The last 24 hours have underscored a critical reality for Australian CISOs and security teams: the separation between "sector-specific" threats is vanishing. From the 15.72 Tbps DDoS attack aimed at Australian infrastructure to the targeted ransomware campaigns crippling regional healthcare, the tempo of operations is accelerating as we approach the holiday season.
As a penetration testing team, we are closely monitoring active exploitation in the wild. Below is your deep-dive briefing on the threats shaping the Australian landscape today.
Sector Intelligence: Healthcare & Government in the Crosshairs
Healthcare: The "Beast" Claims a Victim
Regional healthcare remains a primary target. The Outback Pharmacies group has been listed as a victim by the "Beast" (aka Gigakick) ransomware gang. Threat actors claim to have exfiltrated 150GB of sensitive data, including patient treatment plans, medical history, and financial records. This incident aligns with the broader trend of attackers targeting regional providers who may lack the Tier-1 security architecture of metropolitan hospitals.
- Strategic Shift: In response to this escalation, the Federal Government has announced a $6.4 million grant to establish a dedicated Healthcare Information Sharing and Analysis Centre (CI-ISAC). The goal is clear: stop the "spillover" effect where breaches in healthcare pivot to energy or transport sectors.
Government: Geopolitics & Massive DDoS Mitigation
Yesterday, Australia officially listed the Islamic Revolutionary Guard Corps (IRGC) as a state sponsor of terrorism following intelligence on orchestrated attacks in Sydney and Melbourne. This geopolitical move often precipitates retaliatory cyber campaigns; government agencies and critical infrastructure providers should remain on high alert for hacktivist activity.
On the infrastructure front, Microsoft confirmed the mitigation of a record-breaking 15.72 Tbps DDoS attack targeting an Australian endpoint. The attack was attributed to the Aisuru botnet, a TurboMirai-class IoT botnet. This confirms that adversaries are weaponising compromised IoT devices at an unprecedented scale to attempt brute-force disruptions of Australian cloud resources.
Education: The Western Sydney University Saga Continues
The situation at Western Sydney University (WSU) offers a sobering lesson in threat persistence. Despite the arrest of a former student on 20 cybercrime charges, attacks against the university have continued. This suggests WSU is battling multiple threat actors simultaneously, potentially an insider threat acting independently of external ransomware groups. This highlights the complexity of attribution and the necessity of "zero trust" internal architectures.
Vulnerability Spotlight: Active Exploitation in the Wild
For security engineers and penetration testers, the following vulnerabilities require immediate attention. Exploits are circulating, and we are seeing active scanning against Australian IP ranges.
1. Critical FortiWeb Exploits (Web Application Firewalls)
Fortinet has patched two severe vulnerabilities in its Web Application Firewall (WAF) that are being chained by attackers:
- CVE-2025-64446 (CVSS 9.1): A critical path traversal vulnerability allowing unauthenticated remote code execution (RCE).
- CVE-2025-58034 (CVSS 6.7): An OS command injection flaw.
- Attack Vector: We are observing campaigns where attackers use the path traversal flaw to bypass authentication and then pivot to command injection to gain root access. Patch immediately to version 8.0.2 or higher.
2. Oracle Identity Manager API Bypass (CVE-2025-61757)
This CVSS 9.8 vulnerability is a textbook example of API insecurity. Attackers are bypassing authentication by simply appending specific strings like ;.wadl or ?WSDL to API endpoints.
- The Threat: This allows adversaries to manipulate identity governance flows and escalate privileges without valid credentials. If you rely on Oracle for IAM, verify your exposure immediately.
3. NPM Supply Chain Attack ("Shai-Hulud 2.0")
A sophisticated supply chain attack has been detected targeting developers using popular packages like Zapier and Postman. The "Shai-Hulud 2.0" campaign injects malicious code during the preinstall phase, exfiltrating CI/CD secrets and developer credentials.
- Action: Audit your development pipelines and lock dependency versions to known good states.
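Two concrete pipeline audits follow from the action above: list every dependency that runs code during install (preinstall, install, postinstall, prepare hooks) and confirm the lockfile pins each package to an exact version with an integrity hash. The script below is an added example, not code from the original briefing or from npm; the package manifests, package names and lockfile excerpt are constructed, and "evil-helper" is a made-up illustration rather than a real package.

```python
import json

# Lifecycle hooks npm runs automatically on install; preinstall is the phase
# the briefing says the Shai-Hulud 2.0 campaign abuses.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed manifests standing in for node_modules/<name>/package.json.
CONSTRUCTED_MANIFESTS = {
    "left-pad-ish": {"name": "left-pad-ish", "version": "1.3.0"},
    "native-addon": {"name": "native-addon", "version": "2.0.1",
                     "scripts": {"install": "node-gyp rebuild"}},
    "evil-helper": {"name": "evil-helper", "version": "0.0.9",
                    "scripts": {"preinstall": "node setup.js", "test": "jest"}},
}

# Constructed package-lock.json excerpt; the integrity values are placeholders.
CONSTRUCTED_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/left-pad-ish": {"version": "1.3.0", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/native-addon": {"version": "2.0.1", "integrity": "sha512-PLACEHOLDER"},
        "node_modules/evil-helper": {"version": "0.0.9"},
    },
}


def packages_with_install_hooks(manifests):
    """Map package name -> {hook: command} for every package that runs code on install."""
    found = {}
    for name, pkg in manifests.items():
        hooks = {h: cmd for h, cmd in pkg.get("scripts", {}).items() if h in INSTALL_HOOKS}
        if hooks:
            found[name] = hooks
    return found


def unpinned_lock_entries(lock):
    """Names of lockfile entries lacking an exact version or a sha256/sha512 integrity hash."""
    bad = []
    for path, entry in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry is not a dependency
        if "version" not in entry or not entry.get("integrity", "").startswith(("sha512-", "sha256-")):
            bad.append(path.rsplit("node_modules/", 1)[-1])
    return bad


def review(manifests, lock, allowed_hooks=frozenset({"native-addon"})):
    """Hook-running packages not on the reviewed allowlist, plus unpinned lockfile entries."""
    flagged = {n: h for n, h in packages_with_install_hooks(manifests).items() if n not in allowed_hooks}
    return {"unreviewed_hooks": flagged, "unpinned": unpinned_lock_entries(lock)}


if __name__ == "__main__":
    print(json.dumps(review(CONSTRUCTED_MANIFESTS, CONSTRUCTED_LOCK), indent=2))
```

Running installs with ignore-scripts=true in .npmrc (or npm ci --ignore-scripts) stops these hooks from executing at all, so the allowlist then only needs to cover packages whose build step you deliberately run by hand.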
FinTech & eCommerce: The AI-Driven Holiday Scam Wave
As the Black Friday/Cyber Monday window opens, AI-driven fraud is surging. A new report indicates Australian shoppers are losing an average of AUD $445 per incident. The new vector? AI-generated "deal sites" that mimic legitimate brands with perfect spelling and high-quality graphics, specifically targeting users of "Buy Now, Pay Later" services.
Simultaneously, a massive phishing campaign impersonating Centrelink and Medicare (MyGov) is hitting inboxes, aiming to harvest credentials during this high-traffic period.
Summary & Mitigation
The threat landscape is currently dominated by extortion (Ransomware) and infrastructure stress tests (DDoS).
- Patch FortiWeb and Oracle IAM interfaces immediately.
- Geo-block traffic from high-risk regions if your business logic allows, particularly to mitigate botnet volumes.
- Adversary Simulation: With the WSU incident proving that "insiders" and "outsiders" can attack simultaneously, validating your detection capabilities against a multi-vector attack is crucial.
Contact us for a quote for penetration testing service or adversary simulation.