Daily Threat Briefing: Critical WatchGuard Exploits & Holiday Ransomware Spikes – 24 December 2025

Executive Summary

As we head into the Christmas break, the Australian cyber threat landscape has escalated significantly over the last 24 hours. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD's ACSC) has issued a critical alert regarding active exploitation of WatchGuard Firebox devices. This comes alongside a surge in ransomware activity targeting the education and government sectors, with threat actors looking to capitalise on reduced staffing levels during the holiday period.

For security teams, the priority today is patching edge devices and ensuring on-call rotations are robust for the next 48 hours.

Sector-Specific Updates

Government

  • ACT IT Systems Exposed: A scathing report released yesterday (23 December) by the ACT Audit Office has highlighted severe IT control weaknesses across multiple government agencies. The audit found that 68% of identified issues related to information security controls, specifically user access management and logging. This leaves agencies highly susceptible to fraud and unauthorised data exfiltration, a critical concern given the sensitive citizen data held.
  • Critical Infrastructure Alert: The ASD has reiterated warnings regarding Salt Typhoon, a sophisticated state-sponsored actor targeting telecommunications infrastructure. Australian gov-tech providers are urged to review logs for "living off the land" techniques, particularly involving Cisco and Fortinet edge devices.

Education & EdTech

  • Ransomware Hits Schools: The Fog ransomware gang has claimed responsibility for an attack on Waverley Christian College in Victoria. This follows a trend of late-year attacks on educational institutions when IT resources are often winding down.
  • SaaS Platform Targeted: Australian educational support platform 'Thanks For the Help' (TFTH) has been listed as a victim by the KillSec ransomware group. This highlights the growing risk to EdTech SaaS providers who hold aggregated student data.

Healthcare

  • Persistent Targeting: According to the CyberCX 2025 Threat Report, healthcare remains the most targeted non-government sector in Australia.
  • Data Integrity Risks: Recent incidents involving Funksec (who targeted the Fresh Produce Safety Centre) demonstrate that even peripheral health-related non-profits are in the crosshairs. While the data leaks have been minor so far, the entry vectors often involve unpatched web applications and third-party API integrations.

eCommerce & FinTech

  • API Security Crisis: New data indicates that 95% of Australian organisations experienced an API security incident this year. For eCommerce platforms bracing for Boxing Day sales, Broken Object Level Authorisation (BOLA) remains the top vulnerability.
  • Gaming Sector Breach: Ainsworth Game Technology has been targeted by the Medusa ransomware group, with claims of over 800GB of data stolen. FinTechs and gaming operators should be on high alert for similar extortion attempts.
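Added example, not from the briefing or any vendor: the BOLA pattern named above, shown as a vulnerable order-lookup handler beside a hardened one. The in-memory order store, the `session` object shape and the `GET /orders/:id` semantics are assumptions constructed for the example so it runs offline in plain Node.js.

```javascript
// Added example (constructed, not from the briefing): Broken Object Level
// Authorisation (BOLA) in an order-lookup endpoint, vulnerable and hardened.

// Constructed sample data: two customers, each with one order.
const ORDERS = new Map([
  [1001, { id: 1001, ownerId: "cust-A", total: 149.95, items: ["headphones"] }],
  [1002, { id: 1002, ownerId: "cust-B", total: 89.0, items: ["kettle"] }],
]);

// Vulnerable: authenticates the caller, then trusts the caller-supplied id and
// returns whatever it finds. Any logged-in user can walk other customers' orders.
function getOrderVulnerable(session, orderId) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const order = ORDERS.get(Number(orderId));
  if (!order) return { status: 404, body: { error: "not found" } };
  return { status: 200, body: order };
}

// Hardened: the lookup is scoped to the caller. A record that exists but belongs
// to someone else is answered exactly like a missing record, so the endpoint
// neither leaks the record nor confirms which ids exist.
function getOrderHardened(session, orderId) {
  if (!session || !session.userId) {
    return { status: 401, body: { error: "unauthenticated" } };
  }
  const id = Number(orderId);
  if (!Number.isInteger(id) || id <= 0) {
    return { status: 400, body: { error: "invalid id" } };
  }
  const order = ORDERS.get(id);
  if (!order || order.ownerId !== session.userId) {
    return { status: 404, body: { error: "not found" } };
  }
  return { status: 200, body: order };
}

// Self-check: customer A asks for customer B's order through both handlers.
function demo() {
  const sessionA = { userId: "cust-A" };
  return {
    vulnerable: getOrderVulnerable(sessionA, "1002").status, // 200: other customer's data returned
    hardened: getOrderHardened(sessionA, "1002").status,     // 404: scoped lookup denies it
    own: getOrderHardened(sessionA, "1001").status,          // 200: owner still sees their order
  };
}

console.log(demo());
```

The fix is the ownership check on the fetched record, not input validation alone; validating that `id` is an integer stops malformed requests but does nothing against a valid id that belongs to someone else.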

Emerging Vulnerabilities: Web, Cloud & AI

1. WatchGuard Firebox (CVE-2025-14733) – CRITICAL

  • Status: Active Exploitation.
  • Details: A critical authentication bypass vulnerability allows unauthenticated remote attackers to gain administrative access to the device.
  • Action: Apply the hotfix immediately. If patching is not possible, restrict WAN access to the management interface.

2. Fortinet FortiCloud (CVE-2025-59718 & CVE-2025-59719)

  • Status: High Risk.
  • Details: These vulnerabilities allow an SSO login authentication bypass. Attackers can hijack sessions to gain entry into cloud management consoles.
  • Action: Verify all admin accounts have MFA enforced and review audit logs for suspicious logins from unknown IPs.
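Added example, not from the briefing and not a Fortinet tool: a small review of SSO audit-log lines for the two conditions the action item names, admin logins from IPs outside a known range and admin logins completed without MFA. The JSON-lines log format, field names, admin account names and the office IP ranges are all assumptions constructed for the example.

```javascript
// Added example (constructed): flag successful admin logins that came from an
// unknown IP or that completed without MFA, over sample JSON-lines audit records.

// Assumed office egress ranges (documentation prefixes) and admin accounts.
const KNOWN_ADMIN_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"];
const ADMINS = new Set(["alice.admin", "bob.admin"]);

// Constructed sample audit log; the last line is deliberately malformed.
const SAMPLE_LOG = `
{"ts":"2025-12-24T01:02:03Z","user":"alice.admin","event":"login","result":"success","ip":"203.0.113.45","mfa":true}
{"ts":"2025-12-24T01:15:09Z","user":"bob.admin","event":"login","result":"success","ip":"192.0.2.77","mfa":true}
{"ts":"2025-12-24T01:20:41Z","user":"alice.admin","event":"login","result":"success","ip":"203.0.113.45","mfa":false}
{"ts":"2025-12-24T02:00:00Z","user":"carol","event":"login","result":"success","ip":"192.0.2.10","mfa":false}
{"ts":"2025-12-24T02:05:00Z","user":"bob.admin","event":"login","result":"failure","ip":"192.0.2.77","mfa":false}
this line is not JSON and must not crash the review
`;

// Dotted-quad IPv4 to an unsigned integer; null for anything malformed.
function ipToInt(ip) {
  const octets = String(ip).split(".").map(Number);
  if (octets.length !== 4 || octets.some(o => !Number.isInteger(o) || o < 0 || o > 255)) return null;
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

// True when ip falls inside the CIDR block (IPv4 only).
function inCidr(ip, cidr) {
  const [net, prefixStr] = cidr.split("/");
  const prefix = Number(prefixStr);
  const ipInt = ipToInt(ip);
  const netInt = ipToInt(net);
  if (ipInt === null || netInt === null || !(prefix >= 0 && prefix <= 32)) return false;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((ipInt & mask) >>> 0) === ((netInt & mask) >>> 0);
}

// Walk the log, keep only successful admin logins, and report the two conditions.
// Unparseable lines are counted rather than silently dropped.
function reviewAuditLog(text) {
  const findings = [];
  let skipped = 0;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      skipped += 1;
      continue;
    }
    if (rec.event !== "login" || rec.result !== "success" || !ADMINS.has(rec.user)) continue;
    if (!KNOWN_ADMIN_CIDRS.some(c => inCidr(rec.ip, c))) {
      findings.push({ ts: rec.ts, user: rec.user, ip: rec.ip, reason: "admin login from unknown IP" });
    }
    if (rec.mfa !== true) {
      findings.push({ ts: rec.ts, user: rec.user, ip: rec.ip, reason: "admin login without MFA" });
    }
  }
  return { findings, skipped };
}

console.log(JSON.stringify(reviewAuditLog(SAMPLE_LOG), null, 2));
```

The "unknown IP" test is only as good as the allowlist; treat `mfa !== true` as the stronger signal, since a missing field is reported the same way as an explicit `false`.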

3. AI System Threats

  • Adversarial AI: We are observing an uptick in "deepfake" social engineering attempts targeting finance teams for end-of-year invoice payments. Generative AI is being used to craft highly convincing phishing lures that bypass traditional email filters.

Threat Actor Activity

  • Funksec: This group is currently active and opportunistic, targeting small to medium Australian enterprises (SMEs) with "double extortion" tactics—encrypting data and threatening to leak it.
  • Pro-Russia Hacktivists: As flagged by the ACSC, these groups are conducting low-sophistication but high-impact DDoS attacks against critical infrastructure to disrupt holiday operations.
  • Magecart / Digital Skimmers: With the Boxing Day sales approaching, eCommerce providers must ensure their Content Security Policies (CSP) are strict to prevent malicious JavaScript injection into checkout pages.
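Added example, not from the briefing: a small checker that parses a Content Security Policy header and reports whether a given script would run under it, used to contrast a permissive policy with a nonce-based strict one for the checkout-page case above. The site origin, the nonce value and both policies are constructed for the example; the checker covers `script-src` / `default-src` keywords, scheme and origin sources, nonces and `'strict-dynamic'`, and deliberately omits host wildcards, hash sources and report-only mode.

```javascript
// Added example (constructed): compare a weak CSP with a strict one by asking,
// for each candidate script, whether the policy would let it execute.

const SITE_ORIGIN = "https://shop.example";      // constructed site origin
const NONCE = "r4nd0mNonceValue";                // placeholder; real nonces are fresh per response

// Weak: 'unsafe-inline' runs injected inline script, and the bare https: scheme
// source allows any HTTPS host to serve script into the page.
const WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";

// Strict: only scripts carrying this response's nonce run; 'strict-dynamic' makes
// host-based sources irrelevant, and object-src / base-uri close common bypasses.
const STRICT_CSP = `default-src 'self'; script-src 'nonce-${NONCE}' 'strict-dynamic'; object-src 'none'; base-uri 'none'`;

// Parse "directive source source; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;        // sources keep case: nonces are case-sensitive
  }
  return policy;
}

// script: { inline: true } or { src: url }, optionally with nonce: "...".
function scriptAllowed(header, script, siteOrigin) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (!sources) return true;                     // no governing directive: browser runs it
  const kw = sources.map(s => s.toLowerCase());
  const hasNonceOrHash = kw.some(s => s.startsWith("'nonce-") || s.startsWith("'sha"));
  const strictDynamic = kw.includes("'strict-dynamic'");
  const nonceMatches = Boolean(script.nonce) && sources.includes(`'nonce-${script.nonce}'`);
  if (nonceMatches) return true;
  if (script.inline) {
    // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
    return kw.includes("'unsafe-inline'") && !hasNonceOrHash;
  }
  if (strictDynamic) return false;               // host allowlists ignored; only nonced scripts run
  const url = new URL(script.src);
  return kw.some(s =>
    s === "*" ||
    s === url.protocol ||                        // scheme source such as "https:"
    (s === "'self'" && url.origin === siteOrigin) ||
    s === url.origin.toLowerCase()               // explicit origin in the allowlist
  );
}

// Constructed candidate scripts: an injected inline snippet, a third-party HTTPS
// script (placeholder host), the site's own bundle, and a nonced inline block.
const CASES = {
  injectedInline: { inline: true },
  thirdPartyHttps: { src: "https://skimmer.example/checkout.js" },
  selfHosted: { src: `${SITE_ORIGIN}/static/app.js` },
  noncedInline: { inline: true, nonce: NONCE },
};

function compareCsp() {
  const out = { weak: {}, strict: {} };
  for (const [name, script] of Object.entries(CASES)) {
    out.weak[name] = scriptAllowed(WEAK_CSP, script, SITE_ORIGIN);
    out.strict[name] = scriptAllowed(STRICT_CSP, script, SITE_ORIGIN);
  }
  return out;
}

console.log(compareCsp());
```

Under the strict policy the site's own bundle is blocked unless it too carries the nonce, which is the intended behaviour of `'strict-dynamic'`: every script the page legitimately needs must be nonced at render time, so an injected tag without the nonce has nothing to inherit.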

Recommendation

The "skeleton crew" approach to holiday staffing is a known vulnerability that adversaries exploit. Ensure your incident response plans are accessible and that key personnel are reachable.

Contact us for a quote for penetration testing service or adversary simulation.