{"id":992326,"date":"2025-11-03T00:45:45","date_gmt":"2025-11-02T21:45:45","guid":{"rendered":"https:\/\/gpss.ro\/threat-intelligence\/cyber-brief-25-03-february-2025\/"},"modified":"2025-11-03T00:45:45","modified_gmt":"2025-11-02T21:45:45","slug":"cyber-brief-25-03-february-2025","status":"publish","type":"threat_intelligence","link":"https:\/\/delve.ro\/ro\/threat-intelligence\/cyber-brief-25-03-february-2025\/","title":{"rendered":"Cyber Brief 25-03 &#8211; February 2025"},"content":{"rendered":"<div id=\"content-en\" class=\"lang-content\" style=\"display: block;\">\n           
 <div class=\"article-content\"><h2 id=\"cyber-brief-february-2025\">Cyber Brief (February 2025)<\/h2><p>March 3, 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 433 open-source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p><strong>Policy, cooperation, and law enforcement<\/strong>. The EU aims to strengthen its response to large-scale cyber incidents, Sweden and the UK seek backdoor access to encrypted communications held by private companies, and a former Polish Justice Minister was arrested in the Pegasus spyware case. Moreover, the US stands down on cyber planning against Russia, Japan approves a Cyber Defence Bill to counter sophisticated threats, the Australian government bans Kaspersky products from government systems, and several police operations result in the arrest of cybercriminals.<\/p><\/li><li><p><strong>Cyberespionage<\/strong>. China-linked threat actors compromised Belgian Secret Service e-mail exchanges, as well as telecommunications providers worldwide. Russia-linked threat actor Sandworm was active in targeting critical infrastructure in Europe. Multiple Russian threat actors targeted Microsoft device code authentication and Signal Messenger in multiple sectors, including defence. Pegasus software infected at least one EU government official, while another Israeli spyware targeted EU civil society, and North Korea continues targeting developers.<\/p><\/li><li><p><strong>Cybercrime<\/strong>. The Belgian Port of Ostend was a victim of a cyberattack, China-linked threat actors were active in cybercrime worldwide, as was the North Korea-linked Lazarus group, which carried out what is considered the largest cryptocurrency theft in history.<\/p><\/li><li><p><strong>Information operations<\/strong>. 
China-linked Spamouflage operation targets the Spanish government, and a report analysed the impact of AI-driven disinformation in financial destabilisation. OpenAI removed accounts from China and North Korea that misused ChatGPT for malicious activities.<\/p><\/li><li><p><strong>Data exposure and leaks<\/strong>. Orange group was a victim of a hack-and-leak attack in Romania, as was the Bulgarian Supreme Administrative Court. <\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>EU Commission proposes new cybersecurity blueprint to enhance crisis coordination<\/strong><br> On February 24, the European Commission unveiled a proposal to strengthen the EU's response to large-scale cyber incidents. The updated blueprint outlines roles for EU entities throughout the crisis lifecycle, emphasising preparedness, detection, response, and recovery. It also promotes collaboration between civilian and military sectors, including NATO, and aligns with initiatives like the Critical Infrastructure Blueprint. The proposal aims to bolster collective cyber resilience across member states. <code>legislation<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/news\/commission-launches-new-cybersecurity-blueprint-enhance-eu-cyber-crisis-coordination\">link<\/a> <\/p><p><strong>Swedish government seeks backdoor access to encrypted messaging apps<\/strong><br> On February 24, the Swedish government proposed legislation requiring messaging providers to grant law enforcement access to encrypted communications. The proposal, citing national security concerns, targets apps like Signal and WhatsApp. Signal opposed the measure, stating it would leave Sweden if passed. Sweden joins other European nations debating similar laws on law enforcement access to encrypted data. 
<code>backdoor<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.svt.se\/nyheter\/inrikes\/signal-lamnar-sverige-om-regeringens-forslag-pa-datalagring-klubbas\">link<\/a> <\/p><p><strong>Apple removes Advanced Data Protection in the UK amid government demands<\/strong><br> On February 21, Apple announced the discontinuation of its Advanced Data Protection (ADP) feature for new users in the UK, with plans to require existing users to disable it in the near future. This decision follows demands from UK security services for backdoor access to encrypted iCloud backups. Despite this change, services such as iMessage, FaceTime, health data, and iCloud Keychain will continue to be end-to-end encrypted in the UK. <code>backdoor<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theverge.com\/news\/617273\/apple-removes-encryption-advanced-data-protection-adp-uk-spying-backdoor\">link<\/a><\/p><p><strong>UK government proposes ransomware legislation to curb payments and boost reporting<\/strong><br> On February 19, the UK's Home Office published the UK government's consultation on ransomware legislation aimed at reducing payments to cybercriminals and increasing incident reporting. Proposed measures seek to limit financial incentives for attackers, improve intelligence on ransomware transactions, and enhance government response capabilities. The consultation remains open until April 8, 2025, with responses invited from stakeholders. 
<code>legislation<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.gov.uk\/government\/consultations\/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals\">link<\/a> <\/p><p><strong>Former Polish Justice Minister arrested in Pegasus spyware case<\/strong><br> On January 31, the Polish Police arrested former Justice Minister Zbigniew Ziobro, accusing him of approving the use of government funds for Pegasus spyware to surveil opposition leaders. This follows the earlier arrest of the former Internal Security Agency chief, Piotr Pogonowski. <code>psoa<\/code> <code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/poland-spyware-former-justice-minister-arrested\">link<\/a> <\/p><p><strong>Joint operation between the Netherlands and the United States to disrupt cybercrime group<\/strong><br> On January 29, Dutch and US authorities launched \"Operation Heart Blocker\" against a Pakistan-based cybercrime group called Saim Raza, also known as \"The Manipulaters\". The group operated online marketplaces that sold hacking tools, including spam and phishing services, to thousands of customers, resulting in over 3 million US dollars in losses. Their tools were used by organised crime groups to conduct business e-mail compromise (BEC) schemes. <code>pakistan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politie.nl\/nieuws\/2025\/januari\/27\/09-verstoringsactie-deelt-klap-uit-aan-crimineel-cybernetwerk-heartsender.html\">link<\/a> <\/p><p><strong>Spanish police arrest suspect in cyberattacks against Spanish and international governmental organisations<\/strong><br> On February 5, the Spanish police arrested an individual suspected of conducting 40 cyberattacks against public and private organisations, including the Spanish Guardia Civil and Ministry of Defence, the US Army, NATO, and the UN. 
<code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.policia.es\/_es\/politicaCookies.php\">link<\/a> <\/p><h3 id=\"cyberespionage\">Cyberespionage<\/h3><p><strong>China-linked threat actors compromised Belgian Secret Service e-mail exchanges<\/strong><br> On February 26, the newspaper Le Soir revealed that Chinese threat actors compromised the Belgian Secret Service (VSSE) e-mail exchanges between 2021 and 2023. The threat actors exploited a vulnerability, first reported in 2023, in an e-mail system from the US software supplier Barracuda that was used by Belgian intelligence as well as by the Belgian Pipeline Organisation, which monitors pipelines in the North Sea. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lesoir.be\/657866\/article\/2025-02-26\/des-hackers-chinois-ont-vole-des-donnees-sensibles-la-surete-de-letat\">link<\/a> <\/p><p><strong>Multiple Russian threat actors targeting Microsoft device code authentication<\/strong><br> On February 13, Volexity reported that multiple Russian threat actors have targeted Microsoft 365 accounts using Device Code Authentication phishing. These campaigns involved spearphishing e-mails impersonating various organisations such as the European Parliament, the US Department of State and the Ukrainian Ministry of Defence. The attackers aimed to deceive users into entering codes that granted them unauthorised access to the accounts. Volexity tracks these campaigns under three threat actors, including CozyLarch. 
<code>diplomacy<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.volexity.com\/blog\/2025\/02\/13\/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication\/\">link<\/a> <\/p><p><strong>Sandworm APT targets Ukrainian users with trojanised Microsoft KMS activation tools<\/strong><br> On February 11, EclecticIQ reported that Sandworm (APT44), linked to Russia's GRU, is conducting cyberespionage against Ukrainian Windows users. Since late 2023, they have distributed pirated Microsoft Key Management Service activators and fake Windows updates to deploy the BACKORDER loader, which installs Dark Crystal RAT (DcRAT) malware. This campaign exploits Ukraine's reliance on unlicensed software, posing significant risks to national security and critical infrastructure. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.eclecticiq.com\/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns\">link<\/a> <\/p><p><strong>Microsoft uncovers BadPilot campaign by Russian Seashell Blizzard subgroup<\/strong><br> On February 12, Microsoft revealed that a subgroup within the Russian state actor Seashell Blizzard (aka Sandworm) has been conducting a multiyear global access operation, termed the \"BadPilot campaign.\" This subgroup exploited vulnerabilities in internet-facing infrastructure to persist on high-value targets across sectors like energy, telecommunications, and government, expanding their operations beyond Eastern Europe since at least 2021. 
<code>energy<\/code> <code>russia<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/12\/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation\/\">link<\/a><\/p><p><strong>CERT-UA analysis complements Microsoft's findings on Sandworm\u2019s BadPilot campaign<\/strong><br> On February 23, CERT-UA reported that UAC-0212, a subcluster of the Russian GRU-linked Sandworm group, targeted supplier companies in Serbia, the Czech Republic, and Ukraine between July 2024 and February 2025. CERT-UA\u2019s findings complement Microsoft\u2019s assessment of BadPilot by detailing phishing-based initial access methods, where attackers posed as customers and delivered malicious PDFs exploiting CVE-2024-38213. CERT-UA reports that the campaign aimed to compromise critical infrastructure service providers. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cert.gov.ua\/article\/6282517\">link<\/a> <\/p><p><strong>Multiple Russia-aligned threat actors actively targeting Signal Messenger<\/strong><br> On February 20, Google's Threat Intelligence Group reported that Russian state-aligned threat actors are targeting Signal Messenger accounts of individuals of interest to Russia's intelligence services. These actors exploit Signal's \"linked devices\" feature by sending malicious QR codes that, when scanned, link the victim's account to a device controlled by the attacker, enabling real-time message interception. Signal has since updated its app to enhance security against such phishing attacks. 
<code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/russia-targeting-signal-messenger\/?hl=en\">link<\/a> <\/p><p><strong>Pegasus spyware infected private sector devices and at least one European government official<\/strong><br> On February 19, iVerify, a US-based cybersecurity firm, reported new detections of Pegasus spyware on 11 out of 18.000 devices tested in December, including those of business executives in real estate, logistics, and finance, as well as a European government official. The findings suggest broader use of commercial spyware beyond civil society targets. Some victims were monitored for years using multiple Pegasus variants. <code>finance<\/code> <code>psoa<\/code> <code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/iverify.io\/blog\/how-democratizing-threat-hunting-is-changing-mobile-security\">link<\/a> <\/p><p><strong>Cellebrite zero-day exploit used to target phone of Serbian student activist<\/strong><br> On February 28, Amnesty International's Security Lab reported that Serbian authorities used Cellebrite's software to exploit a zero-day vulnerability and access the phone of a student activist. This sophisticated attack targeted USB drivers in Android devices, allowing unauthorised access. Despite previous reports of misuse, Serbian security services continue to employ such tactics against civil society. In response, Cellebrite has suspended product use by certain Serbian customers. 
<a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securitylab.amnesty.org\/latest\/2025\/02\/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Italian tycoons scammed by AI-generated minister\u2019s voice<\/strong><br> On February 9, the Financial Times reported that Italian tycoons were targeted in an AI-driven scam in which fraudsters used a deepfake voice of Defence Minister Guido Crosetto to request ransom payments for kidnapped journalists. Several business leaders were contacted, and at least one transferred 1 million euros. Authorities suspect phone number spoofing, and the Bank of Italy denied involvement. The case echoes past high-profile scams. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ft.com\/content\/8e911f1e-6eb7-4e8e-b4e0-3aba62575f23\">link<\/a><\/p><p><strong>Belgian Port of Ostend victim of cyberattack<\/strong><br> On February 12, the Belgian port of Ostend announced having been the victim of a cyberattack on February 10 and filed a complaint with the federal government. The Centre for Cybersecurity Belgium (CCB) is leading a team of internal and external cybersecurity experts to resolve the issue. The attack targeted a system that logs ship movements and crew lists, called Ensor. <code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.belganewsagency.eu\/port-of-ostend-files-police-complaint-after-cyberattack\">link<\/a> <\/p><p><strong>Green Nailao ransomware campaign targets European healthcare sector<\/strong><br> On February 18, Orange Cyberdefense CERT reported a ransomware campaign, \"Green Nailao,\" targeting European organisations, notably in healthcare, between June and October 2024. The attack exploited CVE-2024-24919 to deploy ShadowPad and PlugX backdoors, later delivering the previously undocumented NailaoLocker ransomware. 
Researchers assess with medium confidence that the activity aligns with Chinese threat actors but remains unattributed to a known group. <code>china<\/code> <code>health<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.orangecyberdefense.com\/global\/blog\/cert-news\/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>China-linked Spamouflage operation targets the Spanish government<\/strong><br> On January 29, Graphika, a US social network analysis company, published a report outlining a China-linked social media operation dubbed Spamouflage, targeting the Spanish government. Masquerading as Safeguard Defenders, a Madrid-based NGO, the threat actors called for the overthrow of the Spanish government. Spamouflage has been operating since at least 2017, targeting countries and voters worldwide, including in Europe and the US. <code>china<\/code> <code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/world\/chinese-online-influence-operation-called-overthrow-spains-government-graphika-2025-01-29\/\">link<\/a> <\/p><p><strong>Report on the impact of AI-driven disinformation says disinformation campaigns may cause financial destabilisation<\/strong><br> On February 14, Say No to Disinfo and Fenimore Harper communications released a report on the impact of AI-driven disinformation in financial destabilisation. A simulated campaign targeting UK banks showed that 60.8% of exposed individuals considered moving their money, demonstrating the power of synthetic content to incite financial instability. The findings highlight the potential for low-cost influence operations to trigger bank runs and the financial sector\u2019s lack of preparedness against such threats. 
<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.saynotodisinfo.com\/_files\/ugd\/438ee6_d9f4506bfd2e43218b96f716bae91ce1.pdf\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Threat actor leaks Orange Group information from Romania<\/strong><br> On February 25, a threat actor claimed to have stolen almost 6.5\u00a0GB of data from Orange Group, specifically from Orange Romania. The leak mainly affects employees, partners, and contractors, as well as some customers. The data contains e-mail addresses, source code, invoices, contracts, and customer and employee information. However, according to BleepingComputer, which analysed some of the leaked information, most of it appears to be outdated or expired. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/orange-group-confirms-breach-after-hacker-leaks-company-documents\/\">link<\/a> <\/p><p><strong>Bulgarian Supreme Administrative Court victim of ransomware<\/strong><br> On February 25, Bulgarian media reported a ransomware intrusion and data breach impacting a Bulgarian parliamentary committee of the Supreme Administrative Court. 3.5TB of data were allegedly exfiltrated, containing documents and information related to judges, including personally identifiable information, and human resources documents. The Acting Chairman of Bulgaria\u2019s Supreme Administrative Court confirmed the ransomware intrusion and stated the court was investigating the possibility that the data had been leaked online. 
<code>justice<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/offnews.bg\/temida\/hakerska-grupa-iztochi-danni-ot-sistemite-na-vas-i-gi-publikuva-onlajn-839467.html\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Japan approves Cyber Defence Bill to counter sophisticated threats<\/strong><br> On February 7, Japan's Cabinet approved the Cyber Response Capability Enhancement Bill to strengthen defences against sophisticated cyberattacks targeting critical infrastructure. This legislation aligns with the National Security Strategy (December 2022) and incorporates expert recommendations from November 29, 2024. The bill includes active cyber defence measures, such as proactively detecting threats and shutting down enemy servers during an incident to mitigate potential harm. <code>japan<\/code> <code>legislation<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cas.go.jp\/jp\/seisaku\/cyber_anzen_hosyo_torikumi\/index.html\">link<\/a> <\/p><p><strong>Australian government bans Kaspersky products from government systems<\/strong><br> On February 17, the Australian government announced it would ban all Kaspersky products from government systems, citing national security risks. The decision follows concerns over potential access by Russian intelligence services to sensitive data. Australia joins other nations in restricting the use of Kaspersky software in critical infrastructure and public sector networks. 
<code>russia<\/code> <code>legislation<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.protectivesecurity.gov.au\/system\/files\/2025-02\/PSPF-Direction-002-2025.pdf\">link<\/a> <\/p><p><strong>The Atlantic: Musk\u2019s DOGE poses cybersecurity risks to US federal systems<\/strong><br> According to a report by The Atlantic on February 7, Elon Musk's Department of Government Efficiency (DOGE) has accessed critical US federal IT systems, including those of the Treasury Department and Office of Personnel Management. Cybersecurity experts warn that DOGE\u2019s untrained personnel could unintentionally or deliberately compromise these systems, posing national security risks. The full impact is unclear, but concerns grow over data breaches, system disruptions, and long-term cybersecurity threats. <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theatlantic.com\/technology\/archive\/2025\/02\/elon-musk-doge-security\/681600\/\">link<\/a> <\/p><p><strong>Hegseth orders Cyber Command to stand down on Russia planning<\/strong><br> On February 28, The Record reported that Defense Secretary Pete Hegseth ordered US Cyber Command to halt all planning against Russia, including offensive cyber operations. This directive, issued to Cyber Command Chief General Timothy Haugh, does not affect the National Security Agency's intelligence activities targeting Russia. The move aligns with the administration's efforts to normalise relations with Moscow. <code>russia<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/hegseth-orders-cyber-command-stand-down-russia-planning\">link<\/a> <\/p><p><strong>Trump administration retreats in fight against Russian cyber threats<\/strong><br> On February 28, The Guardian reported that the Trump administration is downplaying Russia's cyber threat, diverging from longstanding intelligence assessments. 
This shift was evident when State Department official Liesyl Franz named China and Iran as cyber threats but omitted Russia. Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has reportedly been directed to deprioritise reporting on Russian cyber threats. <code>russia<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/us-news\/2025\/feb\/28\/trump-russia-hacking-cyber-security\">link<\/a> <\/p><p><strong>Google Cloud introduces quantum-safe digital signatures in Cloud KMS<\/strong><br> On February 21, Google announced the integration of quantum-safe digital signature algorithms into its Cloud Key Management Service (Cloud KMS). This enhancement offers software and hardware support for standardised quantum-safe algorithms, facilitating a seamless migration path for existing keys and protocols. The update aims to protect sensitive data from future quantum computing threats, aligning with NIST's post-quantum cryptography standards. <code>quantum computing<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/announcing-quantum-safe-digital-signatures-in-cloud-kms\">link<\/a> <\/p><p><strong>8Base ransomware site taken down as Thai authorities arrest four connected to operation<\/strong><br> On February 10, authorities dismantled the 8Base ransomware group's leak site and arrested four European suspects in Phuket, Thailand. The suspects are accused of extorting 16 million US dollars from over 1.000 victims worldwide. This operation, dubbed PHOBOS AETOR, involved multiple international law enforcement agencies. 
<code>arrests<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/8base-ransomware-site-taken-down-4-arrested\">link<\/a> <\/p><p><strong>US sanctions LockBit ransomware\u2019s bulletproof hosting provider<\/strong><br> On February 11, the US, Australia, and the UK imposed sanctions on Russia-based Zservers, a bulletproof hosting provider enabling LockBit ransomware operations. The action targets the infrastructure used for cyberattacks, aiming to disrupt ransomware ecosystems. This coordinated effort follows previous sanctions against LockBit actors, reinforcing international pressure on cybercriminal networks operating from Russia. <code>ransomware<\/code> <code>russia<\/code> <code>sanctions<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sb0018\">link<\/a> <\/p><h3 id=\"cyberespionage-2\">Cyberespionage<\/h3><p><strong>Salt Typhoon continues targeting telecommunications and education sector worldwide<\/strong><br> On February 13, Recorded Future reported on Salt Typhoon\u2019s continuing operations against the telecommunications sector, as well as education, despite the exposure of its activities in recent months. Between December 2024 and January 2025, the group was identified exploiting unpatched Cisco network devices worldwide. The targets included telecommunications providers in the US, the UK, and South Africa, and universities in several countries, possibly to access research in telecommunications, engineering, and technology. 
<code>china<\/code> <code>education<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/go.recordedfuture.com\/hubfs\/reports\/cta-cn-2025-0213.pdf\">link<\/a> <\/p><p><strong>China-linked APT41 targets Japanese firms in RevivalStone cyberespionage campaign<\/strong><br> On February 18, Japanese cybersecurity company LAC reported that China-linked APT41 targeted the Japanese manufacturing, materials, and energy sectors in a campaign dubbed RevivalStone. Active since at least 2012, the group (also tracked as Winnti) deployed new malware variants in 2024, exploiting an SQL injection vulnerability in an ERP system to drop web shells. The group used stolen certificates and rootkits for persistence and covert access. <code>china<\/code> <code>japan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lac.co.jp\/lacwatch\/report\/20250213_004283.html\">link<\/a> <\/p><p><strong>Emerald Sleet uses PowerShell exploits to target international affairs professionals and NGOs<\/strong><br> On February 11, Microsoft reported that North Korea-linked Kimsuky, also known as Emerald Sleet, is using a tactic in which victims are deceived into running PowerShell as an administrator and executing malicious code. This facilitates data exfiltration via a remote desktop tool. The group primarily targets individuals working in international affairs, particularly those focused on Northeast Asia, in America, Europe, and East Asia. <code>civil society<\/code> <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/MsftSecIntel\/status\/1889407814604296490\">link<\/a> <\/p><p><strong>Journalists and civil society members targeted on WhatsApp by Israeli spyware<\/strong><br> On January 31, WhatsApp announced that 90 journalists and civil society members were targeted by spyware from the Israeli company Paragon Solutions. 
The attack was a \"zero-click\", meaning the victims were possibly compromised by simply receiving the malicious PDF file that served as a vector. An Italian and a Swedish journalist were among the victims notified by WhatsApp. <code>civil society<\/code> <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/technology\/2025\/jan\/31\/whatsapp-israel-spyware\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Cybercrime<\/h3><p><strong>Chinese espionage tools used in ransomware attack on Asian firm<\/strong><br> On February 13, Symantec reported that tools typically linked to China-based espionage actors were used in a ransomware attack against an Asian software and services company. In late 2024, the attacker deployed a distinct toolset, including a PlugX variant, previously associated with Chinese espionage activities. This suggests potential crossover between state-sponsored espionage and cybercrime operations. <code>china<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.security.com\/threat-intelligence\/chinese-espionage-ransomware\">link<\/a> <\/p><p><strong>DeepSeek-themed malware campaign uses ClickFix technique to spread Vidar stealer<\/strong><br> On February 25, Zscaler's ThreatLabz reported a malware campaign impersonating DeepSeek to distribute the Vidar stealer using the ClickFix technique. Attackers trick users with a fake CAPTCHA, which injects PowerShell commands via clipboard manipulation, leading to malware execution. The campaign exploits DeepSeek's popularity to deceive users and steal sensitive data. 
<code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/deepseek-lure-using-captchas-spread-malware\">link<\/a> <\/p><p><strong>Lazarus Group deploys Marstech1 JavaScript implant in targeted developer attacks<\/strong><br> On February 14, SecurityScorecard linked the Lazarus Group to a new JavaScript implant, Marstech1, used in targeted attacks against developers. Delivered via a now-removed GitHub profile, the malware collects system data and manipulates browser settings, targeting cryptocurrency wallets like MetaMask. The implant has infected 233 confirmed victims across the US, Europe, and Asia, posing a supply chain risk through NPM packages. <code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securityscorecard.com\/wp-content\/uploads\/2025\/02\/Operation-Marstech-Mayhem-Report_021025_03.pdf\">link<\/a> <\/p><p><strong>Bybit crypto exchange suffers largest cryptocurrency theft in history<\/strong><br> On February 21, Bybit, a Dubai-based cryptocurrency exchange, experienced a security breach resulting in the theft of approximately 1.46 billion US dollars in crypto assets. Initial reports suggest that malware was used to trick the exchange into approving unauthorised transactions. This incident surpasses previous records, marking it as the largest cryptocurrency theft to date. Blockchain analytics firm Elliptic attributed the attack to North Korea\u2019s Lazarus group, citing transaction patterns linked to previous hacks. 
<code>north korea<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.elliptic.co\/blog\/bybit-hack-largest-in-history\">link<\/a> <\/p><p><strong>Massive botnet exploits Basic Authentication to target Microsoft 365 accounts<\/strong><br> On February 24, SecurityScorecard researchers reported on a massive botnet of over 130,000 compromised devices conducting password-spray attacks on Microsoft 365 accounts using Basic Authentication, which will be deprecated in September. The attackers exploit credentials stolen by infostealer malware, targeting non-interactive sign-ins, which do not trigger MFA alerts, and exploiting environments where Basic Authentication remains enabled. <code>botnet<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securityscorecard.com\/research\/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks\/\">link<\/a> <\/p><p><strong>New macOS infostealer distributed via Fake Update campaign<\/strong><br> On February 18, Proofpoint reported that a new macOS infostealer, FrigidStealer, had been deployed by threat actor TA2727 in collaboration with TA2726 and TA569. The malware is delivered via fake browser update pages and is part of a broader campaign which also targets Windows and Android devices. According to Proofpoint, TA569, previously known for SocGholish malware, has shifted to working with other actors to distribute new payloads globally. <code>stealer<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.infosecurity-magazine.com\/news\/proofpoint-frigidstealer-new-mac\/\">link<\/a> <\/p><p><strong>New Lumma stealer campaign uses compromised educational infrastructure to target various sectors<\/strong><br> On February 14, CloudSEK security researchers reported on a Lumma Stealer malware campaign exploiting compromised educational infrastructure to distribute malicious LNK files disguised as PDFs. 
This campaign targeted the finance, healthcare, technology, and media sectors and reportedly steals passwords, browser data, and crypto wallets. These LNK files, when executed, initiate a multistage infection process leading to the deployment of Lumma stealer. <code>education<\/code> <code>finance<\/code> <code>health<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cloudsek.com\/blog\/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure\">link<\/a> <\/p><p><strong>Brute-force attacks target VPN devices using 2.8 million IPs<\/strong><br> On February 7, ShadowServer reported that a large-scale brute-force attack was underway, utilising nearly 2.8 million IP addresses to target internet-exposed networking devices from vendors such as Palo Alto Networks, Ivanti, and SonicWall. The attack aims to guess device credentials to gain initial access to network devices. Many of the attacking IPs are linked to compromised routers and IoT devices, indicating a widespread botnet operation. <code>brute-force<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/Shadowserver\/status\/1887790995191763051\">link<\/a> <\/p><p><strong>New XCSSET macOS variant targeting Xcode<\/strong><br> On February 17, Microsoft reported on a new variant of the XCSSET malware that targets macOS by infecting Xcode projects. This variant introduces enhanced obfuscation, updated persistence mechanisms using zshrc and dock methods, and new infection techniques. The malware continues to target digital wallets, Notes app data, and system files. Limited attacks have been observed, but its capabilities highlight ongoing macOS security risks. 
<code>malware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/MsftSecIntel\/status\/1891410993265123662\">link<\/a> <\/p><p><strong>Microsoft removes popular VSCode extensions over security concerns<\/strong><br> On February 26, Microsoft removed two widely used Visual Studio Code extensions, 'Material Theme \u2013 Free' and 'Material Theme Icons \u2013 Free,' from the Visual Studio Marketplace due to alleged malicious code. Cybersecurity researchers Amit Assaraf and Itay Kruk identified suspicious code in these extensions, leading to their removal. The publisher, Mattia Astorino (aka equinusocio), claims the issue stems from an outdated dependency. Users now receive alerts in VSCode that the extensions have been automatically disabled. <code>technology<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/extensiontotal\/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26\">link<\/a> <\/p><h3 id=\"information-operations-2\">Information operations<\/h3><p><strong>OpenAI bans accounts misusing ChatGPT for surveillance and influence campaigns<\/strong><br> On February 21, OpenAI announced the removal of accounts from China and North Korea that misused ChatGPT for malicious activities, including surveillance and opinion-influence operations. These actors generated anti-US news articles in Spanish and created fictitious job profiles to secure employment at Western firms. OpenAI continues to monitor and prevent such policy violations. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/openai.com\/global-affairs\/disrupting-malicious-uses-of-ai\/\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Conclusions or attributions made in this document merely reflect what publicly available sources report. 
They do not reflect our stance.&#160;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <div id=\"content-ro\" class=\"lang-content\" style=\"display: none;\">\n            <div class=\"article-content\"><h2 id=\"cyber-brief-february-2025\">Cyber Brief (February 2025)<\/h2><p>3 March 2025 - Version: 1<\/p><p class=\"tlp-type clear\">TLP:CLEAR<\/p><h2 id=\"executive-summary\">Executive summary<\/h2><ul><li><p>We analysed 433 open source reports for this Cyber Brief<sup class=\"footnote-ref\" id=\"fnref-1\"><a href=\"#fn-1\">1<\/a><\/sup>.<\/p><\/li><li><p><strong>Policy, cooperation and law enforcement<\/strong>. The EU aims to strengthen its response to large-scale cyber incidents, Sweden and the United Kingdom seek backdoor access from private companies, and a former Polish Minister of Justice has been arrested in the Pegasus spyware case. Furthermore, the US stands down on cyber planning against Russia, Japan approves the Cyber Defense Bill to counter sophisticated threats, the Australian government bans Kaspersky products from government systems, and several police operations result in the arrest of cybercriminals.<\/p><\/li><li><p><strong>Cyberespionage<\/strong>. China-linked threat actors compromised the email exchanges of the Belgian State Security Service, as well as telecommunications worldwide. Sandworm, the Russia-linked threat actor, was active in targeting critical infrastructure in Europe. 
Multiple Russian threat actors targeted Microsoft device code authentication and Signal Messenger across several sectors, including defence. Pegasus spyware infected at least one EU government official, while another Israeli spyware targeted EU civil society, and North Korea continues to target developers.<\/p><\/li><li><p><strong>Cybercrime<\/strong>. The Belgian port of Ostend was the victim of a cyberattack, China-linked threat actors were active in cybercrime worldwide, as was the North Korea-linked Lazarus group, which carried out what is considered the largest cryptocurrency theft in history.<\/p><\/li><li><p><strong>Information operations<\/strong>. The China-linked Spamouflage operation targets the Spanish government, and a report analysed the impact of AI-driven disinformation on financial destabilisation. OpenAI removed accounts from China and North Korea that misused ChatGPT for malicious activities.<\/p><\/li><li><p><strong>Data exposure and leaks<\/strong>. Orange Group was the victim of a hack-and-leak attack in Romania, as was the Supreme Administrative Court of Bulgaria.<\/p><\/li><\/ul><h2 id=\"europe\">Europe<\/h2><h3 id=\"cyber-policy-and-law-enforcement\">Cyber policy and law enforcement<\/h3><p><strong>EU Commission proposes new cybersecurity blueprint to improve crisis coordination<\/strong><br>On February 24, the European Commission unveiled a proposal to strengthen the EU's response to large-scale cyber incidents. 
The updated blueprint outlines the roles of EU entities throughout the crisis lifecycle, emphasising preparedness, detection, response and recovery. It also promotes collaboration between the civilian and military sectors, including NATO, and aligns with initiatives such as the Critical Infrastructure Blueprint. The proposal aims to strengthen collective cyber resilience across member states. <code>legislation<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/news\/commission-launches-new-cybersecurity-blueprint-enhance-eu-cyber-crisis-coordination\">link<\/a> <\/p><p><strong>Swedish government seeks backdoor access to encrypted messaging apps<\/strong><br>On February 24, the Swedish government proposed legislation requiring messaging providers to grant law enforcement access to encrypted communications. The proposal, citing national security concerns, targets apps such as Signal and WhatsApp. Signal opposed the measure, stating that it would leave Sweden if the law were adopted. 
Sweden joins other European nations debating similar laws on law enforcement access to encrypted data. <code>backdoor<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.svt.se\/nyheter\/inrikes\/signal-lamnar-sverige-om-regeringens-forslag-pa-datalagring-klubbas\">link<\/a> <\/p><p><strong>Apple removes Advanced Data Protection in the UK amid government demands<\/strong><br>On February 21, Apple announced the discontinuation of its Advanced Data Protection (ADP) feature for new users in the UK, with the intention of asking existing users to disable it in the near future. This decision follows demands from UK security services for backdoor access to encrypted iCloud backups. Despite this change, services such as iMessage, FaceTime, health data and iCloud Keychain will continue to be end-to-end encrypted in the UK. <code>backdoor<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theverge.com\/news\/617273\/apple-removes-encryption-advanced-data-protection-adp-uk-spying-backdoor\">link<\/a><\/p><p><strong>UK government proposes ransomware legislation to reduce payments and boost reporting<\/strong><br>On February 19, the UK Home Office reported on the British government's consultation on ransomware legislation, intended to reduce payments to cybercriminals and increase incident reporting. 
The proposed measures aim to limit the financial incentives for attackers, improve intelligence on ransomware transactions and enhance the government's response capabilities. The consultation remains open until April 8, 2025, with responses invited from stakeholders. <code>legislation<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.gov.uk\/government\/consultations\/ransomware-proposals-to-increase-incident-reporting-and-reduce-payments-to-criminals\">link<\/a> <\/p><p><strong>Former Polish justice minister arrested in Pegasus spyware case<\/strong><br>On January 31, Polish police arrested former Minister of Justice Zbigniew Ziobro, accusing him of approving the use of government funds for the Pegasus spyware to surveil opposition leaders. This follows the earlier arrest of the former head of the Internal Security Agency, Piotr Pogonowski. <code>psoa<\/code> <code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/poland-spyware-former-justice-minister-arrested\">link<\/a> <\/p><p><strong>Joint operation between the Netherlands and the United States to disrupt cybercrime group<\/strong><br>On January 29, Dutch and US authorities launched &ldquo;Operation Heart Blocker&rdquo; against a Pakistan-based cybercrime group named Saim Raza, also known as &ldquo;The Manipulaters&rdquo;. 
The group operated online marketplaces selling hacking tools, including spam and phishing services, to thousands of customers, resulting in losses of over 3 million US dollars. Their tools were used by organised crime groups to carry out business email compromise (BEC) schemes. <code>pakistan<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.politie.nl\/nieuws\/2025\/januari\/27\/09-verstoringsactie-deelt-klap-uit-aan-crimineel-cybernetwerk-heartsender.html\">link<\/a> <\/p><p><strong>Spanish police arrest suspect in cyberattacks against Spanish and international government organisations<\/strong><br>On February 5, Spanish police arrested an individual suspected of conducting 40 cyberattacks against public and private organisations, including the Spanish Guardia Civil and Ministry of Defence, the US Army, NATO and the UN. <code>arrest<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.policia.es\/_es\/politicaCookies.php\">link<\/a> <\/p><h3 id=\"cyberespionage\">Cyberespionage<\/h3><p><strong>China-linked threat actors compromised email exchanges of the Belgian State Security Service<\/strong><br>On February 26, the newspaper Le Soir revealed that Chinese threat actors compromised the email exchanges of the Belgian State Security Service (VSSE) between 2021 and 2023. 
The threat actors exploited a vulnerability in the email system of a US software vendor, Barracuda, which had been reported previously in 2023 and which was used by the Belgian intelligence organisation as well as by the Belgian organisation that monitors maritime pipelines in Belgium. <code>china<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lesoir.be\/657866\/article\/2025-02-26\/des-hackers-chinois-ont-vole-des-donnees-sensibles-la-surete-de-letat\">link<\/a> <\/p><p><strong>Multiple Russian threat actors targeting Microsoft device code authentication<\/strong><br>On February 13, Volexity reported that multiple Russian threat actors targeted Microsoft 365 accounts using device code authentication phishing. These campaigns involved spear-phishing emails impersonating various organisations such as the European Parliament, the US Department of State and the Ukrainian Ministry of Defence. The attackers aimed to trick users into entering codes that granted unauthorised access to their accounts. Volexity tracks these campaigns under three threat actors, including CozyLarch. <code>diplomacy<\/code> <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.volexity.com\/blog\/2025\/02\/13\/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication\/\">link<\/a> <\/p><p><strong>Sandworm APT targets Ukrainian users with trojanized Microsoft KMS activation tools<\/strong><br>On February 11, EclecticIQ reported that Sandworm (APT44), linked to Russia's GRU, is conducting cyberespionage against Ukrainian Windows users. 
Since late 2023, they have distributed fake Microsoft Key Management Service activators and fake Windows updates to deploy the BACKORDER loader, which installs the Dark Crystal RAT (DcRAT) malware. This campaign exploits Ukraine's reliance on unlicensed software, posing significant risks to national security and critical infrastructure. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/blog.eclecticiq.com\/sandworm-apt-targets-ukrainian-users-with-trojanized-microsoft-kms-activation-tools-in-cyber-espionage-campaigns\">link<\/a> <\/p><p><strong>Microsoft uncovers BadPilot campaign by Russian Seashell Blizzard subgroup<\/strong><br>On February 12, Microsoft revealed that a subgroup within the Russian state actor Seashell Blizzard (aka Sandworm) has been conducting a multi-year global access operation, named the &ldquo;BadPilot campaign&rdquo;. 
This subgroup exploited vulnerabilities in internet-facing infrastructure to persist on high-value targets in sectors such as energy, telecommunications and government, expanding its operations beyond Eastern Europe since at least 2021. <code>energy<\/code> <code>russia<\/code> <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2025\/02\/12\/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation\/\">link<\/a><\/p><p><strong>CERT-UA analysis complements Microsoft's findings on Sandworm's BadPilot campaign<\/strong><br>On February 23, CERT-UA reported that UAC-0212, a subcluster of Russia's GRU-linked Sandworm group, targeted supplier companies in Serbia, the Czech Republic and Ukraine between July 2024 and February 2025. CERT-UA's findings complement Microsoft's BadPilot assessment by detailing phishing-based attacks and client-side initial access methods that rely on malicious PDFs and CVE-2024-38213. CERT-UA reports that the campaign aimed to compromise critical infrastructure service providers. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cert.gov.ua\/article\/6282517\">link<\/a> <\/p><p><strong>Multiple Russia-aligned threat actors actively targeting Signal Messenger<\/strong><br>On February 20, Google Threat Intelligence Group reported that Russian state-aligned threat actors are targeting the Signal Messenger accounts of individuals of interest to Russia's intelligence services. 
These actors abuse Signal's &ldquo;linked devices&rdquo; feature by sending malicious QR codes which, when scanned, link the victim's account to an attacker-controlled device, enabling real-time message interception. Signal has since updated its app to strengthen protection against such phishing attacks. <code>russia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/russia-targeting-signal-messenger\/?hl=en\">link<\/a> <\/p><p><strong>Pegasus spyware infected private-sector devices and at least one European government official<\/strong><br>On February 19, iVerify, a US cybersecurity firm, reported new detections of Pegasus spyware on 11 of 18,000 devices tested in December, including those of business executives in real estate, logistics and finance, as well as a European government official. The findings suggest a broader use of commercial spyware beyond civil society targets. Some victims had been monitored for years using multiple Pegasus variants. <code>finance<\/code> <code>psoa<\/code> <code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/iverify.io\/blog\/how-democratizing-threat-hunting-is-changing-mobile-security\">link<\/a> <\/p><p><strong>Cellebrite zero-day exploit used to target phone of Serbian student activist<\/strong><br>On February 28, Amnesty International's Security Lab reported that Serbian authorities exploited a zero-day vulnerability in Cellebrite software to access the phone of a student activist. 
This sophisticated attack targeted USB drivers in Android devices, enabling unauthorised access. Despite earlier reports of abuse, Serbian security services continue to use such tactics against civil society. In response, Cellebrite has suspended the use of its products by certain Serbian customers. <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securitylab.amnesty.org\/latest\/2025\/02\/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist\/\">link<\/a> <\/p><h3 id=\"cybercrime\">Cybercrime<\/h3><p><strong>Italian tycoons scammed by AI-generated voice of minister<\/strong><br>On February 9, the Financial Times reported that Italian tycoons were targeted by an AI-based scam in which fraudsters used a fake voice of Defence Minister Guido Crosetto to solicit ransom payments for kidnapped journalists. Some business leaders were contacted, and at least one transferred 1 million euros. Authorities suspect phone number spoofing, and the Bank of Italy denied any involvement. The case echoes past high-profile scams. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.ft.com\/content\/8e911f1e-6eb7-4e8e-b4e0-3aba62575f23\">link<\/a><\/p><p><strong>Belgian port of Ostend victim of cyberattack<\/strong><br>On February 12, the Belgian port of Ostend announced that it had been the victim of a cyberattack on February 10 and filed a complaint with the federal government. 
The Centre for Cybersecurity Belgium (CCB) is leading a team of internal and external cybersecurity experts to resolve the issue. The attack targeted a system that records ship movements and crew lists, named Ensor. <code>transport<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.belganewsagency.eu\/port-of-ostend-files-police-complaint-after-cyberattack\">link<\/a> <\/p><p><strong>Green Nailao ransomware campaign targets European healthcare sector<\/strong><br>On February 18, Orange Cyberdefense CERT reported on a ransomware campaign, &ldquo;Green Nailao&rdquo;, targeting European organisations, in particular healthcare, between June and October 2024. The attack exploited CVE-2024-24919 to deploy the ShadowPad and PlugX backdoors, subsequently delivering the previously undocumented NailaoLocker. Researchers assess with medium confidence that the activity aligns with Chinese threat actors, but it remains unattributed to a known group. <code>china<\/code> <code>health<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.orangecyberdefense.com\/global\/blog\/cert-news\/meet-nailaolocker-a-ransomware-distributed-in-europe-by-shadowpad-and-plugx-backdoors\">link<\/a> <\/p><h3 id=\"information-operations\">Information operations<\/h3><p><strong>China-linked Spamouflage operation targets Spanish government<\/strong><br>On January 29, Graphika, a US social media analysis company, published a report describing a China-linked social media operation, named Spamouflage, targeting the Spanish government. 
Masquerading as Safeguard Defenders, a Madrid-based NGO, the threat actors called for the overthrow of the Spanish government. Spamouflage has been operating since at least 2017, targeting countries and voters worldwide, including in Europe and the US. <code>china<\/code> <code>public administration<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.reuters.com\/world\/chinese-online-influence-operation-called-overthrow-spains-government-graphika-2025-01-29\/\">link<\/a> <\/p><p><strong>Report on the impact of AI-based disinformation says disinformation campaigns can cause financial destabilisation<\/strong><br>On February 14, Say No to Disinfo and Fenimore Harper Communications released a report on the impact of AI-driven disinformation on financial destabilisation. A simulated campaign targeting UK banks showed that 60.8% of the people exposed considered moving their money, demonstrating the power of synthetic content to incite financial instability. 
The findings highlight the potential for low-cost influence operations to trigger bank runs, and the financial sector's lack of preparedness against such threats. <code>artificial intelligence<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.saynotodisinfo.com\/_files\/ugd\/438ee6_d9f4506bfd2e43218b96f716bae91ce1.pdf\">link<\/a> <\/p><h3 id=\"data-exposure-and-leaks\">Data exposure and leaks<\/h3><p><strong>Threat actor leaks information on Orange Group in Romania<\/strong><br>On February 25, a threat actor claimed to have stolen almost 6.5&nbsp;GB of data from Orange Group, in particular from Orange Romania. The leak mainly affects employees, partners and contractors, as well as some customers. The data contains email addresses, source code, invoices, contracts, and customer and employee information. However, according to BleepingComputer, which analysed some of the leaked information, most of it appears to be outdated or expired. <code>telecommunications<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/orange-group-confirms-breach-after-hacker-leaks-company-documents\/\">link<\/a> <\/p><p><strong>Supreme Administrative Court of Bulgaria victim of ransomware<\/strong><br>On February 25, Bulgarian media reported on a ransomware intrusion and data breach affecting a Bulgarian parliamentary commission of the Supreme Administrative Court. 
An alleged 3.5 TB of data were exfiltrated, containing documents and information related to judges, including personally identifiable information and human resources documents. The acting President of Bulgaria's Supreme Administrative Court confirmed the ransomware intrusion and stated that the court is investigating the possibility that the data has been leaked online. <code>justice<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/offnews.bg\/temida\/hakerska-grupa-iztochi-danni-ot-sistemite-na-vas-i-gi-publikuva-onlajn-839467.html\">link<\/a> <\/p><h2 id=\"world\">World<\/h2><h3 id=\"cyber-policy-and-law-enforcement-2\">Cyber policy and law enforcement<\/h3><p><strong>Japan approves Cyber Defense Bill to counter sophisticated threats<\/strong><br>On February 7, Japan's Cabinet approved the bill to improve cyber response capability, in order to strengthen defences against sophisticated cyberattacks targeting critical infrastructure. This legislation aligns with the National Security Strategy (December 2022) and incorporates expert recommendations from November 29, 2024. 
The bill includes active cyber defence measures, such as proactive threat detection and the shutdown of hostile servers during an incident to mitigate potential damage. <code>japan<\/code> <code>legislation<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cas.go.jp\/jp\/seisaku\/cyber_anzen_hosyo_torikumi\/index.html\">link<\/a> <\/p><p><strong>Australian government bans Kaspersky products from government systems<\/strong><br>On February 17, the Australian government announced that it will ban all Kaspersky products from government systems, citing national security risks. The decision follows concerns about potential access by Russian intelligence services to sensitive data. Australia joins other nations in restricting the use of Kaspersky software in critical infrastructure and public sector networks. <code>russia<\/code> <code>legislation<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.protectivesecurity.gov.au\/system\/files\/2025-02\/PSPF-Direction-002-2025.pdf\">link<\/a> <\/p><p><strong>Atlantic: Musk's DOGE poses cybersecurity risks to US federal systems<\/strong><br>According to a February 7 report by The Atlantic, Elon Musk's Department of Government Efficiency (DOGE) has accessed critical US federal computer systems, including those of the Treasury Department and the Office of Personnel Management. Cybersecurity experts warn that untrained DOGE personnel could unintentionally or deliberately compromise these systems, posing national security risks. 
The full impact is unclear, but concerns are growing about data breaches, system outages and long-term threats to cybersecurity. <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theatlantic.com\/technology\/archive\/2025\/02\/elon-musk-doge-security\/681600\/\">link<\/a> <\/p><p><strong>Hegseth orders Cyber Command to stand down on Russia planning<\/strong><br>On February 28, The Record reported that Defense Secretary Pete Hegseth ordered US Cyber Command to halt all planning against Russia, including offensive cyber operations. This directive, issued to Cyber Command chief General Timothy Haugh, does not affect the National Security Agency's intelligence activities targeting Russia. The move aligns with the administration's efforts to normalise relations with Moscow. <code>russia<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/hegseth-orders-cyber-command-stand-down-russia-planning\">link<\/a> <\/p><p><strong>Trump administration retreats in the fight against Russian cyber threats<\/strong><br>On February 28, The Guardian reported that the Trump administration is downplaying Russia's cyber threat, diverging from long-standing intelligence assessments. This shift was evident when State Department official Liesyl Franz named China and Iran as cyber threats but omitted Russia. 
Additionally, the Cybersecurity and Infrastructure Security Agency (CISA) has reportedly been directed to deprioritise reporting on cyber threats from Russia. <code>russia<\/code> <code>united states<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/us-news\/2025\/feb\/28\/trump-russia-hacking-cyber-security\">link<\/a> <\/p><p><strong>Google Cloud introduces quantum-safe digital signatures in Cloud KMS<\/strong><br>On February 21, Google announced the integration of quantum-safe digital signature algorithms into its Cloud Key Management Service (Cloud KMS). This enhancement provides software and hardware support for standardised quantum-safe algorithms, facilitating a seamless migration path for existing keys and protocols. The update aims to protect sensitive data from future quantum computing threats, aligning with NIST's post-quantum cryptography standards. <code>quantum computing<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/cloud.google.com\/blog\/products\/identity-security\/announcing-quantum-safe-digital-signatures-in-cloud-kms\">link<\/a> <\/p><p><strong>8Base ransomware site taken down as Thai authorities arrest four people connected to the operation<\/strong><br>On February 10, authorities dismantled the leak site of the 8Base ransomware group and arrested four European suspects in Phuket, Thailand. The suspects are accused of extorting 16 million dollars from over 1,000 victims worldwide. 
Aceast&#259; opera&#539;iune, denumit&#259; PHOBOS AETOR, a implicat mai multe agen&#539;ii interna&#539;ionale de aplicare a legii.<code>arest&#259;ri<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/therecord.media\/8base-ransomware-site-taken-down-4-arrested\">link<\/a> <\/p><p><strong>SUA sanc&#539;ioneaz&#259; furnizorul de g&#259;zduire antiglon&#539; al ransomware-ului LockBit<\/strong><br>Pe 11 februarie, SUA, Australia &#537;i Marea Britanie au impus sanc&#539;iuni &icirc;mpotriva Zservers cu sediul &icirc;n Rusia, un furnizor de g&#259;zduire care permite opera&#539;iunile de ransomware LockBit. Ac&#539;iunea vizeaz&#259; infrastructura utilizat&#259; pentru atacuri cibernetice, cu scopul de a perturba ecosistemele ransomware. Acest efort coordonat urmeaz&#259; sanc&#539;iunile anterioare &icirc;mpotriva actorilor LockBit, &icirc;nt&#259;rind presiunea interna&#539;ional&#259; asupra re&#539;elelor criminale cibernetice care opereaz&#259; din Rusia.<code>ransomware<\/code> <code>rusia<\/code> <code>sanc&#539;iuni<\/code> <code>state unite<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/home.treasury.gov\/news\/press-releases\/sb0018\">link<\/a> <\/p><h3 id=\"cyberespionage-2\">Spionajul cibernetic<\/h3><p><strong>Salt Typhoon continu&#259; s&#259; vizeze sectorul telecomunica&#539;iilor &#537;i al educa&#539;iei la nivel mondial<\/strong><br>Pe 13 februarie, Recorded Future a raportat despre opera&#539;iunile continue ale Salt Typhoon care vizeaz&#259; sectorul telecomunica&#539;iilor, precum &#537;i educa&#539;ia, &icirc;n ciuda faptului c&#259; activit&#259;&#539;ile lor au fost descoperite &icirc;n ultimele luni. &Icirc;ntre decembrie 2024 &#537;i ianuarie 2025, ace&#537;tia au fost identifica&#539;i exploat&acirc;nd dispozitive de re&#539;ea Cisco nepatchate la nivel mondial. 
&#538;intele au inclus furnizori de telecomunica&#539;ii din SUA, Marea Britanie &#537;i Africa de Sud, universit&#259;&#539;i din mai multe &#539;&#259;ri, posibil pentru a accesa cercetarea &icirc;n telecomunica&#539;ii, inginerie &#537;i tehnologie.<code>China<\/code> <code>educa&#539;ie<\/code> <code>telecomunica&#539;ii<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/go.recordedfuture.com\/hubfs\/reports\/cta-cn-2025-0213.pdf\">link<\/a> <\/p><p><strong>APT41 legat de China vizeaz&#259; firmele japoneze &icirc;n campania de spionaj cibernetic RevivalStone<\/strong><br>Pe 18 februarie, compania japonez&#259; de securitate cibernetic&#259; LAC a raportat c&#259; APT41, legat de China, a vizat sectoarele japoneze de produc&#539;ie, materiale &#537;i energie &icirc;ntr-o campanie numit&#259; RevivalStone. Activ din 2012 cel pu&#539;in, Winnti a implementat noi variante de malware &icirc;n 2024, exploat&acirc;nd o vulnerabilitate de injectare SQL &icirc;ntr-un sistem ERP pentru a arunca shell-uri web. Grupul a folosit certificate &#537;i rootkit-uri furate pentru persisten&#539;&#259; &#537;i acces ascuns.<code>China<\/code> <code>Japonia<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.lac.co.jp\/lacwatch\/report\/20250213_004283.html\">link<\/a> <\/p><p><strong>Emerald Sleet folose&#537;te exploat&#259;rile PowerShell pentru a viza profesioni&#537;tii din domeniul afacerilor interna&#539;ionale &#537;i ONG-urile<\/strong><br>Pe 11 februarie, Microsoft a raportat c&#259; Kimsuky, legat de Coreea de Nord, cunoscut &#537;i sub numele de Emerald Sleet, folose&#537;te o tactic&#259; &icirc;n care victimele sunt &icirc;n&#537;elate s&#259; ruleze PowerShell ca administrator &#537;i s&#259; execute cod r&#259;u inten&#539;ionat. Acest lucru faciliteaz&#259; exfiltrarea datelor printr-un instrument desktop de la distan&#539;&#259;. 
Grupul vizeaz&#259; &icirc;n primul r&acirc;nd persoanele care lucreaz&#259; &icirc;n afaceri interna&#539;ionale, &icirc;n special pe cei concentra&#539;i pe Asia de Nord-Est, &icirc;n America, Europa &#537;i Asia de Est.<code>societatea civil&#259;<\/code> <code>coreea de nord<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/MsftSecIntel\/status\/1889407814604296490\">link<\/a> <\/p><p><strong>Jurnali&#537;ti &#537;i membri ai societ&#259;&#539;ii civile viza&#539;i pe WhatsApp de software-ul spion israelian<\/strong><br>Pe 31 ianuarie, WhatsApp a anun&#539;at c&#259; 90 de jurnali&#537;ti &#537;i membri ai societ&#259;&#539;ii civile au fost viza&#539;i de software-ul spion israelian Paragon Solutions. Atacul a fost un &bdquo;clic zero&rdquo;, ceea ce &icirc;nseamn&#259; c&#259; victimele au fost posibil compromise prin simpla primire a fi&#537;ierului PDF r&#259;u inten&#539;ionat care a servit ca vector. Un jurnalist italian &#537;i un suedez s-au num&#259;rat printre victimele sesizate prin WhatsApp.<code>societatea civil&#259;<\/code> <code>psoa<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.theguardian.com\/technology\/2025\/jan\/31\/whatsapp-israel-spyware\">link<\/a> <\/p><h3 id=\"cybercrime-2\">Crima cibernetic&#259;<\/h3><p><strong>Instrumente de spionaj chineze&#537;ti utilizate &icirc;n atacul ransomware asupra unei firme asiatice<\/strong><br>Pe 13 februarie, Symantec a raportat c&#259; instrumente legate de obicei de actori de spionaj din China au fost folosite &icirc;ntr-un atac ransomware &icirc;mpotriva unei companii asiatice de software &#537;i servicii. La sf&acirc;r&#537;itul anului 2024, atacatorul a desf&#259;&#537;urat un set de instrumente distinct, inclusiv o variant&#259; PlugX, asociat&#259; anterior cu activit&#259;&#539;ile de spionaj din China. 
Acest lucru sugereaz&#259; un poten&#539;ial &icirc;ncruci&#537;are &icirc;ntre opera&#539;iunile de spionaj sponsorizate de stat &#537;i opera&#539;iunile de criminalitate cibernetic&#259;.<code>China<\/code> <code>ransomware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.security.com\/threat-intelligence\/chinese-espionage-ransomware\">link<\/a> <\/p><p><strong>Campania de malware cu tematic&#259; DeepSeek folose&#537;te tehnica ClickFix pentru a r&#259;sp&acirc;ndi Vidar stealer<\/strong><br>Pe 25 februarie, ThreatLabz de la Zscaler a raportat o campanie de malware care uzurpa identitatea DeepSeek pentru a distribui furtul Vidar folosind tehnica ClickFix. Atacatorii p&#259;c&#259;lesc utilizatorii cu un CAPTCHA fals, care injecteaz&#259; comenzi PowerShell prin manipularea clipboard-ului, ceea ce duce la executarea programelor malware. Campania exploateaz&#259; popularitatea DeepSeek pentru a &icirc;n&#537;ela utilizatorii &#537;i a fura date sensibile.<code>inteligen&#539;&#259; artificial&#259;<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.zscaler.com\/blogs\/security-research\/deepseek-lure-using-captchas-spread-malware\">link<\/a> <\/p><p><strong>Lazarus Group implementeaz&#259; implantul JavaScript Marstech1 &icirc;n atacurile &#539;intite ale dezvoltatorilor<\/strong><br>Pe 14 februarie, SecurityScorecard a legat grupul Lazarus de un nou implant JavaScript, Marstech1, utilizat &icirc;n atacuri direc&#539;ionate &icirc;mpotriva dezvoltatorilor. Livrat printr-un profil GitHub acum eliminat, malware-ul colecteaz&#259; date de sistem &#537;i manipuleaz&#259; set&#259;rile browserului, viz&acirc;nd portofelele criptomonede precum MetaMask. 
Implantul a infectat 233 de victime confirmate din SUA, Europa &#537;i Asia, prezent&acirc;nd un risc pentru lan&#539;ul de aprovizionare prin pachetele NPM.<code>coreea de nord<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securityscorecard.com\/wp-content\/uploads\/2025\/02\/Operation-Marstech-Mayhem-Report_021025_03.pdf\">link<\/a> <\/p><p><strong>Bursa de criptomonede Bybit sufer&#259; cel mai mare furt de criptomonede din istorie<\/strong><br>Pe 21 februarie, Bybit, o burs&#259; de criptomonede cu sediul &icirc;n Dubai, a suferit o &icirc;nc&#259;lcare a securit&#259;&#539;ii care a dus la furtul a aproximativ 1,46 miliarde de dolari SUA &icirc;n active cripto. Rapoartele ini&#539;iale sugereaz&#259; c&#259; a fost folosit malware pentru a p&#259;c&#259;li bursa s&#259; aprobe tranzac&#539;ii neautorizate. Acest incident dep&#259;&#537;e&#537;te recordurile anterioare, marc&acirc;ndu-l drept cel mai mare furt de criptomonede p&acirc;n&#259; &icirc;n prezent. Firma de analiz&#259; blockchain Elliptic a atribuit atacul grupului Lazarus din Coreea de Nord, invoc&acirc;nd modele de tranzac&#539;ii legate de hack-uri anterioare.<code>coreea de nord<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.elliptic.co\/blog\/bybit-hack-largest-in-history\">link<\/a> <\/p><p><strong>Re&#539;eaua botnet masiv&#259; exploateaz&#259; Autentificarea de baz&#259; pentru a viza conturile Microsoft 365<\/strong><br>Pe 24 februarie, cercet&#259;torii SecurityScorecard au raportat despre o re&#539;ea botnet masiv&#259; de peste 130.000 de dispozitive compromise care efectueaz&#259; atacuri de pulverizare a parolei asupra conturilor Microsoft 365 folosind Autentificarea de baz&#259;, care va fi retras&#259; &icirc;n septembrie. 
Atacatorii exploateaz&#259; acredit&#259;rile furate de malware-ul infostealer, &#539;intind conect&#259;ri non-interactive, care nu declan&#537;eaz&#259; alerte MFA &#537;i exploat&acirc;nd medii &icirc;n care Autentificarea de baz&#259; r&#259;m&acirc;ne activat&#259;.<code>botnet<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/securityscorecard.com\/research\/massive-botnet-targets-m365-with-stealthy-password-spraying-attacks\/\">link<\/a> <\/p><p><strong>Nou macOS infostealer distribuit prin campania Fake Update<\/strong><br>Pe 18 februarie, Proofpoint a raportat c&#259; un nou infostealer macOS, FrigidStealer, a fost implementat de actorul de amenin&#539;are TA2727 &icirc;n colaborare cu TA2726 &#537;i TA569. Malware-ul este livrat prin pagini false de actualizare a browserului &#537;i face parte dintr-o campanie mai ampl&#259; care vizeaz&#259; &#537;i dispozitivele Windows &#537;i Android. Potrivit Proofpoint, TA569, cunoscut anterior pentru software-ul malware SocGholish, a trecut la lucrul cu al&#539;i actori pentru a distribui noi &icirc;nc&#259;rc&#259;turi utile la nivel global.<code>ho&#539;<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.infosecurity-magazine.com\/news\/proofpoint-frigidstealer-new-mac\/\">link<\/a> <\/p><p><strong>Noua campanie Lumma stealer folose&#537;te infrastructura educa&#539;ional&#259; compromis&#259; pentru a viza diverse sectoare<\/strong><br>Pe 14 februarie, cercet&#259;torii de securitate Cloudsek au raportat despre o campanie de malware Lumma Stealer care exploateaz&#259; infrastructura educa&#539;ional&#259; compromis&#259; pentru a distribui fi&#537;iere LNK r&#259;u inten&#539;ionate deghizate &icirc;n PDF-uri. Aceast&#259; campanie a vizat sectoarele finan&#539;elor, asisten&#539;ei medicale, tehnologiei &#537;i media &#537;i se pare c&#259; fur&#259; parole, datele browserului &#537;i portofelele cripto. 
Aceste fi&#537;iere LNK, atunci c&acirc;nd sunt executate, ini&#539;iaz&#259; un proces de infec&#539;ie &icirc;n mai multe etape care duce la implementarea Lumma stealer.<code>educa&#539;ie<\/code> <code>finante<\/code> <code>s&#259;n&#259;tate<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/www.cloudsek.com\/blog\/lumma-stealer-chronicles-pdf-themed-campaign-using-compromised-educational-institutions-infrastructure\">link<\/a> <\/p><p><strong>Atacurile cu for&#539;&#259; brut&#259; vizeaz&#259; dispozitivele VPN care folosesc 2,8 milioane de IP<\/strong><br>Pe 7 februarie, ShadowServer a raportat c&#259; un atac cu for&#539;&#259; brut&#259; la scar&#259; larg&#259; a fost &icirc;n curs, utiliz&acirc;nd aproape 2,8 milioane de adrese IP pentru a viza dispozitivele de re&#539;ea expuse internetului de la furnizori precum Palo Alto Networks, Ivanti &#537;i SonicWall. Atacul urm&#259;re&#537;te s&#259; ghiceasc&#259; acredit&#259;rile dispozitivului pentru a ob&#539;ine accesul ini&#539;ial la dispozitivele din re&#539;ea. Multe dintre IP-urile atacatoare sunt legate de routere &#537;i dispozitive IoT compromise, ceea ce indic&#259; o opera&#539;iune pe scar&#259; larg&#259; a re&#539;elelor botnet.<code>for&#539;&#259; brut&#259;<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/Shadowserver\/status\/1887790995191763051\">link<\/a> <\/p><p><strong>Noua variant&#259; XCSSET macOS care vizeaz&#259; Xcode<\/strong><br>Pe 17 februarie, Microsoft a raportat despre o nou&#259; variant&#259; de malware numit&#259; XCSSET, care vizeaz&#259; macOS prin infectarea proiectelor Xcode. Aceast&#259; variant&#259; introduce o ofuscare &icirc;mbun&#259;t&#259;&#539;it&#259;, mecanisme de persisten&#539;&#259; actualizate folosind metode zshrc &#537;i dock &#537;i noi tehnici de infec&#539;ie. Malware-ul continu&#259; s&#259; vizeze portofelele digitale, datele aplica&#539;iei Notes &#537;i fi&#537;ierele de sistem. 
Au fost observate atacuri limitate, dar capacit&#259;&#539;ile sale eviden&#539;iaz&#259; riscurile continue de securitate macOS.<code>malware<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/x.com\/MsftSecIntel\/status\/1891410993265123662\">link<\/a> <\/p><p><strong>Microsoft elimin&#259; extensiile populare VSCode din cauza problemelor de securitate<\/strong><br>Pe 26 februarie, Microsoft a eliminat dou&#259; extensii de cod Visual Studio utilizate pe scar&#259; larg&#259;, &bdquo;Tem&#259; material&#259; &ndash; gratuit&rdquo; &#537;i &bdquo;Icoane tem&#259; material&#259; &ndash; gratuit&rdquo;, din Visual Studio Marketplace din cauza unui presupus cod r&#259;u inten&#539;ionat. Cercet&#259;torii de securitate cibernetic&#259; Amit Assaraf &#537;i Itay Kruk au identificat cod suspect &icirc;n aceste extensii, ceea ce a dus la eliminarea acestora. Editorul, Mattia Astorino (alias equinusocio), sus&#539;ine c&#259; problema provine dintr-o dependen&#539;&#259; &icirc;nvechit&#259;. Utilizatorii primesc acum alerte &icirc;n VSCode c&#259; extensiile au fost dezactivate automat.<code>tehnologie<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/medium.com\/extensiontotal\/a-wolf-in-dark-mode-the-malicious-vs-code-theme-that-fooled-millions-85ed92b4bd26\">link<\/a> <\/p><h3 id=\"information-operations-2\">Opera&#539;iuni de informare<\/h3><p><strong>OpenAI interzice conturile care folosesc abuziv ChatGPT pentru campanii de supraveghere &#537;i influen&#539;&#259;<\/strong><br>Pe 21 februarie, OpenAI a anun&#539;at eliminarea conturilor din China &#537;i Coreea de Nord care au folosit abuziv ChatGPT pentru activit&#259;&#539;i r&#259;u inten&#539;ionate, inclusiv opera&#539;iuni de supraveghere &#537;i influen&#539;&#259; a opiniei. Ace&#537;ti actori au generat articole de &#537;tiri anti-SUA &icirc;n spaniol&#259; &#537;i au creat profiluri de locuri de munc&#259; fictive pentru a-&#537;i asigura locuri de munc&#259; la firme occidentale. 
OpenAI continu&#259; s&#259; monitorizeze &#537;i s&#259; previn&#259; astfel de &icirc;nc&#259;lc&#259;ri ale politicii.<code>inteligen&#539;&#259; artificial&#259;<\/code> <a rel=\"noopener\" target=\"_blank\" href=\"https:\/\/openai.com\/global-affairs\/disrupting-malicious-uses-of-ai\/\">link<\/a> <\/p><div class=\"footnotes\"><hr><ol><li id=\"fn-1\"><p>Concluziile sau atribu&#539;iile f&#259;cute &icirc;n acest document reflect&#259; doar ceea ce raporteaz&#259; sursele disponibile public. Ele nu reflect&#259; pozi&#539;ia noastr&#259;.&nbsp;<a href=\"#fnref-1\" class=\"footnoteBackLink\" title=\"Jump back to footnote 1 in the text.\">&#8617;<\/a><\/p><\/li><\/ol><\/div><\/div>\n        <\/div>\n\n        <script>\n        function switchLanguage(lang) {\n            \/\/ Ascunde ambele versiuni\n            document.getElementById(\"content-ro\").style.display = \"none\";\n            document.getElementById(\"content-en\").style.display = \"none\";\n\n            \/\/ Reseteaz\u0103 stilurile butoanelor\n            document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n                btn.style.background = \"#e5e7eb\";\n                btn.style.color = \"#374151\";\n                btn.classList.remove(\"lang-btn-active\");\n            });\n\n            \/\/ Afi\u0219eaz\u0103 versiunea selectat\u0103\n            if (lang === \"ro\") {\n                document.getElementById(\"content-ro\").style.display = \"block\";\n                document.getElementById(\"btn-lang-ro\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-ro\").style.color = \"white\";\n                document.getElementById(\"btn-lang-ro\").classList.add(\"lang-btn-active\");\n            } else {\n                document.getElementById(\"content-en\").style.display = \"block\";\n                document.getElementById(\"btn-lang-en\").style.background = \"#3b82f6\";\n                document.getElementById(\"btn-lang-en\").style.color 
= \"white\";\n                document.getElementById(\"btn-lang-en\").classList.add(\"lang-btn-active\");\n            }\n\n            \/\/ Salveaz\u0103 preferin\u021ba \u00een localStorage\n            localStorage.setItem(\"gpss_preferred_language\", lang);\n        }\n\n        \/\/ Restaureaz\u0103 preferin\u021ba utilizatorului la \u00eenc\u0103rcare\n        document.addEventListener(\"DOMContentLoaded\", function() {\n            var preferredLang = localStorage.getItem(\"gpss_preferred_language\") || \"ro\";\n            switchLanguage(preferredLang);\n        });\n\n        \/\/ Hover effects pentru butoane\n        document.querySelectorAll(\".lang-btn\").forEach(function(btn) {\n            btn.addEventListener(\"mouseenter\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#bfdbfe\";\n                    this.style.color = \"#1e40af\";\n                }\n            });\n            btn.addEventListener(\"mouseleave\", function() {\n                if (!this.classList.contains(\"lang-btn-active\")) {\n                    this.style.background = \"#e5e7eb\";\n                    this.style.color = \"#374151\";\n                }\n            });\n        });\n        <\/script>\n\n        <style>\n        .lang-btn:hover {\n            transform: translateY(-2px);\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.3);\n        }\n        .lang-btn-active {\n            box-shadow: 0 4px 12px rgba(59, 130, 246, 0.4);\n        }\n        <\/style>","protected":false},"excerpt":{"rendered":"<p>\ud83c\udf0d Limb\u0103 \/ Language: \ud83c\uddec\ud83c\udde7 English (Original) \ud83c\uddf7\ud83c\uddf4 Rom\u00e2n\u0103 Traducere automat\u0103 \/ Automatic translation Cyber Brief (February 2025)March 3, 2025 &#8211; Version: 1TLP:CLEARExecutive summaryWe analysed 433 open source reports for this Cyber Brief1.Policy, cooperation, and law enforcement. 
The EU aims to strengthen the EU&#8217;s response to large-scale cyber incidents, Sweden and the UK seek backdoor [&hellip;]<\/p>\n","protected":false},"featured_media":0,"template":"","meta":{"footnotes":""},"ti_category":[198],"ti_source":[172],"ti_severity":[187],"class_list":["post-992326","threat_intelligence","type-threat_intelligence","status-publish","hentry","ti_category-threat-actor","ti_source-cert-eu","ti_severity-critical"],"_links":{"self":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992326","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence"}],"about":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/types\/threat_intelligence"}],"version-history":[{"count":0,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/threat-intelligence\/992326\/revisions"}],"wp:attachment":[{"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/media?parent=992326"}],"wp:term":[{"taxonomy":"ti_category","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_category?post=992326"},{"taxonomy":"ti_source","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_source?post=992326"},{"taxonomy":"ti_severity","embeddable":true,"href":"https:\/\/delve.ro\/ro\/wp-json\/wp\/v2\/ti_severity?post=992326"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}