Executive Summary
As we enter December, the Australian cyber threat landscape has escalated sharply. In the last 24 hours, security teams across the nation have faced a convergence of sophisticated state-sponsored activity, record-breaking DDoS attacks, and targeted supply chain compromises. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and global intelligence feeds indicate a critical surge in threats targeting SaaS environments and healthcare infrastructure.
This briefing covers the most significant threats, threat actors, and vulnerabilities identified over the weekend and into today, specifically tailored for Australian organisations.
Sector-Specific Threat Intelligence
1. Cloud & SaaS Providers: The "Scattered LAPSUS$ Hunters" Campaign
A highly sophisticated threat actor, tentatively dubbed "Scattered LAPSUS$ Hunters" (a suspected fusion of Scattered Spider and Lapsus$ TTPs), has launched a campaign targeting Salesforce instances.
- The Attack Vector: The group is not breaking Salesforce itself; it is abusing the SaaS supply chain. By compromising third-party integrations such as the Gainsight app, it inherits the OAuth access those integrations hold into customer Salesforce instances and uses that foothold to pivot into broader corporate environments.
- Impact: Unauthorised access to customer data and potential lateral movement into connected cloud infrastructure.
- Recommendation: SaaS providers and users must immediately audit connected applications, review the OAuth scopes each one holds, and revoke tokens for integrations that are unknown, unused, or more privileged than their function requires.
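A worked triage of connected-app OAuth grants, added here as an example (it is not the briefing's own tooling and not Salesforce code). It takes the rows an admin can export for each connected app (app name, granting user, granted scopes, last use, use count) and flags unknown apps, broad scopes, and stale or never-used tokens, which is also the "least privilege for API tokens" check the Strategic Recommendations section asks for. The approved-app list, scope names, the 90-day staleness window and the sample rows are constructed assumptions; in a real Salesforce org the rows would come from the connected-app OAuth usage page or a SOQL query over the OauthToken object (assumption: that object is visible to the auditing user).

```python
"""Triage of SaaS connected-app OAuth grants. Added example; not from the briefing.

Each Grant mirrors what a Salesforce admin can export per connected app
(assumption: via the OAuth usage page or a SOQL query over OauthToken);
SAMPLE_GRANTS below is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional

# Integrations the business has knowingly approved (assumption: kept by the SaaS owner).
APPROVED_APPS = {"Corporate SSO", "Data Loader", "Gainsight"}
# Scopes that let an integration read or change data tenant-wide.
BROAD_SCOPES = {"full", "api", "refresh_token", "web"}
# A token nobody has exercised in this window is dead weight for the business
# and live weight for an attacker who steals it.
STALE_AFTER = timedelta(days=90)
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)   # audit time used for the sample


@dataclass(frozen=True)
class Grant:
    app_name: str
    user: str
    scopes: FrozenSet[str]
    last_used: Optional[datetime]   # None: issued but never used
    use_count: int


def audit_grants(grants, now=NOW, approved=APPROVED_APPS):
    """Return {(app, user): [reasons]} for every grant that needs a decision."""
    findings = {}
    for g in grants:
        reasons = []
        if g.app_name not in approved:
            reasons.append("unknown app")
        broad = sorted(g.scopes & BROAD_SCOPES)
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if g.last_used is None:
            reasons.append("never used")
        elif now - g.last_used > STALE_AFTER:
            reasons.append(f"stale: {(now - g.last_used).days} days since last use")
        if reasons:
            findings[(g.app_name, g.user)] = reasons
    return findings


def revoke_candidates(findings):
    """Grants to revoke outright: nobody approved the app, or nothing is using the token."""
    return {
        key for key, reasons in findings.items()
        if any(r in ("unknown app", "never used") or r.startswith("stale") for r in reasons)
    }


SAMPLE_GRANTS = [  # constructed sample rows
    Grant("Corporate SSO", "everyone@example.org", frozenset({"openid", "email"}),
          datetime(2025, 12, 1, tzinfo=timezone.utc), 99999),
    Grant("Gainsight", "admin@example.org", frozenset({"api", "refresh_token", "web"}),
          datetime(2025, 11, 30, tzinfo=timezone.utc), 1200),
    Grant("Quarterly Report Bot", "sales@example.org", frozenset({"api", "refresh_token"}),
          datetime(2025, 6, 1, tzinfo=timezone.utc), 40),
    Grant("Data Loader", "ops@example.org", frozenset({"api"}), None, 0),
]

if __name__ == "__main__":
    found = audit_grants(SAMPLE_GRANTS)
    to_revoke = revoke_candidates(found)
    for key, reasons in found.items():
        action = "REVOKE" if key in to_revoke else "REVIEW"
        print(f"{action:6} {key[0]} ({key[1]}): {'; '.join(reasons)}")
```

Treat the output as a worklist: everything in revoke_candidates() goes first, and approved apps that still carry broad scopes (Gainsight in the sample) are reviewed against what the integration actually needs, because an approved but over-scoped integration is exactly the pivot point the campaign above relies on.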
2. Healthcare: Ransomware Persistence
Healthcare remains the most targeted sector in Australia, accounting for 17% of all recent attacks.
- Recent Incident: Victoria-based Point Lonsdale Medical Group has disclosed a cyber attack resulting in unauthorised access to personal information. This follows the major breach at Western Sydney University, which compromised sensitive health data.
- Threat Actor: Ransomware gangs such as Akira and SafePay are actively targeting Australian medical centres, often exploiting unpatched VPN concentrators to gain initial access.
3. eCommerce: Holiday Season "Vibe Scamming"
With the Black Friday and Cyber Monday sales period concluding, a new AI-driven threat known as "Vibe Scamming" has emerged.
- The Tactic: Threat actors are using generative AI to analyse a target's social media activity and shopping history, then craft hyper-personalised phishing lures that closely match the tone and "vibe" of legitimate brands.
- Supply Chain Risk: Retailers are also warned of third-party breaches, similar to the recent incident involving fashion retailer Mango, where marketing providers were compromised to harvest customer details.
4. Government & Critical Infrastructure: Record DDoS Mitigation
In a concerning development for national resilience, Microsoft and local ISPs successfully mitigated the largest Distributed Denial-of-Service (DDoS) attack ever recorded against an Australian endpoint.
- The Attack: Peaking at 15.72 Terabits per second (Tbps), the attack was orchestrated by the AISURU botnet, a TurboMirai-class variant powered by hundreds of thousands of compromised IoT devices (routers, cameras, and DVRs).
- Implication: This signals a capability leap in botnet infrastructure. If, as is likely, that capacity is offered through "DDoS-for-hire" platforms, terabit-scale floods are within reach of anyone targeting government services.
5. FinTech: Crypto Drains & Police Impersonation
The ASD’s ACSC has issued a medium alert regarding a surge in scams where criminals impersonate Australian police officers.
- Modus Operandi: Victims are contacted regarding "fraudulent activity" and coerced into transferring cryptocurrency or handing over seed phrases for "verification."
- FinTech Impact: Platforms are urged to enhance fraud detection triggers for sudden high-value crypto outflows.
Vulnerability Watch: Web, API, and AI
Penetration testers and defenders must prioritise the following vulnerabilities which are currently being exploited in the wild:
Fortinet FortiWeb (CVE-2025-58034):
- Severity: Medium by CVSS (6.7), but actively exploited, so treat it as a priority-one patch.
- Type: OS Command Injection.
- Risk: Allows an authenticated attacker to execute unauthorised code or commands via crafted HTTP requests. Patch affected 7.x and 8.x appliances immediately; until then, restrict the administrative HTTP interface to trusted networks.
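To make the bug class concrete, an added example (not FortiWeb code and not a reproduction of CVE-2025-58034, whose vulnerable code path is not described here): a request handler that interpolates a host parameter into a shell command, beside a hardened version that validates the parameter against an allow-list pattern and passes it as a single argv element with no shell. The ping wrapper and the hostname pattern are assumptions chosen for illustration.

```python
"""OS command injection: an injectable handler beside its hardened form.
Added illustration of the bug class; not FortiWeb code."""
import re
import shlex
import subprocess
from typing import List

# Allow-list for the one parameter this handler accepts: a DNS name or a dotted
# IPv4 literal (assumption: that is all the feature needs). Shell metacharacters
# (; | & $ ` space, quotes, newlines) and a leading '-' cannot match this pattern.
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def vulnerable_command(host: str) -> str:
    """Builds the command an injectable handler hands to a shell: the untrusted
    'host' query parameter is pasted straight into a command string that the
    server runs with shell=True, so '8.8.8.8; id' runs id as the service user."""
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    return bool(_HOST_RE.match(host))


def hardened_command(host: str) -> List[str]:
    """Reject anything that is not a host, then pass it as one argv element.
    With no shell involved there is nothing for metacharacters to act on."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return ["ping", "-c", "1", host]


def quoted_shell_command(host: str) -> str:
    """If a shell really is unavoidable, quote the value. This is defence in
    depth on top of validation, not a replacement for it."""
    return f"ping -c 1 {shlex.quote(host)}"


def run_ping(host: str) -> int:
    """Execute the hardened form (argv list, shell=False) and return the exit code."""
    return subprocess.run(hardened_command(host), capture_output=True, timeout=10).returncode


if __name__ == "__main__":
    attack = "8.8.8.8; id"
    print("vulnerable:", vulnerable_command(attack))
    print("quoted    :", quoted_shell_command(attack))
    try:
        hardened_command(attack)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", hardened_command("example.com"))
```

The allow-list also rejects values such as "-f", which closes the argument-injection hole (a value that the target binary parses as a flag) that quoting alone leaves open; validate first, avoid the shell, and only then fall back to quoting.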
Google Chrome V8 (CVE-2025-13223):
- Severity: High.
- Type: Type Confusion.
- Risk: Remote Code Execution (RCE) via a malicious web page. With exploitation already reported in the wild, this is a critical client-side vector against corporate endpoints; push the patched Chrome release rather than waiting for the normal update cycle.
AI System Exploitation:
- Threat: Security researchers have identified a new Remote Access Trojan (RAT) disguising its Command and Control (C2) traffic as LLM Chat API requests. By mimicking legitimate traffic to AI models, these tools bypass standard network detection rules.
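An added detection example (not the researchers' tooling and not from the original briefing) for the RAT described above, which also covers the "AI Traffic Analysis" item under Strategic Recommendations. Run over constructed proxy log lines for chat-completion API calls, it scores each source on three signals an implant hiding in LLM traffic tends to leave: "prompts" that are one long base64 blob with near-random entropy, fixed-interval beaconing, and requests to a host outside the sanctioned AI providers. The log format and field names, the sanctioned-host list, the thresholds and the sample records are all assumptions.

```python
"""Hunting for C2 hidden in LLM chat-API traffic. Added example; not from the briefing.
Input: JSON-lines proxy records with ts, src, host, path, method, body (assumed format)."""
import base64
import hashlib
import json
import math
import re
from collections import defaultdict
from datetime import datetime

CHAT_API_PATHS = ("/v1/chat/completions", "/v1/messages")    # OpenAI- and Anthropic-style endpoints
SANCTIONED_HOSTS = {"api.openai.com", "api.anthropic.com"}    # assumption: the org's approved providers
ENTROPY_THRESHOLD = 5.0      # bits/char; English prose sits near 4.2, base64 of ciphertext near 5.9
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/=]{64,}")
MIN_BEACON_REQUESTS = 4
MAX_JITTER = 0.2             # (max gap - min gap) / mean gap; human usage is far noisier than this


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def prompt_text(body: str) -> str:
    """Concatenate the user-supplied message contents from a chat-completions body."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return ""
    msgs = data.get("messages", []) if isinstance(data, dict) else []
    return " ".join(str(m.get("content", "")) for m in msgs if isinstance(m, dict))


def looks_encoded(text: str) -> bool:
    """One long base64 token with near-random entropy is a carried payload, not a question."""
    t = text.strip()
    return bool(BASE64_BLOB.fullmatch(t)) and shannon_entropy(t) > ENTROPY_THRESHOLD


def is_beaconing(times) -> bool:
    if len(times) < MIN_BEACON_REQUESTS:
        return False
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and (max(gaps) - min(gaps)) / mean < MAX_JITTER


def analyse(log_lines):
    """Return {src: {"tags": set, "requests": n}} for sources showing at least one C2 signal."""
    per_src = defaultdict(lambda: {"times": [], "encoded": 0, "total": 0, "hosts": set()})
    for line in log_lines:
        rec = json.loads(line)
        if not any(p in rec["path"] for p in CHAT_API_PATHS):
            continue                                   # only chat-style API calls are scored
        st = per_src[rec["src"]]
        st["total"] += 1
        st["times"].append(datetime.fromisoformat(rec["ts"]))
        st["hosts"].add(rec["host"])
        if looks_encoded(prompt_text(rec["body"])):
            st["encoded"] += 1
    findings = {}
    for src, st in per_src.items():
        tags = set()
        if st["encoded"] / st["total"] >= 0.5:          # half or more of the "prompts" are blobs
            tags.add("encoded_payload")
        if is_beaconing(st["times"]):
            tags.add("beaconing")
        if st["hosts"] - SANCTIONED_HOSTS:
            tags.add("unsanctioned_host")
        if tags:
            findings[src] = {"tags": tags, "requests": st["total"]}
    return findings


# ---- constructed sample traffic -------------------------------------------
def c2_frame(n: int) -> str:
    """Deterministic stand-in for an encrypted C2 frame: 256 pseudo-random bytes, base64-encoded."""
    raw = b"".join(hashlib.sha256(f"frame-{n}-{i}".encode()).digest() for i in range(8))
    return base64.b64encode(raw).decode()


def make_record(ts, src, host, path, content):
    body = json.dumps({"model": "gpt-4o", "messages": [{"role": "user", "content": content}]})
    return json.dumps({"ts": ts, "src": src, "host": host, "path": path, "method": "POST", "body": body})


USER_PROMPTS = [  # an analyst's genuine usage: irregular timing, English prompts, sanctioned host
    ("09:02:10", "Summarise the attached quarterly sales figures for the Melbourne region."),
    ("09:31:45", "Rewrite this incident update for a non-technical executive audience."),
    ("10:04:03", "What does a CVSS score of 6.7 mean, and why might it still be urgent?"),
    ("10:05:30", "Thanks. Can you turn that into two bullet points?"),
]
SAMPLE_LOG = (
    [make_record(f"2025-12-01T{t}", "10.1.2.7", "api.openai.com", "/v1/chat/completions", q) for t, q in USER_PROMPTS]
    # an implant: fixed 5-minute cadence, base64 "prompts", look-alike host
    + [make_record(f"2025-12-01T09:{m:02d}:00", "10.1.2.3", "api.openai-gateway.example",
                   "/v1/chat/completions", c2_frame(m)) for m in (0, 5, 10, 15)]
    # not a chat call; ignored by analyse()
    + [json.dumps({"ts": "2025-12-01T09:07:00", "src": "10.1.2.3", "host": "api.openai-gateway.example",
                   "path": "/v1/models", "method": "GET", "body": ""})]
)

if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(src, f["requests"], "requests", sorted(f["tags"]))
```

No single signal is proof: a developer pasting a certificate into a prompt trips the entropy check once, and a scheduled summarisation job beacons. Score the signals together, and note that an implant relaying through a sanctioned provider would still trip the first two, which is why payload inspection has to run even for approved hosts.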
Strategic Recommendations
- Harden SaaS Integrations: Treat third-party SaaS apps as untrusted entities and implement strict "least privilege" policies for API tokens.
- Patch Edge Devices: Prioritise Fortinet and VPN gateway updates immediately to prevent ransomware ingress.
- Botnet Resilience: Ensure DDoS mitigation services are stress-tested against terabit-scale floods.
- AI Traffic Analysis: Update network monitoring rules to inspect payloads within AI API traffic for anomalous encoding or patterns.
Contact us for a quote for penetration testing service or adversary simulation.

