Daily Threat Briefing: Australia’s Holiday Cyber Surge & Critical Sector Alerts

Executive Summary

As we wrap up the Black Friday weekend and move into the holiday season, the Australian cyber threat landscape has seen a significant escalation in activity over the last 24 hours. Our deep dive into the latest intelligence reveals a coordinated surge in campaigns targeting the government, healthcare, and retail sectors. Advanced Persistent Threats (APTs) and opportunistic criminal gangs are leveraging AI-driven automation to exploit new vulnerabilities in web applications and APIs.

Below is a detailed breakdown of the critical threats, exploited vulnerabilities, and active threat actors impacting Australian organisations today.


Sector-Specific Threat Intelligence

1. Government & Healthcare: The "MyGov" Impersonation Wave

In the last 24 hours, a massive phishing and credential harvesting campaign has been detected targeting Australian government services.

  • The Threat: A high-volume email campaign purporting to be from Centrelink and Medicare is currently active, affecting over 270,000 Australians. These emails utilise sophisticated social engineering, claiming "benefit suspensions" or "tax refunds" to drive urgency.
  • Technical Insight: The lures are built from previously stolen legacy data, which is what makes them so convincing. The sites the links redirect to host AiTM (Adversary-in-the-Middle) phishing kits that bypass standard Multi-Factor Authentication (MFA) by capturing session tokens in real time.
  • Healthcare Alert: CyberCX reports indicate that the healthcare sector remains the top target (17% of all attacks). Threat actors are currently focusing on non-hospital clinical providers—such as GP clinics and allied health services—exploiting "tech debt" and unpatched legacy systems to pivot into larger health networks.

2. eCommerce & Retail: The Post-Black Friday Fallout

As transaction volumes peaked this weekend, so did the attacks on digital retail infrastructure.

  • Active Exploits: We are observing active exploitation of critical vulnerabilities in major eCommerce platforms. Specifically, CVE-2025-54236 (Magento) and CVE-2025-47569 (WooCommerce Ultimate Gift Card plugin) are being weaponised to inject Magecart-style digital skimmers.
  • AI-Driven Fraud: Retailers are facing a wave of AI-generated fake reviews and "synthetic" identities used to test stolen credit card data (carding) at scale. Malicious domains mimicking major Australian retail brands have surged, hosted on bulletproof networks to resist takedowns.

3. SaaS & Cloud: API Insecurity at the Forefront

Australia currently holds the unenviable title of having the highest frequency of API security incidents in the APAC region.

  • The Incident: Intelligence suggests a recent breach of an Australian SaaS loan management provider involved the threat actor "Scattered Spider". This group is known for sophisticated social engineering of helpdesk staff to gain initial access.
  • Attack Vector: The breach likely exploited an unsecured API endpoint (Broken Object Level Authorization - BOLA) that allowed the exfiltration of sensitive financial data without triggering traditional perimeter alarms.
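As an added illustration of the BOLA weakness named in the Attack Vector bullet (example code, not from the briefing or from any named provider), a vulnerable record handler sits beside a hardened one that enforces object-level ownership and logs denials so that enumeration can be detected; the loan records, customer IDs and audit list are constructed for the example.

```python
# Constructed in-memory loan store and two request handlers: one with the
# BOLA flaw, one with object-level authorisation. Example code only.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Loan:
    loan_id: int
    owner_id: str
    balance_cents: int

# Constructed sample data: two customers, three loans.
LOANS = {
    101: Loan(101, "cust-A", 1_250_000),
    102: Loan(102, "cust-A", 80_000),
    103: Loan(103, "cust-B", 4_000_000),
}

DENIED_LOG: list = []  # hypothetical audit sink feeding detection/alerting

def get_loan_vulnerable(session_user: str, loan_id: int) -> Optional[dict]:
    """BOLA: the caller is authenticated, but ownership is never checked, so
    any valid session can read any record simply by supplying its ID."""
    loan = LOANS.get(loan_id)
    if loan is None:
        return None
    return {"loan_id": loan.loan_id, "balance_cents": loan.balance_cents}

def get_loan_hardened(session_user: str, loan_id: int) -> Optional[dict]:
    """Object-level authorisation: look the record up AND confirm the session
    principal owns it. Missing and foreign records both return None (a 404 at
    the HTTP layer) so the endpoint does not reveal which IDs exist."""
    loan = LOANS.get(loan_id)
    if loan is None or loan.owner_id != session_user:
        DENIED_LOG.append({"user": session_user, "loan_id": loan_id})
        return None
    return {"loan_id": loan.loan_id, "balance_cents": loan.balance_cents}

def denied_count(session_user: str) -> int:
    """Detection hook: one session denied across many distinct object IDs is
    the signature a BOLA scraper leaves, and is worth alerting on."""
    return len({e["loan_id"] for e in DENIED_LOG if e["user"] == session_user})
```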

4. IoT & Smart Infrastructure: The Home Front

With the rapid adoption of smart home devices, the attack surface has expanded into Australian homes and energy grids.

  • Solar Inverter Risks: New reports highlight a critical risk in solar inverters, which are being targeted to potentially disrupt local energy grids.
  • Smart Home Attacks: Australian households are now facing an average of 29 cyber attacks per day. The primary vectors are weak default credentials and unpatched firmware in smart TVs and IP cameras, which are being enslaved into botnets for DDoS attacks.

Technical Deep Dive: Critical Vulnerabilities

Penetration testers and security teams must urgently validate the following vulnerabilities in their environments:

  • Fortinet FortiWeb (CVE-2025-58034 & CVE-2025-64446): These critical OS command injection vulnerabilities are being actively chained by attackers to bypass authentication and achieve remote code execution. Immediate patching is mandatory.
  • Oracle E-Business Suite (CVE-2025-61882): A new flaw allowing remote code execution is being targeted, particularly within the supply chains of large enterprises.
  • API Misconfigurations: With 95% of Australian organisations reporting API incidents, teams must audit for "Zombie APIs" (outdated, undocumented endpoints) which are currently a preferred entry point for data exfiltration.

Emerging Threat Actors

  • Scattered Spider: Continuing their aggressive targeting of SaaS and identity providers (Okta, Microsoft Entra ID) via social engineering.
  • State-Sponsored Activity: There is elevated chatter regarding APT groups linked to China and Iran targeting Australian research institutes and education sectors (specifically universities) to harvest intellectual property and population-level data.

Recommendations for Australian Organisations

  1. Validate Your External Attack Surface: ensure no shadow IT or forgotten API endpoints are exposed.
  2. Patch Critical Appliances: Prioritise Fortinet and eCommerce plugins immediately.
  3. Strengthen Identity Security: Move to FIDO2/WebAuthn hardware keys where possible to neutralise AiTM phishing attacks targeting MyGov and corporate logins.
  4. Review Third-Party Risk: Audit SaaS providers for compliance with the latest "Smart to Secure" guidelines.

Contact us for a quote for penetration testing service or adversary simulation.