Daily Threat Briefing: Defence Supply Chain Besieged, Russian Hosts Sanctioned & Critical Fortinet Zero-Days

Executive Summary

The Australian cyber threat landscape has intensified over the last 24 hours with significant geopolitical moves and critical infrastructure attacks. The Federal Government, in coordination with the US and UK, has officially sanctioned Russian "bulletproof" hosting providers facilitating ransomware campaigns against Australian targets. Meanwhile, the defence supply chain is under scrutiny following a confirmed breach at a major naval contractor, and network defenders are racing to patch actively exploited zero-days in Fortinet and Citrix appliances.

Here is your daily deep dive into the threats shaping our digital environment.

Sector Intelligence

Government & Defence: Supply Chain in the Crosshairs

The most critical update today involves IKAD Engineering, a key contractor for the Hunter Class frigate and Collins Class submarine programs. The J Group ransomware gang has claimed responsibility for a breach, alleging they maintained undetected access for five months—a "staycation in the defence supply chain"—before exfiltrating 800GB of data. While IKAD states no classified data was lost, this highlights a severe visibility gap in third-party risk management.

Simultaneously, the Australian Government has imposed sanctions on Media Land LLC and ML.Cloud, along with key individuals Aleksandr Volosovik and Kirill Zatolokin. These entities are accused of providing the backend infrastructure for ransomware groups like Qilin and Medusa, which have relentlessly targeted Australian schools and hospitals this year.

  • Threat Actor Watch: Volt Typhoon (China-nexus) continues to probe Australian critical infrastructure, specifically telecommunications and energy grids, likely for pre-positioning rather than immediate disruption.

SaaS & Cloud Providers: The Fortinet Crisis

SaaS providers and enterprises using Fortinet FortiWeb WAFs must act immediately. A critical vulnerability (CVE-2025-64446) is being actively exploited in the wild. This relative path traversal flaw lets an unauthenticated attacker reach the administrative API with a crafted HTTP request and create administrator accounts, effectively handing over full control of the device.

  • Impact: Full device compromise, potential lateral movement into cloud environments.
  • Status: CISA has mandated US federal agencies patch this by today, 21 November 2025. Australian organisations should follow suit immediately.

Healthcare: Relentless Ransomware

Healthcare remains the most targeted sector in 2025, accounting for 17% of all significant cyber incidents. The sanctions against Russian hosting firms are a direct response to attacks on this sector, but operational risks remain high. Hospitals are advised to review their exposure to the Citrix NetScaler zero-day (CVE-2025-5777), which is currently being used to deploy ransomware payloads.

FinTech & DeFi: Smart Contract Failures

The decentralised finance (DeFi) sector has seen over $3.1 billion in losses this year. In the last 24 hours, analysis has surfaced regarding the Abracadabra protocol hack ($1.8m loss), caused by a state management flaw in a smart contract. For Australian FinTechs, this reinforces the need for rigorous code audits and formal verification before deployment, especially as high-speed chains like Solana gain traction.

IoT & Mobile: Commercial Spyware

A sophisticated spyware campaign dubbed "LANDFALL" has been uncovered targeting Samsung Galaxy devices. It exploits a zero-day in the image-processing library (CVE-2025-21042). The malware is delivered via malicious DNG files on WhatsApp, affecting high-profile targets in the corporate and government sectors.

Vulnerability Watch: Critical Exploits

We are tracking the following vulnerabilities, all under active exploitation and relevant to Australian organisations:

  1. Fortinet FortiWeb (CVE-2025-64446)

    • Type: Path Traversal / Authentication Bypass.
    • Severity: Critical (CVSS 9.8).
    • Action: Update to 8.0.2 or the corresponding fixed release for your branch immediately. If patching is impossible, disable HTTP/HTTPS management on internet-facing interfaces until you can patch; this is a stopgap, not a fix.
  2. Windows Kernel (CVE-2025-62215)

    • Type: Privilege Escalation.
    • Severity: High.
    • Context: Actively used by attackers to gain SYSTEM privileges after initial foothold (often via phishing).
  3. Fortinet FortiWeb (CVE-2025-58034)

    • Type: OS Command Injection (authenticated).
    • Severity: Medium (CVSS 6.7 per Fortinet); the low score reflects the authentication requirement, not the impact once an attacker is in.
    • Context: Because it needs an authenticated session, it is chained with the auth bypass above: create an admin account, then execute arbitrary commands as that account.

Pen Tester’s Perspective: The Rise of "Agentic" Threats

By Lean Security

The breach of IKAD Engineering is a textbook example of why perimeter defences are insufficient. The attackers didn't just smash and grab; they dwelt. They understood the network better than the administrators.

Furthermore, we are seeing a shift towards Agentic AI in offensive operations. Automated agents are now capable of chaining vulnerabilities (like the Fortinet auth bypass followed by command injection) at machine speed, drastically reducing the "time-to-compromise."

Recommendation: Organisations must move beyond annual compliance checks.

  1. Simulate the Supply Chain Breach: Don't just test your perimeter; test your reaction when a trusted vendor is compromised.
  2. API Security: The Fortinet exploit targeted an API endpoint. Ensure your API security testing covers logic flaws and authorisation bypasses, not just standard injections.
  3. Hunt for Persistence: If you run FortiWeb, assume compromise. Compare the current administrator list against your baseline, and check event logs for admin accounts created or modified in the last 30 days, particularly those created via the API, from addresses outside your management network, or outside a change window.
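As an added example (not from the briefing, Fortinet, or Lean Security) of the two hunts above, the script below runs detection logic over constructed sample logs: it flags web requests that combine path traversal with the FortiWeb administrative API path, and it flags admin-account creation events whose account is not in an approved baseline or whose source address is outside the management network. The admin API prefix, the combined-format access log lines, and the key=value event log fields are all assumptions chosen for illustration; real FortiWeb field names may differ, so adjust the regexes to your own exports.

```python
"""Hunt for FortiWeb admin-API traversal attempts and unexpected admin-account
creation. Added example; log lines are constructed, not real telemetry."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import unquote

# Assumed administrative API prefix on the appliance (adjust to your device).
ADMIN_API_PREFIX = "/api/v2.0/cmdb/system/admin"

# A '..' path segment, after percent-decoding.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Combined log format request line: ip ident user [ts] "METHOD path proto" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Fortinet-style key=value event log fields (assumed field names).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample access log: two traversal attempts against the admin API
# (plain and percent-encoded), one ordinary API call, one traversal elsewhere.
ACCESS_LOG = """\
203.0.113.7 - - [20/Nov/2025:09:12:44 +1100] "POST /api/v2.0/cmdb/system/admin%3F/../../../cgi-bin/app HTTP/1.1" 200 512
198.51.100.3 - - [20/Nov/2025:09:13:01 +1100] "GET /api/v2.0/cmdb/system/status HTTP/1.1" 401 0
203.0.113.7 - - [20/Nov/2025:09:13:05 +1100] "POST /api/v2.0/cmdb/system/admin%3f/%2e%2e/%2e%2e/cgi-bin/app HTTP/1.1" 200 512
192.0.2.9 - - [20/Nov/2025:10:00:00 +1100] "GET /docs/../static/logo.png HTTP/1.1" 200 1024
"""

# Constructed sample event log: one suspicious admin add via the API from an
# external address, one legitimate add from the management LAN, one edit.
EVENT_LOG = """\
date=2025-11-20 time=09:12:50 type=event subtype=admin user="admin" ui=api action="add" cfgpath="system admin" cfgobj="svc_backup" srcip=203.0.113.7 msg="Add system admin svc_backup"
date=2025-11-20 time=10:30:00 type=event subtype=admin user="jsmith" ui=GUI action="add" cfgpath="system admin" cfgobj="jdoe" srcip=10.10.0.5 msg="Add system admin jdoe"
date=2025-11-20 time=11:00:00 type=event subtype=admin user="jsmith" ui=GUI action="edit" cfgpath="system admin" cfgobj="jdoe" srcip=10.10.0.5 msg="Edit system admin jdoe"
"""


def normalise_path(raw: str) -> str:
    """Percent-decode twice so %2e%2e and %252e%252e both surface as '..'.
    The query string is deliberately not stripped: an encoded '?' placed before
    the traversal is a classic way to hide it from naive filters."""
    path = raw
    for _ in range(2):
        path = unquote(path)
    return path


def find_admin_api_traversal(access_log: str) -> list[dict]:
    """Return requests whose decoded path targets the admin API via '..'."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        decoded = normalise_path(m["path"])
        if ADMIN_API_PREFIX in decoded and TRAVERSAL.search(decoded):
            hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                         "path": m["path"], "status": int(m["status"])})
    return hits


def parse_kv(line: str) -> dict[str, str]:
    """Parse key=value pairs, dropping the quotes around quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_unexpected_admin_accounts(event_log: str, approved_admins: set[str],
                                   mgmt_networks: list[str]) -> list[dict]:
    """Return admin 'add' events that fall outside the baseline or the management network."""
    nets = [ipaddress.ip_network(n) for n in mgmt_networks]
    findings = []
    for line in event_log.splitlines():
        ev = parse_kv(line)
        if ev.get("cfgpath") != "system admin" or ev.get("action") != "add":
            continue
        reasons = []
        if ev.get("cfgobj") not in approved_admins:
            reasons.append("account not in approved baseline")
        src = ev.get("srcip", "")
        try:
            if not any(ipaddress.ip_address(src) in n for n in nets):
                reasons.append("created from outside management networks")
        except ValueError:
            reasons.append("unparseable srcip")
        if ev.get("ui", "").lower() == "api":
            reasons.append("created via API")
        if reasons:
            findings.append({"account": ev.get("cfgobj"), "by": ev.get("user"),
                             "srcip": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in find_admin_api_traversal(ACCESS_LOG):
        print("traversal against admin API:", hit)
    for f in find_unexpected_admin_accounts(EVENT_LOG, {"admin", "jsmith", "jdoe"},
                                            ["10.10.0.0/16"]):
        print("unexpected admin account:", f)
```

Run it against your own exports by swapping in the access and event logs; the useful output is the correlation, an admin account created via the API from the same external address that sent traversal requests minutes earlier. A decoded path that merely contains '..' is not by itself proof of exploitation, so the first hunt keys on the admin API prefix as well, and the second hunt treats a baseline mismatch as a finding to investigate rather than a confirmed compromise.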

Contact us for a quote for penetration testing service or adversary simulation.