This week brought a wave of high-impact incidents and critical updates, including a massive third-party breach at Qantas, while a sophisticated cyberattack has targeted none other than the International Criminal Court. Meanwhile, a ransomware assault on a Swiss health foundation has resulted in the exposure of a staggering 1.3 terabytes of sensitive data.
On the defense front, Google has rushed out an emergency patch for a Chrome zero-day that is already being exploited in the wild, and Microsoft’s June Patch Tuesday addresses over 70 vulnerabilities, including five actively exploited zero-days. To round off the week’s developments, researchers have uncovered “FileFix 2.0,” a dangerous new exploit technique that can bypass browser security measures, posing fresh risks to internet users.
Qantas Third Party Data Breach Affects Up to 6 Million Customers
Australia’s Qantas has confirmed a cyberattack targeting a third-party call centre service, potentially impacting customer records from up to 6 million individuals.
The records include names, birthdates, phone numbers, email addresses and frequent flyer numbers, though no financial, passport, password or login data were accessed.
The breach, detected and contained on Monday, is linked to the Scattered Spider threat group, known to use social engineering to bypass MFA and compromise vendor systems. Qantas has secured the affected system and notified the Australian Cyber Security Centre, the Privacy Commissioner and the Federal Police. The organisation also launched a dedicated support portal while working with independent cyber experts to investigate and enhance security measures.
Sophisticated Cyberattack Hits International Criminal Court
On June 30th, the International Criminal Court (ICC) detected and contained a “new, sophisticated and targeted” cyberattack marking the second such incident in recent years.
The Court immediately initiated a comprehensive, organisation-wide impact analysis and deployed mitigation measures through its built-in alert systems.
While no technical specifics or data breaches have been disclosed, the ICC emphasised the importance of transparency with States Parties and reaffirmed its commitment to upholding justice and accountability amid escalating cyber threats.
Ransomware Attack on Swiss Health Foundation Exposes 1.3TB of Data
The Sarcoma ransomware group breached Zurich-based Radix, a non-profit health foundation, stealing and encrypting 1.3TB of data. When Radix refused to pay the ransom demands, the attackers published the stolen material on the dark web on June 29.
Although Radix isn’t directly connected to federal systems, its client base includes Swiss federal offices—raising the likelihood that sensitive government data is among the leaked files. The Swiss National Cyber Security Centre (NCSC) is actively investigating the leak, analysing five archived data bundles despite slow download speeds hindering the process.
In response, Radix revoked compromised system access, confirmed clean backups, and notified potentially affected individuals. The foundation also alerted authorities including Zurich police, the NCSC, and the Federal Data Protection and Information Commissioner.
Google Rushes Out Chrome Patch for Actively Exploited Zero‑Day
Google has issued an urgent update for Chrome versions:
- 138.0.7204.96/.97 (Windows)
- 138.0.7204.92/.93 (macOS)
- 138.0.7204.96 (Linux)
The patch addresses a critical zero‑day type confusion flaw in the V8 JavaScript and WebAssembly engine, tracked as CVE-2025-6554, which is already being exploited in the wild.
The vulnerability, discovered by Clément Lecigne of Google’s Threat Analysis Group on June 25, 2025, allows remote attackers to perform arbitrary read/write operations by luring victims to a crafted HTML page. This type of bug poses serious risk, enabling attackers to run malicious code, install spyware, or trigger drive‑by downloads.
Google indicates a configuration-based mitigation was promptly deployed across all Chrome Stable channels on July 1, 2025. Users and administrators are strongly advised to update immediately and ensure automatic patching is enabled. Other Chromium-based browsers like Edge, Brave, Opera, and Vivaldi should also receive updates soon.
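Administrators triaging a fleet need to know which endpoints still sit below the fixed build. The following script is an added example written for this write-up, not Google's tooling: it compares an inventory of installed Chrome versions against the patched builds listed above (where Google lists a pair such as .96/.97, the lower build is taken as the minimum). The hostnames and installed versions in the sample inventory are constructed for illustration.

```python
"""Check installed Chrome builds against the patched releases for CVE-2025-6554."""

# Minimum patched Chrome version per platform, taken from the advisory above.
# Where a pair is listed (".96/.97"), the lower build is the minimum.
PATCHED_VERSIONS = {
    "windows": "138.0.7204.96",
    "macos": "138.0.7204.92",
    "linux": "138.0.7204.96",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted Chrome version string into a comparable tuple of ints.

    Comparing tuples of ints avoids the classic string-comparison bug where
    "138.0.7204.100" would sort below "138.0.7204.96".
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(platform: str, installed: str) -> bool:
    """Return True if `installed` is at or above the fixed build for `platform`."""
    key = platform.lower()
    if key not in PATCHED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    return parse_version(installed) >= parse_version(PATCHED_VERSIONS[key])


def triage(inventory) -> list[str]:
    """Given (hostname, platform, version) records, return the hostnames that
    still run a vulnerable build, sorted for reporting."""
    return sorted(host for host, plat, ver in inventory if not is_patched(plat, ver))


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "138.0.7204.97"),   # patched (upper build of the pair)
    ("ws-02", "windows", "138.0.7204.49"),   # older 138 build, still vulnerable
    ("mac-01", "macos", "138.0.7204.92"),    # exactly the fixed build
    ("srv-01", "linux", "137.0.7151.119"),   # previous major release, vulnerable
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome below the fixed build for CVE-2025-6554, update now")
```

In practice the inventory would come from an endpoint management export; the comparison logic is the part worth reusing, since version strings must never be compared lexically.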
Microsoft’s June Patch Tuesday Fixes Over 70 Vulnerabilities Including Five Exploited Zero‑Days
In its June 2025 Patch Tuesday, Microsoft released updates addressing more than 70 security flaws, notably patching five zero‑day vulnerabilities that were actively exploited, including critical privilege escalation bugs in the Windows DWM Core Library (CVE-2025-30400), the WinSock and Common Log File System drivers (CVE-2025-32709, CVE-2025-32701, CVE-2025-32706), and a remote code execution issue in the Microsoft Scripting Engine (CVE-2025-30397).
The update also resolved two other publicly disclosed flaws (CVE-2025-26685 and CVE-2025-32702) plus eleven critical-severity bugs, including remote code execution and privilege escalation, in addition to 59 important-severity issues such as denial-of-service, information disclosure, and security feature bypass weaknesses.
Users are urged to apply the patches immediately, especially for devices vulnerable to the active zero‑days, to ensure robust protection.
“FileFix 2.0” Exploit Bypasses Browser Security
A fresh variant of the ClickFix social engineering attack, dubbed FileFix 2.0, leverages how modern browsers like Chrome and Edge save HTML pages to bypass the Windows Mark of the Web (MoTW) safeguard. Discovered by researcher mr.d0x, the technique tricks users into saving HTML files (e.g., “Save Backup Codes”) that appear harmless but secretly execute malicious scripts or disguise themselves as HTA files when saved, enabling attackers to deploy malware through social engineering.
By exploiting how browsers set default filenames based on contents, attackers can craft pages that, once saved, drop dangerous .hta files without raising user suspicion.
The method enhances the traditional ClickFix tactic, in which users are deceived into running scripts via fake browser alerts, by eliminating MoTW warnings. The attack relies solely on user interaction to initiate the download, sidestepping browser filters like Safe Browsing.
Security experts recommend disabling .hta execution (e.g., restrict mshta.exe) and monitoring for unusual browser activity like child processes (cmd.exe, powershell.exe, or mshta.exe) to mitigate this emerging threat.
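The monitoring advice above translates directly into a detection rule: a browser process should not normally be the parent of cmd.exe, powershell.exe or mshta.exe. The script below is an added example for this write-up, not the researcher's code or any vendor's rule: it scans process-creation telemetry (constructed here as JSON lines with Sysmon-style field names ParentImage, Image and CommandLine) and flags browser-spawned scripting hosts, raising the severity when mshta.exe or an .hta argument is involved. The sample events, paths and file names are made up for illustration.

```python
"""Flag process-creation events where a browser spawns a scripting host."""
import json
import ntpath

# Browser executables treated as parents of interest (assumed names, not from the write-up).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Child processes the write-up recommends watching for under a browser parent.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "mshta.exe"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict):
    """Return a finding dict for a browser -> scripting-host spawn, else None."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in BROWSERS or child not in SUSPICIOUS_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    # mshta.exe itself, or any .hta argument, is the FileFix-style case: high severity.
    severity = "high" if child == "mshta.exe" or ".hta" in cmdline.lower() else "medium"
    return {"severity": severity, "parent": parent, "child": child, "command": cmdline}


def scan(lines) -> list:
    """Parse JSON-lines telemetry and collect findings, skipping malformed records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line; a real pipeline would count these
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (raw strings so JSON keeps the escaped backslashes).
SAMPLE_EVENTS = [
    r'{"ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", '
    r'"Image": "C:\\Windows\\System32\\mshta.exe", '
    r'"CommandLine": "mshta.exe C:\\Users\\alice\\Downloads\\backup_codes.hta"}',
    r'{"ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
    r'{"ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "mshta.exe"}',
    r'{"ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", '
    r'"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", '
    r'"CommandLine": "chrome.exe --type=renderer"}',
    "not json at all",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['parent']} -> {f['child']}: {f['command']}")
```

Only the first two events fire: explorer.exe launching mshta.exe is outside the browser-parent scope of this rule (though it may deserve its own), and a browser spawning its own renderer is normal. In production, pair this with the recommended restriction on mshta.exe so that the high-severity case is both blocked and alerted.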
If you would like to discover how Secora Consulting can assist you in keeping your business secure, please get in touch by filling out the form below.