Executive Summary
The last 24 hours have seen a significant surge in ransomware activity and critical infrastructure targeting across Australia. The Australian Cyber Security Centre (ACSC) and industry watchdogs have issued multiple alerts regarding active exploitation of network edge devices. Prominent threat actors, including KillSec, Space Bears, and RipperSec, have claimed successful breaches against Australian targets in the Government, FinTech, and Education sectors.
Organisations are urged to prioritise patching critical vulnerabilities in Cisco and Microsoft infrastructure immediately, as threat actors are weaponising these flaws for initial access.
Sector-Specific Threat Intelligence
Government & Public Sector
- Muswellbrook Shire Council Data Leak: Following a ransomware incident last month, the SafePay ransomware gang has reportedly published 175GB of stolen data. This highlights the persistent risk of "double extortion" where backups alone are insufficient to prevent data exposure.
- Legal Practice Board of Western Australia: Investigations into the May cyber incident continue, with reports indicating the Dire Wolf group may have re-published sensitive datasets on the dark web despite previous takedown efforts.
FinTech & Financial Services
- Austin’s Financial Solutions Breach: The Kairos ransomware group has claimed responsibility for a significant breach of the NSW-based wealth management firm, allegedly exfiltrating 147GB of sensitive financial data, including employee passports and payroll records.
- Vroom by YouX (API/Cloud Exposure): A critical lapse in cloud security was identified involving a non-password-protected database belonging to the FinTech lender. This exposure left thousands of driver’s licences and PII records vulnerable—a stark reminder of the dangers of API misconfigurations and improper access controls in cloud environments.
Education (EdTech)
- University of NSW Targeted: The hacktivist group RipperSec has claimed a distributed denial-of-service (DDoS) and potential defacement attack on the university’s physics department website. Educational institutions remain a prime target for politically motivated disruption.
Healthcare & Community Services
- Christian Community Aid Ransomware: The Space Bears ransomware gang has listed this community support organisation as a victim. With the healthcare sector already under strain, attacks on support services can have devastating downstream effects on vulnerable community members.
SaaS & Technology Providers
- Hexicor Breach: The KillSec ransomware gang has targeted IT services provider Hexicor, stealing client folders and security data (hashed passwords). This supply chain attack poses a risk to Hexicor's downstream clients, emphasising the need for rigorous third-party risk management.
Critical Vulnerabilities & Exploits (CVEs)
Penetration testers and defenders must be aware of the following vulnerabilities, which are being actively exploited against Australian targets:
Cisco ASA & FTD (CVE-2025-20333 & CVE-2025-20363):
- Severity: Critical (CVSS 9.8)
- Impact: Remote Code Execution (RCE) and unauthorised access.
- Status: The ACSC warns that threat actors are chaining these vulnerabilities to bypass authentication on VPN web servers. Immediate patching of edge firewalls is mandatory.
Microsoft WSUS (CVE-2025-59287):
- Severity: Critical
- Impact: A vulnerability in Windows Server Update Services (WSUS) allows attackers to compromise internal update mechanisms. This is a high-priority patch for enterprise environments.
SonicWall SSL VPN (CVE-2024-40766):
- Status: Continued active exploitation by the Akira ransomware group. Despite being an older CVE, unpatched devices remain a primary entry point for ransomware operators in Australia.
Strategic Recommendations
- Audit External Attack Surface: Immediately verify that no development databases or APIs are exposed to the public internet without authentication (as seen in the Vroom incident).
- Patch Edge Devices: Prioritise Cisco and SonicWall VPN/Firewall updates.
- Adversary Simulation: With groups like KillSec and Kairos bypassing traditional defences, organisations should conduct red teaming exercises to test their resilience against modern ransomware TTPs (Tactics, Techniques, and Procedures).
Contact us for a quote for penetration testing services or adversary simulation.