Executive Summary
The last 24 to 48 hours have seen significant shifts in the Australian cyber threat landscape, dominated by a major government crackdown on ransomware facilitators and a developing supply chain incident affecting the Salesforce ecosystem.
In a coordinated move with the US and UK, the Australian Government has imposed sanctions on Russian individuals and entities providing "bulletproof hosting" to gangs like LockBit and Clop. Meanwhile, organisations relying on Salesforce are on high alert following confirmed unauthorised activity linked to third-party Gainsight applications, with threat actors claiming widespread access.
On the vulnerability front, a critical Microsoft WSUS flaw (CVE-2025-59287) is seeing active exploitation, demanding immediate attention from system administrators.
Sector-Specific Updates
Government & Critical Infrastructure
- New Cyber Sanctions Imposed: As of 20–21 November 2025, Australia has sanctioned Russian cybercrime service providers Media Land LLC and ML Cloud, along with individuals Aleksandr Volosovik and Kirill Zatolokin. These entities are accused of providing the infrastructure that enables major ransomware groups (including LockBit and BlackSuit) to target Australian critical infrastructure and businesses. This marks a pivotal shift towards holding enablers accountable.
SaaS & FinTech
- Salesforce / Gainsight Supply Chain Incident: Salesforce has confirmed an investigation into "unusual activity" involving Gainsight-published applications. While Salesforce’s own platform reportedly remains secure, the breach of this third-party integration has led to the revocation of access tokens.
- Threat Actor Activity: A group calling itself "Scattered LAPSUS$ Hunters" (potentially linked to ShinyHunters) is claiming to have compromised hundreds of organisations via this vector. Australian SaaS consumers and FinTech firms using these integrations should immediately audit their connected apps and access logs.
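The audit recommended above can be started from a Salesforce LoginHistory export. The script below is an added example written for this briefing; it is not code from Salesforce, Gainsight or the original report. It assumes a CSV export of the standard LoginHistory object with the columns LoginTime, UserId, SourceIp, LoginType, Status and Application, and the sample rows, application name, user IDs and IP addresses embedded in it are constructed placeholders, not indicators from the incident. It flags every login by a watched connected app after a chosen window start and marks those coming from source IPs the app had never used before that date, which is the pattern a replayed integration token typically produces.

```python
"""Audit a Salesforce LoginHistory export for connected-app activity.

Added example, not the briefing's or any vendor's code. Assumes the standard
LoginHistory CSV columns; all sample data below is constructed.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (NOT real data). "Remote Access 2.0" is used here
# as the LoginType for OAuth connected-app logins; confirm against your own export.
SAMPLE_CSV = """LoginTime,UserId,SourceIp,LoginType,Status,Application
2025-11-10T02:15:00Z,005xx000001AAAA,203.0.113.10,Remote Access 2.0,Success,Gainsight Connector
2025-11-18T23:40:00Z,005xx000001AAAA,198.51.100.7,Remote Access 2.0,Success,Gainsight Connector
2025-11-19T01:05:00Z,005xx000001BBBB,198.51.100.7,Remote Access 2.0,Success,Gainsight Connector
2025-11-19T03:00:00Z,005xx000001CCCC,192.0.2.44,Application,Success,Browser
2025-11-19T04:10:00Z,005xx000001AAAA,198.51.100.7,Remote Access 2.0,Failed: Revoked,Gainsight Connector
"""

# Substrings matched case-insensitively against the Application column.
WATCHED_APPS = {"gainsight"}


def utc(stamp):
    """Parse an ISO-8601 'Z' timestamp as found in the export into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_login_history(text):
    """Read the CSV export into dicts, converting LoginTime to a datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["LoginTime"] = utc(row["LoginTime"])
        rows.append(row)
    return rows


def is_watched(application):
    app = application.lower()
    return any(name in app for name in WATCHED_APPS)


def audit_watched_app_logins(rows, window_start):
    """Return one finding per watched-app login at or after window_start.

    new_source_ip is True when the app had never logged in from that IP before
    the window, so the token is being used from somewhere it never was before.
    """
    baseline_ips = {
        r["SourceIp"] for r in rows
        if is_watched(r["Application"]) and r["LoginTime"] < window_start
    }
    findings = []
    for r in rows:
        if not is_watched(r["Application"]) or r["LoginTime"] < window_start:
            continue
        findings.append({
            "time": r["LoginTime"].isoformat(),
            "user": r["UserId"],
            "ip": r["SourceIp"],
            "status": r["Status"],
            "new_source_ip": r["SourceIp"] not in baseline_ips,
        })
    return findings


def users_to_review(findings):
    """Users whose watched-app session succeeded from a previously unseen IP."""
    return sorted({f["user"] for f in findings
                   if f["new_source_ip"] and f["status"] == "Success"})


if __name__ == "__main__":
    history = parse_login_history(SAMPLE_CSV)
    results = audit_watched_app_logins(history, utc("2025-11-18T00:00:00Z"))
    for f in results:
        print(f)
    print("users to review:", users_to_review(results))
```

Set the window start to the earliest date you believe the integration may have been compromised; anything earlier builds the IP baseline. Pair the output with the Setup Audit Trail entries for connected-app and token revocations so that a "Failed: Revoked" row can be matched to the revocation that caused it.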
Defence & Engineering
- IKAD Engineering Breach: New details have emerged regarding the ransomware attack on IKAD Engineering, a key player in the defence supply chain (Hunter Class frigates, Collins Class submarines). The "J Group" ransomware gang claims to have exfiltrated 800GB of data after maintaining undetected access for five months. While IKAD states no classified information was compromised, this incident highlights the critical risk of "staycation" attacks where adversaries dwell in networks for extended periods.
Healthcare
- Targeted Phishing Campaigns: The healthcare sector remains a prime target for credential harvesting.
- Point Lonsdale Medical Group and the Sydney Centre for Ear, Nose & Throat (SCENT) have both recently warned patients of data breaches stemming from compromised email accounts. These incidents were triggered by phishing attacks, reinforcing the need for robust email security and staff training in medical practices.
Vulnerability Watch: Web, Cloud & API
Penetration testers and defenders must prioritise the following critical vulnerabilities, which are either being actively exploited or pose an imminent high risk to Australian networks.
1. Microsoft WSUS – Remote Code Execution (Critical)
- CVE: CVE-2025-59287
- CVSS: 9.8 (Critical)
- Status: Active Exploitation Detected.
- Impact: Allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. If you have not patched your Windows Server Update Services (WSUS) following the late October alerts, your internal network is at severe risk of compromise.
2. Oracle Identity Manager – Pre-Auth RCE
- CVE: CVE-2025-61757
- Disclosed: 20 November 2025
- Impact: A pre-authentication Remote Code Execution vulnerability has been discovered in Oracle Identity Manager. This is particularly dangerous for cloud identity environments, allowing attackers to bypass authentication entirely and gain control over identity management systems.
3. Fortinet FortiWeb – Command Injection
- CVE: CVE-2025-58034 & CVE-2025-64446
- Status: Active Exploitation.
- Impact: Multiple flaws in FortiWeb appliances are actively being targeted. CVE-2025-58034 allows authenticated command injection, while other recent flaws allow for authentication bypass. Immediate patching is required for all edge security devices.
Conclusion
The convergence of state-level sanctions and supply chain compromises like the Gainsight incident underscores that cyber threats are becoming more multi-faceted. Australian organisations cannot solely rely on internal perimeter defences; third-party risk management and rapid patch management (especially for "set and forget" services like WSUS) are critical.
Organisations in the Defence and Healthcare sectors should operate with heightened vigilance regarding long-dwelling intruders and social engineering attempts.
Contact us for a quote for penetration testing service or adversary simulation.