L’ordre international est en pleine mutation. La rivalité entre les États-Unis et la Chine va profondément influencer la politique de sécurité mondiale dans les années à venir. La Russie, la Chine, la Corée du Nord et l’Iran resserrent leur coopération et cherchent à modifier l’ordre international perçu comme dominé par l’Occident. La guerre menée par la Russie contre l’Ukraine devrait se poursuivre en 2025. Parallèlement, le conflit entre Israël et l’Iran s’est intensifié: Israël a lancé en juin 2025 des frappes militaires contre le programme nucléaire iranien. La simultanéité de ces crises renforce l’insécurité mondiale.
Espionnage, contournement des sanctions et prolifération: la Suisse comme cible stratégique
La confrontation mondiale accroît la pression sur la Suisse. En tant que siège de nombreuses organisations internationales et centre d’innovation, elle est dans la ligne de mire des services de renseignement étrangers. Les principales menaces d’espionnage proviennent de la Russie et de la Chine qui maintiennent une forte présence en Suisse. Elles s’intéressent aux autorités fédérales, aux entreprises, aux organisations internationales et aux instituts de recherche.
La concurrence accrue entre grandes puissances fait aussi de la Suisse une cible privilégiée pour les tentatives de contournement des sanctions et la prolifération. La Russie, l’Iran et la Corée du Nord tentent de plus en plus d’obtenir via la Suisse des biens à double usage et des technologies pour leurs programmes militaires et nucléaires.
Le SRC apporte ici une contribution importante, en étroite collaboration avec le Secrétariat d’État à l’économie (SECO), dans le domaine de la détection et de la prévention des tentatives de contournement des sanctions. Le SRC et le SECO sensibilisent également les entreprises suisses aux risques liés à l’espionnage, au contournement des sanctions et à la prolifération.
Menace terroriste: focus sur la prévention et la détection précoce
La menace terroriste en Suisse est élevée et est marquée par des personnes inspirées par le djihadisme. La radicalisation en ligne des jeunes constitue un défi majeur. Ce processus peut être rapide, rendant la détection précoce essentielle. Les intérêts juifs et israéliens – notamment les personnes et établissements concernés – restent exposés.
Le SRC coopère étroitement avec les écoles, les organisations de jeunesse et les polices. L’objectif est de détecter les processus de radicalisation à un stade précoce et d’agir de manière préventive.
Infrastructures critiques comme cibles
Pour les opérateurs d’infrastructures critiques suisses, les cyberattaques représentent une menace majeure. Des attaques de sabotage ciblées – menées de façon cinétique ou cybernétique – par des acteurs étatiques pourraient viser à nuire à d’autres États, alliances ou institutions dépendant de ces infrastructures, dans le cadre de conflits hybrides.
La Suisse dans le viseur: la technologie, clé du pouvoir
«La Suisse doit considérer la situation sécuritaire dans un contexte mondial», explique Christian Dussey, directeur du SRC. «La confrontation globale nous touche directement. Notre radar stratégique identifie actuellement 15 foyers de crise simultanés – un tel niveau de menace est sans précédent. Nous ne sommes pas de simples observateurs – nous sommes directement concernés. À cela s’ajoute la lutte pour la suprématie technologique. La technologie est aujourd’hui une clé déterminante du pouvoir. Et la Suisse, en tant que place innovante, est directement exposée à ces enjeux – notamment à travers l’espionnage et d’autres activités de renseignement. Le SRC et les autres autorités de sécurité du pays sont fortement mis à l’épreuve par ces défis. Des défis auxquels nous ne pouvons répondre qu’ensemble, en étroite collaboration avec nos partenaires nationaux et internationaux.»
Cisco has removed a backdoor account from its Unified Communications Manager (Unified CM), which would have allowed remote attackers to log in to unpatched devices with root privileges.
Cisco Unified Communications Manager (CUCM), formerly known as Cisco CallManager, serves as the central control system for Cisco's IP telephony systems, handling call routing, device management, and telephony features.
The vulnerability (tracked as CVE-2025-20309) was rated as maximum severity, and it is caused by static user credentials for the root account, which were intended for use during development and testing.
The Spanish police have arrested two individuals in the province of Las Palmas for their alleged involvement in cybercriminal activity, including data theft from the country's government.
The duo has been described as a "serious threat to national security" and focused their attacks on high-ranking state officials as well as journalists. They leaked samples of the stolen data online to build notoriety and inflate the selling price.
"The investigation began when agents detected the leakage of personal data affecting high-level institutions of the State across various mass communication channels and social networks," reads the police announcement.
"These sensitive data were directly linked to politicians, members of the central and regional governments, and media professionals."
The first suspect is believed to have specialized in data exfiltration, while the second managed the financial part by selling access to databases and credentials, and holding the cryptocurrency wallet that received the funds.
The two were arrested yesterday at their homes. During the raids, the police confiscated a large number of electronic devices that may lead to more incriminating evidence, buyers, or co-conspirators.
June 26, 2025 by Anil Shetty netscaler.com
Over the past two weeks, Cloud Software Group has released builds to address CVE-2025-6543 and CVE 2025-5777, which affect NetScaler ADC and NetScaler Gateway if they are configured as a Gateway (VPN virtual server, ICA Proxy, CVPN, RDP Proxy) OR an Authentication Authorization and Auditing (“AAA”) virtual server. While both of the vulnerabilities involve the same modules, the exposures differ. CVE 2025-6543, if exploited, could lead to a memory overflow vulnerability, resulting in unintended control flow and Denial of Service. CVE 2025-5777 arises from insufficient input validation that leads to memory overread.
Some commentators have drawn comparisons between CVE 2025-5777 and CVE 2023-4966. While the vulnerabilities share some characteristics, Cloud Software Group has found no evidence to indicate that they are related.
The description of the vulnerability on the NIST website for CVE-2025-5777 initially erroneously identified NetScaler Management Interface as implicated in the vulnerability, but they subsequently updated the description to exclude it. The most accurate description of CVE 2025-5777 can be found in the Citrix security bulletin published on June 17, 2025.
Through our internal review process and by collaborating with customers, we identified the affected NetScaler ADC and NetScaler Gateway builds. CVE 2025-5777 only applies to customer-managed NetScaler ADC and NetScaler Gateway. Cloud Software Group upgrades Citrix-managed cloud services and Citrix-managed Adaptive Authentication with the necessary software updates. Please refer to the security bulletin for more details.
Citrix has signed CISA’s Secure by Design pledge, reinforcing our commitment to building security into every stage of the product lifecycle. As part of this pledge, we prioritize security by default, transparency, and accountability in how we manage vulnerabilities. Our Product Security Incident Response Team (PSIRT) follows industry standards to assess, address, and disclose vulnerabilities responsibly. We work closely with security researchers, government agencies and customers to ensure timely fixes and clear communication. Learn more about our responsible disclosure process at Citrix Vulnerability Response.
Additionally, there’s an issue related to authentication that you may observe after upgrading NetScaler to build 14.1 47.46 or 13.1 59.19. This can manifest as a “broken” login page, especially when using authentication methods like DUO configurations based on Radius authentication, SAML, or any Identity Provider (IDP) that relies on custom scripts. This behavior can be attributed to the Content Security Policy (CSP) header being enabled by default in this NetScaler build, especially when CSP was not enabled prior to the upgrade. For more information on this issue please refer to the KB article.
On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices.
One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to write an open letter to the FTC, urging them to take action on resellers.
The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.
The FBI lists these IoC:
The presence of suspicious marketplaces where apps are downloaded.
Requiring Google Play Protect settings to be disabled.
Generic TV streaming devices advertised as unlocked or capable of accessing free content.
IoT devices advertised from unrecognizable brands.
Android devices that are not Play Protect certified.
Unexplained or suspicious Internet traffic.
The following adds context to above, as well as some added IoCs we have seen from our research.
WASHINGTON, June 30 (Reuters) - Iran-linked hackers have threatened to disclose more emails stolen from U.S. President Donald Trump's circle, after distributing a prior batch to the media ahead of the 2024 U.S. election.
In online chats with Reuters on Sunday and Monday, the hackers, who go by the pseudonym Robert, said they had roughly 100 gigabytes of emails from the accounts of White House Chief of Staff Susie Wiles, Trump lawyer Lindsey Halligan, Trump adviser Roger Stone and porn star-turned-Trump antagonist Stormy Daniels.
Press release: 30 June 2025
Late last week, the International Criminal Court (“ICC” or “the Court”) detected a new, sophisticated and targeted cyber security incident, which has now been contained.
This incident, the second of this type against the ICC in recent years, was swiftly discovered, confirmed and contained, through the Court’s alert and response mechanisms. A Court-wide impact analysis is being carried out, and steps are already being taken to mitigate any effects of the incident.
The Court considers it essential to inform the public and its States Parties about such incidents as well as efforts to address them, and calls for continued support in the face of such challenges.
Such support ensures the Court’s capacity to implement its critical mandate of justice and accountability, which is a shared responsibility of all States Parties.
July 1, 2025
WASHINGTON Today, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) is designating Aeza Group, a bulletproof hosting (BPH) services provider, for its role in supporting cybercriminal activity targeting victims in the United States and around the world. BPH service providers sell access to specialized servers and other computer infrastructure designed to help cybercriminals like ransomware actors, personal information stealers, and drug vendors evade detection and resist law enforcement attempts to disrupt their malicious activities. OFAC is also designating two affiliated companies and four individuals who are Aeza Group leaders. Finally, in coordination with the United Kingdom’s (UK) National Crime Agency (NCA), OFAC is designating an Aeza Group front company in the UK.
“Cybercriminals continue to rely heavily on BPH service providers like Aeza Group to facilitate disruptive ransomware attacks, steal U.S. technology, and sell black-market drugs,” said Acting Under Secretary of the Treasury for Terrorism and Financial Intelligence Bradley T. Smith. “Treasury, in close coordination with the UK and our other international partners, remains resolved to expose the critical nodes, infrastructure, and individuals that underpin this criminal ecosystem.”
Today’s action is being taken pursuant to Executive Order (E.O.) 13694, as further amended, and builds on OFAC’s February action targeting ZServers BPH. Today’s action also reflects Treasury’s continued work to combat cybercrime and degrade the support networks that enable malicious actors to target U.S. citizens, technology, and critical industries.
AEZA GROUP: KEY TECHNICAL SUPPORT FOR RANSOMWARE GROUPS, CYBERCRIME, AND ILLICIT DRUGS
Aeza Group, headquartered in St. Petersburg, Russia, has provided BPH services to ransomware and malware groups such as the Meduza and Lumma infostealer operators, who have used the hosting service to target the U.S. defense industrial base and technology companies, among other victims globally. Infostealers are often used to harvest personal identifying information, passwords, and other sensitive credentials from compromised victims. These credentials are then often sold on darknet markets for profit, making infostealer operators a key piece of the cybercrime ecosystem.
Aeza Group has also hosted BianLian ransomware, RedLine infostealer panels, and BlackSprut, a Russian darknet marketplace for illicit drugs. Darknet drug marketplaces allow for the anonymous purchase and shipment of narcotics over the internet, making them a present and increasing contributor to drug trafficking to the United States and worldwide. According to Treasury’s Financial Crimes Enforcement Network (FinCEN) and its supplemental advisory on fentanyl, criminal organizations use darknet marketplaces to sell precursor chemicals and manufacturing equipment used for the synthesis of fentanyl and other synthetic opioids, as well as to traffic fentanyl and other narcotics into the United States.
OFAC is designating Aeza Group pursuant to E.O. 13694, as further amended by E.O. 14144 and E.O. 14306, for being responsible or complicit in, or having engaged in, directly or indirectly, cyber-enabled activities originating from, or directed by persons located, in whole or in part, outside the United States that are reasonably likely to result in, or have materially contributed to, a threat to the national security, foreign policy, or economic health or financial stability of the United States, and that have the purpose of or involve causing a misappropriation of funds or economic resources, intellectual property, proprietary or business confidential information, personal identifiers, or financial information for commercial or competitive advantage or private financial gain.
Aeza International Ltd. is the United Kingdom branch of Aeza Group. Aeza Group uses Aeza International to lease IP addresses to cybercriminals, including Meduza infostealer operators.
Aeza Logistic LLC and Cloud Solutions LLC are Russia-based subsidiaries that are 100% owned by Aeza Group. Servers BPH.
A new browser attack vectors just dropped, and it’s called FileFix — an alternative to the well-known ClickFix attack. This method, discovered and shared by mrd0x, shows how attackers can to execute commands right from browser, without requesting target to open cmd dialog. Quick Recap: What’s the ClickFix Attack? First, let's quickly recap ClickFix, the
Qantas can confirm that a cyber incident has occurred in one of its contact centres impacting customer data. The system is now contained.
We understand this will be concerning for customers. We are currently contacting customers to make them aware of the incident, apologise and provide details on the support available.
The incident occurred when a cyber criminal targeted a call centre and gained access to a third party customer servicing platform.
There is no impact to Qantas’ operations or the safety of the airline.
What we know
On Monday, we detected unusual activity on a third party platform used by a Qantas airline contact centre. We then took immediate steps and contained the system. We can confirm all Qantas systems remain secure.
There are 6 million customers that have service records in this platform. We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.
Importantly, credit card details, personal financial information and passport details are not held in this system. No frequent flyer accounts were compromised nor have passwords, PIN numbers or log in details been accessed.
Actions we are taking
While we conduct the investigation, we are putting additional security measures in place to further restrict access and strengthen system monitoring and detection.
Qantas has notified the Australian Cyber Security Centre and the Office of the Australian Information Commissioner. Given the criminal nature of this incident, the Australian Federal Police has also been notified. We will continue to support these agencies as the investigation continues.
Qantas has established a dedicated customer support line as well as a dedicated page on qantas.com to provide the latest information to customers. We will continue to share updates including via our website and social channels.
Qantas Group Chief Executive Officer Vanessa Hudson said:
“We sincerely apologise to our customers and we recognise the uncertainty this will cause. Our customers trust us with their personal information and we take that responsibility seriously.
“We are contacting our customers today and our focus is on providing them with the necessary support.
“We are working closely with the Federal Government’s National Cyber Security Coordinator, the Australian Cyber Security Centre and independent specialised cyber security experts.”
