Monthly Threat Briefing: Australia – November 2025

As we approach the holiday season, the Australian cyber threat landscape has intensified, with November 2025 marking a significant surge in ransomware activity and sophisticated supply chain attacks. The Australian Signals Directorate (ASD) and private sector intelligence indicate that threat actors are increasingly capitalising on reduced staffing levels during weekends and public holidays, a trend expected to escalate as we head into December.

This month’s briefing analyses critical incidents and emerging vulnerabilities across key sectors, highlighting the urgent need for robust defence mechanisms in web applications, cloud environments, and AI systems.

Sector-Specific Threat Intelligence

Healthcare

The healthcare sector remains a primary target for extortion. In November, the Point Lonsdale Medical Group in Victoria confirmed a cyber attack resulting in the unauthorised access of personal information. This incident follows a broader trend of ransomware groups, such as INC Ransom, aggressively targeting medical centres and allied health providers. The critical nature of patient data makes these organisations prime targets for "double extortion" tactics, where attackers encrypt data and threaten to release it publicly.

Education & EdTech

Western Sydney University continues to manage the fallout from a major data breach revealed recently, which exposed sensitive data including tax file numbers, payroll figures, and health information. Forensic investigation suggests the unauthorised access occurred between June and September 2025, but the repercussions are still being felt across the sector. This highlights the persistence of threat actors within academic networks, often remaining undetected for months.

Government

State-sponsored espionage remains a top concern. On 24 November 2025, federal parliamentarians and staff at Parliament House were issued a strict warning to disable Wi-Fi and Bluetooth on their devices during a high-profile visit by a foreign delegation. This precautionary measure underscores the heightened risk of close-access technical attacks and data interception targeting government officials.

Additionally, the Crisis24 OnSolve CodeRED platform, used by emergency services, faced disruptions due to a cyber attack claimed by the INC ransomware gang. This attack on critical emergency notification infrastructure demonstrates the willingness of cybercriminals to endanger public safety for financial gain.

SaaS & AI Systems

November saw a notable incident involving OpenAI and analytics provider Mixpanel. OpenAI severed ties with the vendor after a security lapse exposed non-content data associated with some API users, such as email addresses and organisation IDs. While no chat logs or API keys were compromised, this incident serves as a stark reminder of third-party supply chain risks in the AI ecosystem.

Furthermore, a breach at customer success platform Gainsight reportedly impacted Salesforce customer tokens, forcing companies to rotate credentials rapidly. For SaaS providers, these events highlight the fragility of trust in interconnected cloud ecosystems.

FinTech

The Australian Cyber Security Centre (ACSC) issued alerts this month regarding scammers impersonating police to target cryptocurrency users. These sophisticated social engineering campaigns aim to steal seed phrases and wallet funds. Financial institutions are also grappling with a rise in AI-driven fraud, where deepfake voice technology is used to bypass biometric authentication in phone banking.

IoT & Automotive

Vulnerabilities in connected vehicles took centre stage with the disclosure of a flaw in Subaru’s Starlink multimedia technology (CVE-2025-xxxx), which could potentially allow third parties to access user accounts. As vehicles become increasingly software-defined, the attack surface for IoT significantly expands, necessitating rigorous penetration testing of embedded systems and APIs.

Vulnerability Spotlight: Exploited & Critical CVEs

Organisations should prioritise patching the following vulnerabilities, which were either actively exploited or rated critical in November 2025:

  • Oracle Identity Manager (CVE-2025-61757): A critical pre-authentication Remote Code Execution (RCE) vulnerability. Security researchers have observed this being exploited as a zero-day. Immediate patching is required for all identity governance implementations.
  • Microsoft WSUS (CVE-2025-59287): A critical flaw in Windows Server Update Services allows attackers to intercept and manipulate updates. This is particularly dangerous for enterprise environments relying on internal update servers.
  • Node-forge (CVE-2025-12816): A high-severity vulnerability in this popular JavaScript cryptography library can allow attackers to bypass signature verifications. Developers using this package in their web applications must upgrade immediately to prevent cryptographic bypass attacks.

Strategic Recommendations

As we enter the holiday period, Australian organisations must assume that "off-hours" are target hours. We recommend:

  1. Enforcing 24/7 monitoring or managed detection and response (MDR) coverage during the holidays.
  2. Reviewing third-party access auditing, especially for SaaS integrations (like the OpenAI/Mixpanel case).
  3. Conducting adversary simulation to test resilience against ransomware encryption and data exfiltration tactics.

Contact us for a quote for penetration testing service or adversary simulation.