth of cryptocurrency transactions to circumvent sanctions. The law enforcement entities seized servers that hosted Garantex\u2019s operations in their respective countries. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/garantex-crypto-exchange-taken-down-law-enforcement-operation\">link<\/a> <\/p><p><strong>Spain indicts NSO group executives over Pegasus spyware allegations<\/strong><br> On March 3, a Spanish Provincial Court indicted three NSO Group executives for their alleged involvement in Pegasus spyware campaigns targeting a lawyer representing the Catalonia-based human rights group Ir\u00eddia between 2019 and 2020. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/iridia.cat\/en\/three-executives-of-the-nso-group-charged-for-their-responsibility-in-the-pegasus-espionage-case\/\">link<\/a> <\/p><p><strong>UK sets post-quantum cryptography migration timeline<\/strong><br> On March 20, NCSC-UK outlined key milestones for the UK\u2019s migration to post-quantum cryptography. By 2028, organisations should define migration goals and assess cryptographic dependencies. By 2031, they must begin high-priority transitions and refine migration plans. Full migration should be completed by 2035, though some technologies may take longer. The guidance targets critical infrastructure, large enterprises, and bespoke IT systems. <code>quantum computing<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/guidance\/pqc-migration-timelines\">link<\/a> <\/p><h3 id=\"cyberespionage\">Cyberespionage<\/h3><p><strong>Suspected data breach in the Finnish Foreign Ministry\u2019s remote access service<\/strong><br> On March 27, the Finnish Ministry for Foreign Affairs detected suspicious activity in its remote access service, raising concerns about a possible data breach. 
In response, the Ministry swiftly disabled the service and launched an internal investigation. The incident was reported to the National Bureau of Investigation and cybersecurity authorities for further analysis. The Ministry emphasised its commitment to securing its systems and mitigating any potential risks. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/um.fi\/current-affairs\/-\/asset_publisher\/gc654PySnjTX\/content\/ulkoasiainhallinnon-etayhteyspalvelussa-tietomurtoepaily\">link<\/a> <\/p><p><strong>Two Serbian journalists targeted with Pegasus spyware in February 2025<\/strong><br> On March 28, Amnesty International reported that two journalists from the Balkan Investigative Reporting Network (BIRN), an award-winning Serbian network of investigative journalists, were targeted with NSO Group\u2019s Pegasus spyware. According to Amnesty International\u2019s investigation, the intrusion happened in February 2025. This is the third time in two years that Amnesty International\u2019s Security Lab has found NSO Group\u2019s Pegasus spyware being used against civil society in Serbia. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2025\/03\/serbia-birn-journalists-targeted-with-pegasus-spyware\/\">link<\/a> <\/p><p><strong>Several state-sponsored threat actors exploit Windows zero-day vulnerability<\/strong><br> On March 18, Trend Micro issued a report about a Windows zero-day vulnerability (ZDI-CAN-25373) which was reportedly exploited by as many as 11 state-sponsored APTs linked to North Korea, Russia, Iran, and China.
<code>china<\/code> <code>iran<\/code> <code>north korea<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/windows-shortcut-zero-day-exploit.html\">link<\/a> <\/p><p><strong>Cellebrite zero-day exploit used to target phone of Serbian student activist<\/strong><br> On February 28, Amnesty International's Security Lab reported that Serbian authorities exploited a zero-day vulnerability in Cellebrite's software to access the phone of a student activist. This sophisticated attack targeted USB drivers in Android devices, allowing unauthorised access. In response, Cellebrite has suspended product use by certain Serbian customers. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securitylab.amnesty.org\/latest\/2025\/02\/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist\/\">link<\/a> <\/p><p><strong>Russia reportedly recruits cyber saboteurs online for hybrid warfare in Europe<\/strong><br> On March 12, Belgium-based VRT reported that pro-Russia actors recruited individuals online for sabotage and espionage activities in Europe, including in Belgium. These groups utilise platforms like Telegram to assign tasks such as collecting e-mail addresses of Belgian journalists or defacing vehicles, offering cryptocurrency as payment. Belgian State Security warns of increased use of disposable agents for intelligence gathering, propaganda, and sabotage, complicating attribution and enhancing Russia's hybrid warfare tactics. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.vrt.be\/vrtnws\/nl\/2025\/03\/11\/rusland-online-ronselen-hybride-oorlog\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Swiss company Ascom breached through Jira<\/strong><br> On March 17, Swiss company Ascom reported to have experienced a cyberattack the day prior. 
The threat actors exploited compromised credentials to breach Ascom's Jira ticketing system, stealing approximately 44\u00a0GB of data, including source code, project details, and confidential documents. The incident did not impact Ascom's business operations. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ascom.com\/news\/Business-News\/cyberattack\/\">link<\/a> <\/p><p><strong>Strela Stealer targets European e-mail users with phishing campaign<\/strong><br> On March 6, Trustwave reported that Strela Stealer, active since 2022, was used to collect Mozilla Thunderbird and Microsoft Outlook credentials in German-speaking regions. Delivered via phishing e-mails disguised as invoices, it verifies system locale before execution. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/a-deep-dive-into-strela-stealer-and-how-it-targets-european-countries\/\">link<\/a> <\/p><h3 id=\"disruption\">Disruption<\/h3><p><strong>Cyberattack disrupted Ukrainian railway ticket sales<\/strong><br> On March 24, a cyberattack on Ukraine's state railway operator, Ukrzaliznytsia, disrupted online ticket sales and its mobile app, causing long queues at Kyiv\u2019s central station. Despite the attack, train schedules were unaffected. The company is investigating the incident with security services, but has not disclosed technical details. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/ukraine-railway-ukrzaliznytsia-cyberattack-online-ticket-system\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>DDoS attacks disrupt Dutch government login system DigiD, blocking access to critical services<\/strong><br> On March 3, a series of DDoS attacks disrupted DigiD, the Dutch government's authentication system, blocking thousands from accessing vital services like tax filings, municipal resources, and medical portals. 
<code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.nu.nl\/tech\/6347833\/storing-bij-digid-opgelost-inloggen-op-overheidswebsites-weer-mogelijk.html\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Microsoft disrupts global cybercrime network exploiting generative AI vulnerabilities<\/strong><br> On February 27, Microsoft researchers identified a global cybercrime network, Storm-2139, exploiting vulnerabilities in generative AI services, including Azure OpenAI, to create and distribute illicit content. By filing a lawsuit and seizing key infrastructure, Microsoft disrupted the network\u2019s operations, named four defendants from Iran, the UK, Hong Kong, and Vietnam, and emphasised the need for robust AI safeguards and continued legal actions to combat the misuse of AI technologies. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2025\/02\/27\/disrupting-cybercrime-abusing-gen-ai\/\">link<\/a> <\/p><p><strong>LockBit ransomware developer extradited to US<\/strong><br> On March 13, a dual Russian and Israeli national was extradited to the US for developing LockBit ransomware. Arrested in Israel in August, the individual allegedly helped build malware, disable antivirus software, and maintain LockBit's infrastructure. LockBit targeted over 2500 victims, extorting 500 million US dollars worth of cryptocurrency. The arrest follows a global law enforcement operation disrupting LockBit in February. 
<code>cat: cybercrime<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/usao-nj\/pr\/dual-russian-and-israeli-national-extradited-united-states-his-role-lockbit-ransomware\">link<\/a> <\/p><p><strong>US charges 12 Chinese nationals for state-sponsored cyberespionage<\/strong><br> On March 5, the US Department of Justice charged 12 Chinese nationals, including officers of China\u2019s Ministry of Public Security and employees of Anxun Information Technology Co. Ltd. (i-Soon), for their roles in hacking campaigns aimed at stealing data and silencing dissent globally. The defendants allegedly infiltrated networks of US and foreign organisations, using stolen data for profit and state-sponsored espionage. <code>china<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global\">link<\/a> <\/p><p><strong>Canada launches cyber security certification program for defence contracts<\/strong><br> On March 12, Canada launched the first phase of the Canadian Program for Cyber Security Certification (CPCSC) to strengthen defence sector security against supply-chain threats. This phase introduces a new cyber security standard, an accreditation process, and a self-assessment tool for level 1 certification. The CPCSC will be implemented gradually, ensuring companies meet security requirements at contract award to mitigate risks from cyber threats in the supply-chain. 
<code>defence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.canada.ca\/en\/public-services-procurement\/news\/2025\/03\/government-of-canada-announces-first-phase-of-canadian-program-for-cyber-security-certification.html\">link<\/a> <\/p><p><strong>Turkey restricts access to social media amid political unrest<\/strong><br> On March 19, NetBlocks confirmed that network data indicated Turkey had restricted access to multiple social media platforms, including X (formerly Twitter), YouTube, Instagram, and TikTok. This occurred amid unrest over the detention of the Istanbul mayor. <code>internet restriction<\/code> <code>Turkey<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/mastodon.social\/@netblocks\/114187457101184560\">link<\/a> <\/p><p><strong>US Defense Secretary reportedly ordered Cyber Command to stand down on Russia planning<\/strong><br> On February 28, The Record reported that the Defense Secretary ordered US Cyber Command to halt planning of operations such as offensive cyber operations against Russia. <code>russia<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/hegseth-orders-cyber-command-stand-down-russia-planning\">link<\/a> <\/p><h3 id=\"cyberespionage-2\">Cyberespionage<\/h3><p><strong>China-linked Weaver Ant long-term attack against Asian telecommunications services provider<\/strong><br> On March 24, Sygnia, a cybersecurity company, reported on Weaver Ant, a China-linked threat actor. Weaver Ant reportedly conducted a campaign against a major Asian telecommunications company for more than four years, hiding traffic and infrastructure with the help of compromised Zyxel CPE routers.
<code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sygnia.co\/threat-reports-and-advisories\/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation\/\">link<\/a> <\/p><p><strong>Microsoft warns of Silk Typhoon's shift to IT supply-chain attacks<\/strong><br> On March 5, Microsoft reported that the Chinese state-sponsored group Silk Typhoon targeted IT supply-chains, exploiting remote management tools and cloud services to access downstream customers. The group used stolen API keys and credentials, unpatched applications, and zero-day vulnerabilities to infiltrate networks across various sectors, including government, healthcare, and defence, leaving minimal traces by avoiding traditional malware and web shells. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/05\/silk-typhoon-targeting-it-supply-chain\/\">link<\/a> <\/p><p><strong>China-linked cyberespionage actor UNC3886 targets Juniper routers<\/strong><br> On March 12, Google Cloud reported that UNC3886, a China-nexus group, exploited Juniper Networks routers between mid-2023 and early 2024. The attackers deployed custom backdoors with active and passive capabilities, allowing long-term access while disabling logging mechanisms. This tactic enables persistent espionage and potential future disruptions to critical infrastructure. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/china-nexus-espionage-targets-juniper-routers?hl=en\">link<\/a> <\/p><p><strong>China-linked FamousSparrow targets financial organisation in the US<\/strong><br> On March 26, researchers from ESET published their findings about China-linked FamousSparrow targeting a US financial institution in July 2024. The threat actor was thought to be inactive since 2022, but in this targeting, researchers found two new versions of its custom backdoor SparrowDoor. 
<code>china<\/code> <code>finance<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow\/\">link<\/a> <\/p><p><strong>WhatsApp patched zero-click flaw exploited in Paragon spyware attacks<\/strong><br> On March 19, WhatsApp disclosed that it had patched a zero-click, zero-day vulnerability exploited to install Paragon's Graphite spyware. This flaw allowed attackers to infect devices without user interaction. Citizen Lab identified the exploit, leading to WhatsApp addressing the issue without requiring a client-side fix. Approximately 90 Android users, including journalists and activists, were notified of being targeted. <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor exploits zero-day in Microsoft's Management Console<\/strong><br> On March 25, Trend Micro uncovered a campaign by the Russia-linked threat actor Water Gamayun exploiting a zero-day in Microsoft's Management Console to execute malicious code. By manipulating .msc files and MUIPath, attackers stole sensitive data and maintained persistence. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/cve-2025-26633-water-gamayun.html\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Fake Cloudflare verification on vulnerable WordPress websites results in LummaStealer infections<\/strong><br> On March 19, Sucuri reported a malware campaign where attackers exploit WordPress sites to display fake Cloudflare verification prompts. These prompts deceive Windows users into executing malicious PowerShell commands, leading to LummaStealer Trojan infections.
The malware harvests sensitive data, including login credentials and cryptocurrency wallets. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.sucuri.net\/2025\/03\/fake-cloudflare-verification-results-in-lummastealer-trojan-infections.html\">link<\/a> <\/p><p><strong>Black Basta and Cactus ransomware groups exploit Microsoft Teams to deploy BackConnect malware<\/strong><br> On March 3, Trend Micro reported that Black Basta and Cactus ransomware groups have integrated BackConnect malware into their attacks, enabling persistent control over compromised systems. This malware, linked to QakBot, aids in exfiltrating sensitive data and expanding attackers' foothold, with incidents primarily occurring in North America and Europe since October 2024. These groups have evolved their tactics, using social engineering and legitimate tools like Microsoft Teams to gain unauthorised access. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/black-basta-cactus-ransomware-backconnect.html\">link<\/a> <\/p><p><strong>AI-generated fake GitHub repositories distribute Lumma Stealer malware<\/strong><br> On March 11, Trend Micro reported that cybercrime actors are leveraging AI to create fake GitHub repositories, distributing LummaStealer malware as its final payload. These repositories pose as legitimate tools, like employee time tracker Discord bot and cracks for software like IDA Pro, deceiving users into downloading malicious files. The campaign exploits GitHub's trusted reputation to evade detection. This story highlights the importance of downloading software only from official sources. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/ai-assisted-fake-github-repositories.html\">link<\/a> <\/p><p><strong>Microsoft Trusted Signing service abused for malware campaigns<\/strong><br> On March 22, Bleeping Computer reported that cybercrime actors are exploiting Microsoft's Trusted Signing service to codesign malware using short-lived three-day certificates. These certificates enhance malware credibility, bypassing security filters. Researchers identified campaigns like Crazy Evil Traffers and Lumma Stealer using this method. Microsoft is monitoring threats and revoking abused certificates, but the simplified verification process makes its service an attractive alternative to Extended Validation certificates. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-trusted-signing-service-abused-to-code-sign-malware\/\">link<\/a> <\/p><p><strong>DollyWay campaign abused WordPress to redirect users to scam<\/strong><br> On March 17, GoDaddy reported on a WordPress campaign dubbed DollyWay v3. It primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of Traffic Direction System nodes hosted on compromised websites. These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, a cybercrime group. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.godaddy.com\/resources\/news\/dollyway-world-domination\">link<\/a> <\/p><p><strong>SocGholish aids RansomHub ransomware deployment<\/strong><br> On March 14, Trend Micro highlighted SocGholish\u2019s role in enabling RansomHub ransomware through the Water Scylla intrusion set. SocGholish spreads via compromised websites, tricking users into downloading malicious files. 
It employs an obfuscated JavaScript loader to evade detection, providing persistent access for data theft and malware deployment. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\">link<\/a> <\/p><p><strong>DPRK-linked Lazarus group deploys six new fake npm packages<\/strong><br> On March 10, Socket, a technology company, reported that North Korea-linked Lazarus group deployed six new fake npm packages, which have been downloaded over 300 times. The malicious packages compromise developer environments, steal credentials, deploy a backdoor, and extract cryptocurrency data. In some seemingly benign packages, researchers uncovered BeaverTail malware. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Nearly 12.000 API keys and passwords exposed in AI training dataset<\/strong><br> On February 27, researchers at Truffle Security, the company behind the TruffleHog open-source scanner for sensitive data, discovered nearly 12.000 valid API keys and passwords in the Common Crawl dataset, which is used to train various AI models. The exposed secrets included AWS and MailChimp API keys, raising concerns about insecure coding practices influencing AI behaviour despite pre-processing efforts to remove sensitive information. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/trufflesecurity.com\/blog\/research-finds-12-000-live-api-keys-and-passwords-in-deepseek-s-training-data\">link<\/a> <\/p><h3 id=\"hacktivism-2\">Hacktivism<\/h3><p><strong>DDoS attack disrupts X<\/strong><br> On March 10, social media platform X suffered a DDoS attack that temporarily disrupted its services three times in a few hours. 
The DDoS was claimed by a pro-Palestine supposed hacktivist group. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.techradar.com\/news\/live\/x-is-down-latest-news-on-twitters-third-outage\">link<\/a> <\/p><p><em>All CERT-EU's Security Advisories are available to the public on CERT-EU's website, <code>https:\/\/www.cert.europa.eu\/publications\/security-advisories\/<\/code><\/em><\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\"><?xml encoding=\"UTF-8\"><h2 id=\"cyber-brief-march-2025\">Cyber &#8203;&#8203;Brief (martie 2025)<\/h2><p>2 aprilie 2025 - Versiunea: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Rezumat<\/h2><ul><li><p>Am analizat 575 de rapoarte open source pentru acest Cyber &#8203;&#8203;Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p><strong>Politic&#259;, cooperare &#537;i aplicarea legii.<\/strong>Europol, autorit&#259;&#539;ile finlandeze, germane &#537;i americane au confiscat servere legate de Garantex, un schimb de criptomonede, care ar fi fost folosit pentru a sustrage sanc&#539;iunile &icirc;mpotriva Rusiei. Autorit&#259;&#539;ile spaniole i-au acuzat pe directorii grupului NSO din cauza acuza&#539;iilor de spyware Pegasus. 
Secretarul american al Ap&#259;r&#259;rii ar fi ordonat Comandamentului Cyber &#8203;&#8203;s&#259; renun&#539;e la planificarea Rusiei.<\/p><\/li><li><p><strong>Spionajul cibernetic.<\/strong>Se pare c&#259; actorii pro-rusi au recrutat persoane prin Telegram pentru a desf&#259;&#537;ura activit&#259;&#539;i de sabotaj &#537;i spionaj. Silk Typhoon, legat de China, a vizat lan&#539;urile de aprovizionare IT pentru a efectua spionaj cibernetic asupra clien&#539;ilor din aval, iar Ant Weaver s-ar fi infiltrat &icirc;ntr-o companie de telecomunica&#539;ii din Asia timp de patru ani.<\/p><\/li><li><p><strong>Crima cibernetic&#259;.<\/strong>Strela stealer a fost folosit &icirc;n direc&#539;ionarea conturilor de e-mail europene &icirc;ntr-o campanie de phishing pe scar&#259; larg&#259;. Grupul Lazarus legat de Coreea de Nord a implementat &#537;ase noi pachete false NPM care compromit mediile dezvoltatorilor pentru a se implica &icirc;n furtul de criptomonede.<\/p><\/li><li><p><strong>Expunerea &#537;i scurgerile de date.<\/strong>Cercet&#259;torii unei companii din spatele unui scaner open-source au raportat aproape 12.000 de chei API &#537;i parole expuse &icirc;ntr-un set de date de instruire AI, inclusiv chei API AWS &#537;i MailChimp.<\/p><\/li><li><p><strong>Perturbare.<\/strong>Operatorul de c&#259;i ferate de stat din Ucraina a suferit un atac cibernetic care a perturbat accesul la v&acirc;nzarea de bilete online &#537;i la aplica&#539;ia sa mobil&#259;.<\/p><\/li><li><p><strong>Hacktivism.<\/strong>Platforma de socializare X a suferit atacuri DDoS revendicate de un presupus grup hacktivist pro-Palestini Dark Storm.<\/p><\/li><\/ul><h2 id=\"europe\">Europa<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Politica cibernetic&#259; &#537;i aplicarea legii<\/h3><p><strong>Comisia European&#259; va investi 1,3 miliarde de euro &icirc;n inteligen&#539;&#259; artificial&#259;, securitate cibernetic&#259; &#537;i competen&#539;e digitale<\/strong><br>Pe 28 martie, 
Comisia European&#259; a anun&#539;at finan&#539;are de 1,3 miliarde de euro pentru inteligen&#539;a artificial&#259; (AI), securitatea cibernetic&#259;, tehnologia cloud &#537;i abilit&#259;&#539;ile digitale prin Programul Digital Europe (DIGITAL) pentru 2025-2027. Ini&#539;iativa sprijin&#259; m&#259;suri avansate de securitate cibernetic&#259; pentru infrastructura digital&#259;, inclusiv spitale &#537;i cabluri submarine, consolidarea suveranit&#259;&#539;ii digitale &#537;i rezilien&#539;a digital&#259; a Europei.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/ip_25_907\">link<\/a> <\/p><p><strong>Elve&#539;ia oblig&#259; organiza&#539;iile cu infrastructur&#259; critic&#259; s&#259; raporteze atacurile cibernetice &icirc;n termen de 24 de ore<\/strong><br>Pe 10 martie, Centrul Na&#539;ional de Securitate Cibernetic&#259; (NCSC) din Elve&#539;ia a anun&#539;at un nou mandat printr-un amendament la Legea privind securitatea informa&#539;ional&#259; care impune organiza&#539;iilor cu infrastructur&#259; critic&#259; din &#539;ar&#259; s&#259; raporteze atacurile cibernetice c&#259;tre NCSC &icirc;n termen de 24 de ore de la descoperirea lor. Mandatul va intra &icirc;n vigoare la 1 aprilie 2025.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.admin.ch\/ncsc\/en\/home\/aktuell\/im-fokus\/2025\/meldepflicht-2025.html\">link<\/a> <\/p><p><strong>Autorit&#259;&#539;ile Europol, finlandeze, germane &#537;i americane confisc&#259; domeniul bursei ruse&#537;ti de criptomonede, folosit pentru eludarea sanc&#539;iunilor<\/strong><br>Pe 6 martie, Garantex, o burs&#259; de criptomonede rus&#259;, a anun&#539;at c&#259; suspend&#259; temporar opera&#539;iunile dup&#259; ce Europol, autorit&#259;&#539;ile finlandeze, germane &#537;i americane i-au confiscat domeniul. 
The US Department of Justice accused the platform of processing at least 96 billion dollars' worth of cryptocurrency transactions to evade sanctions. Law enforcement entities seized the servers hosting Garantex's operations in their respective countries.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/garantex-crypto-exchange-taken-down-law-enforcement-operation\">link<\/a> <\/p><p><strong>Spain indicts NSO Group executives over Pegasus spyware allegations<\/strong><br>On March 3, a Spanish provincial court indicted three NSO Group executives for their alleged involvement in Pegasus spyware campaigns that targeted a lawyer representing the Catalan human rights group Ir&iacute;dia between 2019 and 2020.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/iridia.cat\/en\/three-executives-of-the-nso-group-charged-for-their-responsibility-in-the-pegasus-espionage-case\/\">link<\/a> <\/p><p><strong>The UK sets out its post-quantum cryptography migration timeline<\/strong><br>On March 20, NCSC-UK outlined the key milestones for the UK's migration to post-quantum cryptography. By 2028, organisations should define migration goals and assess their cryptographic dependencies. By 2031, they must begin high-priority transitions and refine their migration plans. Full migration should be completed by 2035, although some technologies may take longer. 
The guidance targets critical infrastructure, large enterprises and bespoke IT systems.<code>quantum computing<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/guidance\/pqc-migration-timelines\">link<\/a> <\/p><h3 id=\"cyberespionage\">Cyberespionage<\/h3><p><strong>Suspected data breach in the Finnish Ministry for Foreign Affairs' remote access service<\/strong><br>On March 27, the Finnish Ministry for Foreign Affairs detected suspicious activity in its remote access service, raising concerns about a possible data breach. In response, the Ministry promptly disabled the service and launched an internal investigation. The incident was reported to the National Bureau of Investigation and to cybersecurity authorities for further analysis. The Ministry emphasised its commitment to securing its systems and mitigating any potential risks.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/um.fi\/current-affairs\/-\/asset_publisher\/gc654PySnjTX\/content\/ulkoasiainhallinnon-etayhteyspalvelussa-tietomurtoepaily\">link<\/a> <\/p><p><strong>Two Serbian journalists targeted with Pegasus spyware in February 2025<\/strong><br>On March 28, Amnesty International reported that two journalists from the Balkan Investigative Reporting Network (BIRN), an award-winning network of investigative journalists in Serbia, were targeted with NSO Group's Pegasus spyware. According to Amnesty International's investigation, the intrusion took place in February 2025. 
This is the third time in two years that Amnesty International's Security Lab has found NSO Group's Pegasus spyware used against civil society in Serbia.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.amnesty.org\/en\/latest\/news\/2025\/03\/serbia-birn-journalists-targeted-with-pegasus-spyware\/\">link<\/a> <\/p><p><strong>Multiple state-sponsored threat actors exploit a Windows zero-day vulnerability<\/strong><br>On March 18, Trend Micro issued a report on a Windows zero-day vulnerability (ZDI-CAN-25373) that has reportedly been exploited by up to 11 state-sponsored APTs linked to North Korea, Russia, Iran and China.<code>China<\/code> <code>iran<\/code> <code>north korea<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/windows-shortcut-zero-day-exploit.html\">link<\/a> <\/p><p><strong>Cellebrite zero-day exploit used to target the phone of a Serbian student activist<\/strong><br>On February 28, Amnesty International's Security Lab reported that Serbian authorities exploited a zero-day vulnerability in Cellebrite software to access a student activist's phone. This sophisticated attack targeted USB drivers in Android devices, enabling unauthorised access. 
In response, Cellebrite suspended the use of its products by certain Serbian customers.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securitylab.amnesty.org\/latest\/2025\/02\/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist\/\">link<\/a> <\/p><p><strong>Russia recruits cyber saboteurs online for hybrid warfare in Europe<\/strong><br>On March 12, Belgium's VRT reported that pro-Russia actors have recruited individuals online for sabotage and espionage activities in Europe, including in Belgium. These groups use platforms such as Telegram to assign tasks such as collecting the e-mail addresses of Belgian journalists or destroying vehicles, offering cryptocurrency as payment. Belgian State Security warns of the increased use of disposable agents for intelligence gathering, propaganda and sabotage, which complicates attribution and enhances Russia's hybrid warfare tactics.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.vrt.be\/vrtnws\/nl\/2025\/03\/11\/rusland-online-ronselen-hybride-oorlog\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Swiss company Ascom breached through Jira<\/strong><br>On March 17, the Swiss company Ascom reported that it had suffered a cyberattack the day before. Threat actors used compromised credentials to breach Ascom's Jira ticketing system, stealing approximately 44&nbsp;GB of data, including source code, project details and confidential documents. 
The incident did not affect Ascom's business operations.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ascom.com\/news\/Business-News\/cyberattack\/\">link<\/a> <\/p><p><strong>Strela Stealer targets European e-mail users in a phishing campaign<\/strong><br>On March 6, Trustwave reported that Strela Stealer, active since 2022, was used to harvest Mozilla Thunderbird and Microsoft Outlook credentials in German-speaking regions. Delivered through phishing e-mails disguised as invoices, it checks the system locale before executing.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trustwave.com\/en-us\/resources\/blogs\/spiderlabs-blog\/a-deep-dive-into-strela-stealer-and-how-it-targets-european-countries\/\">link<\/a> <\/p><h3 id=\"disruption\">Disruption<\/h3><p><strong>Cyberattack disrupts railway ticket sales in Ukraine<\/strong><br>On March 24, a cyberattack on Ukraine's state railway operator, Ukrzaliznytsia, disrupted online ticket sales and its mobile app, causing long queues at Kyiv's central station. Despite the attack, train schedules were not affected. 
The company is investigating the incident with the security services but has not disclosed technical details.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/ukraine-railway-ukrzaliznytsia-cyberattack-online-ticket-system\">link<\/a> <\/p><h3 id=\"hacktivism\">Hacktivism<\/h3><p><strong>DDoS attacks disrupt the Dutch government's DigiD login system, blocking access to critical services<\/strong><br>On March 3, a series of DDoS attacks disrupted DigiD, the Dutch government's authentication system, blocking access to thousands of vital services such as tax returns, municipal resources and healthcare portals.<code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.nu.nl\/tech\/6347833\/storing-bij-digid-opgelost-inloggen-op-overheidswebsites-weer-mogelijk.html\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Microsoft disrupts a global cybercrime network exploiting generative AI vulnerabilities<\/strong><br>On February 27, Microsoft researchers identified a global cybercrime network, Storm-2139, that exploits vulnerabilities in generative AI services, including Azure OpenAI, to create and distribute illicit content. 
By filing a lawsuit and seizing key infrastructure, Microsoft disrupted the network's operations, named four defendants from Iran, the United Kingdom, Hong Kong and Vietnam, and emphasised the need for robust AI safeguards and continued legal action to combat the abuse of AI technologies.<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2025\/02\/27\/disrupting-cybercrime-abusing-gen-ai\/\">link<\/a> <\/p><p><strong>LockBit ransomware developer extradited to the US<\/strong><br>On March 13, a dual Russian and Israeli national was extradited to the US for developing the LockBit ransomware. Arrested in Israel in August, the individual allegedly helped build malware, disable antivirus software and maintain LockBit's infrastructure. LockBit targeted over 2,500 victims, extorting 500 million dollars' worth of cryptocurrency. The arrest follows a global law enforcement operation that disrupted LockBit in February.<code>cat: cybercrime<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/usao-nj\/pr\/dual-russian-and-israeli-national-extradited-united-states-his-role-lockbit-ransomware\">link<\/a> <\/p><p><strong>US charges 12 Chinese nationals over state-sponsored cyberespionage<\/strong><br>On March 5, the US Department of Justice charged 12 Chinese nationals, including officers of China's Ministry of Public Security and employees of Anxun Information Technology Co. Ltd. (i-Soon), for their roles in hacking campaigns aimed at stealing data and silencing dissent globally. 
The defendants allegedly infiltrated the networks of US and foreign organisations, using stolen data for profit and for state-sponsored espionage.<code>China<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.justice.gov\/opa\/pr\/justice-department-charges-12-chinese-contract-hackers-and-law-enforcement-officers-global\">link<\/a> <\/p><p><strong>Canada launches a cybersecurity certification programme for defence contracts<\/strong><br>On March 12, Canada launched the first phase of the Canadian Program for Cyber Security Certification (CPCSC) to strengthen the defence sector's security against supply-chain threats. This phase introduces a new cybersecurity standard, an accreditation process and a self-assessment tool for Level 1 certification. The CPCSC will be rolled out gradually, ensuring that companies meet the security requirements at contract award in order to mitigate the risks posed by supply-chain cyber threats.<code>defence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.canada.ca\/en\/public-services-procurement\/news\/2025\/03\/government-of-canada-announces-first-phase-of-canadian-program-for-cyber-security-certification.html\">link<\/a> <\/p><p><strong>Turkey restricts access to social media amid political unrest<\/strong><br>On March 19, NetBlocks confirmed that network data showed Turkey had restricted access to several social media platforms, including X (formerly Twitter), YouTube, Instagram and TikTok. 
This took place amid unrest over the detention of the mayor of Istanbul.<code>internet restriction<\/code> <code>Turkey<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/mastodon.social\/@netblocks\/114187457101184560\">link<\/a> <\/p><p><strong>US Defense Secretary reportedly ordered Cyber Command to stand down on Russia planning<\/strong><br>On February 28, The Record reported that the Defense Secretary ordered US Cyber Command to halt operational planning, such as offensive cyber operations, against Russia.<code>russia<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/hegseth-orders-cyber-command-stand-down-russia-planning\">link<\/a> <\/p><h3 id=\"cyberespionage-2\">Cyberespionage<\/h3><p><strong>Long-running China-linked Weaver Ant attack against an Asian telecommunications provider<\/strong><br>On March 24, Sygnia, a cybersecurity company, reported on Ant Weaver, a China-linked threat actor. 
Ant Weaver ran a campaign against a major Asian telecommunications company for more than four years, hiding its traffic and infrastructure behind compromised Zyxel CPE routers.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.sygnia.co\/threat-reports-and-advisories\/weaver-ant-tracking-a-china-nexus-cyber-espionage-operation\/\">link<\/a> <\/p><p><strong>Microsoft warns of Silk Typhoon's shift to IT supply-chain attacks<\/strong><br>On March 5, Microsoft reported that the Chinese state-sponsored group Silk Typhoon targeted IT supply chains, exploiting remote management tools and cloud services to reach downstream customers. The group used stolen API keys and credentials, unpatched applications and zero-day vulnerabilities to infiltrate networks across various sectors, including government, healthcare and defence, leaving minimal traces by avoiding traditional malware and web shells.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/03\/05\/silk-typhoon-targeting-it-supply-chain\/\">link<\/a> <\/p><p><strong>China-linked cyberespionage actor UNC3886 targets Juniper routers<\/strong><br>On March 12, Google Cloud reported that UNC3886, a China-nexus group, exploited Juniper Networks routers between mid-2023 and early 2024. The attackers deployed custom backdoors with active and passive capabilities, enabling long-term access while disabling logging mechanisms. 
This tactic enables persistent espionage and potential future disruption of critical infrastructure.<code>China<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/china-nexus-espionage-targets-juniper-routers?hl=en\">link<\/a> <\/p><p><strong>China-linked FamousSparrow targets a US financial organisation<\/strong><br>On March 26, ESET researchers published their findings on China-linked FamousSparrow targeting a US financial institution in July 2024. The threat actor was believed to have been inactive since 2022, but in this targeting the researchers found two new versions of its custom SparrowDoor backdoor.<code>China<\/code> <code>finance<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/you-will-always-remember-this-as-the-day-you-finally-caught-famoussparrow\/\">link<\/a> <\/p><p><strong>WhatsApp patched a zero-click flaw exploited in Paragon spyware attacks<\/strong><br>On March 19, WhatsApp disclosed that it had patched a zero-click, zero-day vulnerability exploited to install Paragon's Graphite spyware. The flaw allowed attackers to infect devices without any user interaction. Citizen Lab identified the exploit, prompting WhatsApp to fix the issue without requiring a client-side fix. 
Approximately 90 Android users, including journalists and activists, were notified that they had been targeted.<code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/whatsapp-patched-zero-day-flaw-used-in-paragon-spyware-attacks\/\">link<\/a> <\/p><p><strong>Russia-linked threat actor exploits a zero-day in Microsoft Management Console<\/strong><br>On March 25, Trend Micro disclosed a campaign by the Russia-linked threat actor Water Gamayun exploiting a zero-day in Microsoft Management Console to execute malicious code. By manipulating .msc files and MUIPath, the attackers stole sensitive data and maintain persistence.<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/cve-2025-26633-water-gamayun.html\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Fake Cloudflare verification on vulnerable WordPress sites leads to LummaStealer infections<\/strong><br>On March 19, Sucuri reported a malware campaign in which attackers exploit WordPress sites to display fake Cloudflare verification prompts. These prompts trick Windows users into executing malicious PowerShell commands, leading to LummaStealer trojan infections. 
The malware harvests sensitive data, including login credentials and cryptocurrency wallets.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.sucuri.net\/2025\/03\/fake-cloudflare-verification-results-in-lummastealer-trojan-infections.html\">link<\/a> <\/p><p><strong>Black Basta and Cactus ransomware groups exploit Microsoft Teams to deploy BackConnect malware<\/strong><br>On March 3, Trend Micro reported that the Black Basta and Cactus ransomware groups have integrated BackConnect malware into their attacks, enabling persistent control over compromised systems. The malware, linked to QakBot, helps exfiltrate sensitive data and expand the attackers' foothold, with incidents occurring mainly in North America and Europe since October 2024. These groups have evolved their tactics, using social engineering and legitimate tools such as Microsoft Teams to gain unauthorised access.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/b\/black-basta-cactus-ransomware-backconnect.html\">link<\/a> <\/p><p><strong>AI-generated fake GitHub repositories distribute Lumma Stealer malware<\/strong><br>On March 11, Trend Micro reported that cybercriminal actors are using AI to create fake GitHub repositories that distribute LummaStealer malware as the final payload. These repositories pose as legitimate tools, such as an employee time-tracking Discord bot and cracks for software such as IDA Pro, tricking users into downloading malicious files. The campaign exploits GitHub's trusted reputation to evade detection. 
This story highlights the importance of downloading software only from official sources.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/ai-assisted-fake-github-repositories.html\">link<\/a> <\/p><p><strong>Microsoft Trusted Signing service abused for malware campaigns<\/strong><br>On March 22, Bleeping Computer reported that cybercriminal actors are exploiting the Microsoft Trusted Signing service to code-sign malware using short-lived three-day certificates. These certificates enhance the malware's credibility, bypassing security filters. Researchers identified campaigns such as Crazy Evil Traffers and Lumma Stealer using this method. Microsoft monitors the threats and revokes abused certificates, but the simplified verification process makes its service an attractive alternative to Extended Validation certificates.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-trusted-signing-service-abused-to-code-sign-malware\/\">link<\/a> <\/p><p><strong>DollyWay campaign abuses WordPress to redirect users to scams<\/strong><br>On March 17, GoDaddy reported on a WordPress campaign named DollyWay v3. It primarily targets visitors of infected WordPress sites through injected redirect scripts that use a distributed network of traffic direction system nodes hosted on compromised websites. 
These scripts redirect site visitors to various scam pages through traffic broker networks associated with VexTrio, a cybercrime group.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.godaddy.com\/resources\/news\/dollyway-world-domination\">link<\/a> <\/p><p><strong>SocGholish facilitates RansomHub ransomware deployment<\/strong><br>On March 14, Trend Micro highlighted the role of SocGholish in enabling RansomHub ransomware through the Water Scylla intrusion set. SocGholish spreads through compromised websites, tricking users into downloading malicious files. It uses an obfuscated JavaScript loader to evade detection, providing persistent access for data theft and malware deployment.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/c\/socgholishs-intrusion-techniques-facilitate-distribution-of-rans.html\">link<\/a> <\/p><p><strong>DPRK-linked Lazarus group deploys six new fake npm packages<\/strong><br>On March 10, Socket, a technology company, reported that the North Korea-linked Lazarus group deployed six new fake npm packages, which were downloaded over 300 times. The malicious packages compromise developer environments, steal credentials, deploy a backdoor and extract cryptocurrency data. 
In some seemingly benign packages, the researchers discovered BeaverTail malware.<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/socket.dev\/blog\/lazarus-strikes-npm-again-with-a-new-wave-of-malicious-packages\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Nearly 12,000 API keys and passwords exposed in an AI training dataset<\/strong><br>On February 27, researchers at Truffle Security, the company behind the open-source TruffleHog secrets scanner, discovered nearly 12,000 valid API keys and passwords in the Common Crawl dataset, which is used to train various AI models. The exposed secrets included AWS and MailChimp API keys, raising concerns that insecure coding practices could influence AI behaviour despite preprocessing efforts to remove sensitive information.<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/trufflesecurity.com\/blog\/research-finds-12-000-live-api-keys-and-passwords-in-deepseek-s-training-data\">link<\/a> <\/p><h3 id=\"hacktivism-2\">Hacktivism<\/h3><p><strong>DDoS attack disrupts X<\/strong><br>On March 10, the social media platform X suffered a DDoS attack that temporarily disrupted its services three times within a few hours. 
The DDoS was claimed by an alleged pro-Palestinian hacktivist group.<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.techradar.com\/news\/live\/x-is-down-latest-news-on-twitters-third-outage\">link<\/a> <\/p><p><em>All CERT-EU security advisories are publicly available on the CERT-EU website,<code>https:\/\/www.cert.europa.eu\/publications\/security-advisories\/<\/code><\/em><\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document reflect only what publicly available sources report. They do not reflect our position.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <script>\n        function switchLanguage(lang) {\n            \/\/ Hide both versions\n            document.getElementById(\"content-ro\").style.display = \"none\";\n            document.getElementById(\"content-en\").style.display = \"none\";\n\n            \/\/ Reset button styles\n            document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n                btn.style.background = \"#e5e7eb\";\n                btn.style.color = \"#374151\";\n                btn.classList.remove(\"lang-btn-active\");\n            });\n\n            \/\/ Show the selected version\n            if (lang === \"ro\") {\n                document.getElementById(\"content-ro\").style.display = \"block\";\n                document.getElementById(\"btn-lang-ro\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-ro\").style.color = \"white\";\n                document.getElementById(\"btn-lang-ro\").classList.add(\"lang-btn-active\");\n            } else {\n                document.getElementById(\"content-en\").style.display = \"block\";\n                
document.getElementById(\"btn-lang-en\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-en\").style.color = \"white\";\n                document.getElementById(\"btn-lang-en\").classList.add(\"lang-btn-active\");\n            }\n\n            \/\/ Save the preference in localStorage\n            localStorage.setItem(\"gpss_preferred_language\", lang);\n        }\n\n        \/\/ Restore the user's preference on load\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            var preferredLang = localStorage.getItem(\"gpss_preferred_language\") || \"ro\";\n            switchLanguage(preferredLang);\n        });\n\n        \/\/ Hover effects for the buttons\n        document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n            btn.addEventListener(\"mouseenter\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#bfdbfe\";\n                    this.style.color = \"#1e40af\";\n                }\n            });\n            btn.addEventListener(\"mouseleave\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#e5e7eb\";\n                    this.style.color = \"#374151\";\n                }\n            });\n        });\n        <\/script>\n\n        <style>\n        .lang-btn:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.3);\n        }\n        .lang-btn-active {\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.4);\n        }\n        <\/style>","protected":false},"excerpt":{"rendered":"<p>\ud83c\udf0d Limb\u0103 \/ Language: \ud83c\uddec\ud83c\udde7 English (Original) \ud83c\uddf7\ud83c\uddf4 Rom\u00e2n\u0103 Traducere automat\u0103 \/ Automatic translation Cyber Brief (March 2025)April 2, 2025 &#8211; Version: 
1TLP:CLEARExecutive summaryWe analysed 575 open source reports for this Cyber Brief1.Policy, cooperation, and law enforcement. Europol, Finnish, German and US authorities seized servers linked to Garantex, a cryptocurrency exchange, which was reportedly being [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"footnotes":""},"ti_category":[198],"ti_source":[172],"ti_severity":[187],"class_list":["post-992325","threat_intelligence","type-threat_intelligence","status-publish","hentry","ti_category-threat-actor","ti_source-cert-eu","ti_severity-critical"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/threat_intelligence"}],"version-history":[{"count":0,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992325\/revisions"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=992325"}],"wp:term":[{"taxonomy":"ti_category","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_category?post=992325"},{"taxonomy":"ti_source","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_source?post=992325"},{"taxonomy":"ti_severity","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_severity?post=992325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}