Executive Summary
In the last 24 hours, the Australian cyber threat landscape has been dominated by a record-breaking Distributed Denial of Service (DDoS) attack targeting local cloud infrastructure, alongside critical alerts for widely used enterprise edge devices. The Australian Securities and Investments Commission (ASIC) has also signalled a major shift in regulatory enforcement regarding cyber resilience in the financial sector.
Top Story: Australian Cloud Endpoint Hit by Record 15.72 Tbps DDoS
Microsoft has disclosed the mitigation of the largest DDoS attack ever observed in the cloud, targeting a single endpoint in Australia. The attack peaked at a staggering 15.72 Terabits per second (Tbps).
- Attack Vector: The assault originated from a "TurboMirai-class" IoT botnet known as AISURU, comprising approximately 300,000 infected devices (routers, cameras, and DVRs).
- Pentester Insight: This incident highlights the critical risk posed by insecure IoT devices. For organisations relying on cloud infrastructure, it underscores the necessity of stress-testing DDoS mitigation strategies and confirming that upstream providers can absorb volumetric attacks of this magnitude.
Vulnerability Watch: Active Exploitation in the Wild
Two critical vulnerability sets have emerged that require immediate patching and threat hunting.
Fortinet FortiWeb (Web Application Firewall):
- CVE-2025-64446 (Critical): A path-traversal flaw allowing unauthenticated administrative access.
- CVE-2025-58034 (Medium - Actively Exploited): An OS Command Injection vulnerability.
- The Threat: Attackers are chaining these vulnerabilities to bypass authentication and execute arbitrary code on the underlying system. Given FortiWeb's position at the network edge, compromise here grants threat actors deep visibility into decrypted web traffic.
- Action: Patch to version 8.0.2 immediately.
7-Zip (RCE):
- CVE-2025-11001: A Remote Code Execution (RCE) vulnerability in the ubiquitous 7-Zip file archiver is under active exploitation.
- Risk: This client-side vulnerability is a prime vector for phishing campaigns targeting corporate endpoints.
Sector-Specific Intelligence
Government: Security protocols at Parliament House have been tightened significantly during the current visit by a Chinese delegation. Politicians and staff have been instructed to power down devices and disable Wi-Fi to mitigate the risk of close-access cyber espionage. This serves as a stark reminder of the physical proximity risks to mobile devices in sensitive environments.
FinTech & SaaS:
- ASIC Enforcement Shift: ASIC is suing financial advice firm Fortnum Private Wealth for "licensee failures to have adequate cyber security protections." This marks a pivot where regulatory bodies are moving from guidance to prosecution for poor cyber hygiene.
- API Security: New data reveals that financial services now account for 27% of API-specific DDoS traffic. Attackers are moving beyond simple volumetric attacks to application-layer exhaustion, targeting specific expensive API endpoints to disrupt operations.
Healthcare: The sector remains Australia's most targeted industry, sustaining 17% of all reported cyber attacks. The focus continues to be on data extortion via ransomware, leveraging the high sensitivity of patient data (PII/PHI).
AI Systems: Research released today indicates that AI coding assistants, specifically DeepSeek, have been observed generating code with introduced vulnerabilities when prompted with specific political triggers. This "poisoning" of the development lifecycle introduces a new vector for supply chain attacks in software development.
Recommendation for Defenders
Organisations should immediately audit their external attack surface for exposed Fortinet appliances and verify the integrity of their 7-Zip installations. Furthermore, FinTech entities must review their API rate-limiting configurations to defend against the rising tide of application-layer DDoS attacks.
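The API Security item above and this recommendation both point at the same gap: a rate limit that only counts requests treats a cheap balance lookup and an expensive statement export as equal, so an attacker can exhaust the backend while staying under the request quota. The following added example (not code from this brief or any named vendor) contrasts a naive request-count limiter with a cost-weighted token bucket; the endpoint paths, costs, client addresses and budget values are constructed for illustration.

```python
from collections import defaultdict

# Constructed cost table (assumption): budget units consumed per request,
# reflecting roughly how much backend work each endpoint triggers.
ENDPOINT_COST = {
    "/api/v1/balance": 1,                 # cheap cached lookup
    "/api/v1/search": 5,                  # database query
    "/api/v1/statements/export": 20,      # PDF generation, the "expensive" target
}
DEFAULT_COST = 1


class NaiveCountLimiter:
    """Allows up to `limit` requests per client regardless of endpoint cost."""
    def __init__(self, limit=60):
        self.limit = limit
        self.seen = defaultdict(int)

    def allow(self, client, endpoint, now=0.0):
        self.seen[client] += 1
        return self.seen[client] <= self.limit


class CostWeightedLimiter:
    """Per-client token bucket: each request consumes its endpoint's cost."""
    def __init__(self, capacity=60.0, refill_per_sec=1.0, costs=ENDPOINT_COST):
        self.capacity, self.refill, self.costs = capacity, refill_per_sec, costs
        self.buckets = {}                  # client -> (tokens, last_timestamp)
        self.rejected = defaultdict(int)   # feed this counter to detection/alerting

    def allow(self, client, endpoint, now=0.0):
        tokens, last = self.buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        cost = self.costs.get(endpoint, DEFAULT_COST)
        if tokens >= cost:
            self.buckets[client] = (tokens - cost, now)
            return True
        self.buckets[client] = (tokens, now)
        self.rejected[client] += 1
        return False


def simulate(limiter, client, endpoint, n, interval=0.0):
    """Send n requests spaced `interval` seconds apart; return how many were allowed."""
    return sum(limiter.allow(client, endpoint, now=i * interval) for i in range(n))


if __name__ == "__main__":
    burst = "/api/v1/statements/export"
    print("naive allows", simulate(NaiveCountLimiter(), "198.51.100.7", burst, 60))
    print("weighted allows", simulate(CostWeightedLimiter(), "198.51.100.7", burst, 60))
```

In the burst of 60 export requests, the naive limiter admits all 60 while the weighted bucket admits only 3, and the per-client `rejected` counter gives a simple signal for spotting clients that repeatedly hit expensive endpoints.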
Contact us for a quote for penetration testing service or adversary simulation.