Executive Summary
The Australian cyber threat landscape for Monday, 12 January 2026, is dominated by the fallout from the "MongoBleed" vulnerability and a coordinated surge in attacks targeting the healthcare and SaaS sectors. Over the weekend, threat actors have accelerated the weaponisation of critical flaws in workflow automation tools and API gateways. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has observed intensified scanning activity, and several high-profile domestic breaches have been confirmed.
Sector-Specific Threat Analysis
1. Healthcare: Under Siege from Ransomware and API Flaws
The healthcare sector remains the primary target this week.
- Manage My Health (MMH) Update: Following the initial breach notification, the "Kazu" ransomware gang has escalated its extortion attempts, threatening to leak 400,000 patient files if a $60k ransom is not paid. Approximately 6-7% of the platform's 1.8 million users are affected, with stolen data including medical correspondence and discharge summaries.
- Laidley Family Doctors: In a separate incident, the Queensland-based clinic has been listed on the dark web leak site of the "Anubis" ransomware gang. The group claims to have exfiltrated sensitive patient history and Medicare details.
- IoMT Vulnerability: We are tracking active exploitation of Broken Object Level Authorization (BOLA) flaws in HL7 interface engines used to connect Internet of Medical Things (IoMT) devices. Attackers are attempting to intercept patient telemetry data directly from bedside monitors.
2. SaaS Providers: "Critical" n8n RCE & MongoBleed
SaaS platforms are facing a dual threat from infrastructure and application-level vulnerabilities.
- n8n Workflow Automation: A maximum-severity vulnerability (CVE-2026-21858, CVSS 10.0) allows unauthenticated remote code execution (RCE) in self-hosted n8n instances. Attackers are exploiting this to take full control of automation servers. A secondary authenticated RCE (CVE-2026-21877) is also being leveraged against compromised accounts.
- "MongoBleed" (CVE-2025-14847): This unauthenticated memory leak in MongoDB servers continues to be a major vector. Threat actors are scraping server memory to extract session tokens and PII from SaaS backends without requiring login credentials.
3. FinTech: AI-Driven Vishing & Insurer Breach
- Prosura Data Breach: Australian insurer Prosura has taken its self-service portal offline following a breach exposing customer driving licences and policy data. This incident highlights the risk to "identity aggregation" targets, organisations that hold large stores of identity documents.
- "DeepVoice" Campaign: A sophisticated social engineering campaign is targeting Australian neo-banks. Attackers are utilising AI-generated voice clones of C-suite executives to bypass voice biometric authentication and authorise fraudulent high-value transfers.
4. Education / EdTech: AI Supply Chain Risk
- Langflow Exploitation: EdTech platforms utilising the Langflow AI orchestration tool are being targeted via CVE-2025-3248. This vulnerability allows unauthorised Python code injection, effectively poisoning the "AI supply chain" and granting attackers access to underlying Large Language Model (LLM) data pipelines.
- LMS Ransomware: A new ransomware strain is targeting third-party plugins in Learning Management Systems (LMS), disrupting summer semester coursework for several tertiary institutions.
5. Government: Supply Chain & Perimeter Defence
- DFAT Disclosure: A critical vulnerability within the Department of Foreign Affairs and Trade (DFAT) was responsibly disclosed by an ethical hacker, preventing potential diplomatic data exposure.
- WatchGuard Firebox: Government networks remain on high alert regarding CVE-2025-14733. Active exploitation of this perimeter vulnerability is being used as a beachhead for lateral movement into secure zones.
6. IoT: Telematics Targeted
- Netstar Australia: The telematics provider has been listed by the "Black Shrantac" ransomware group. The alleged theft of GPS fleet tracking data poses significant operational risks to logistics and transport organisations relying on real-time monitoring.
Critical Vulnerabilities to Patch Immediately
- CVE-2026-21858: n8n Workflow Automation (Unauthenticated RCE) - CVSS 10.0
- CVE-2025-14847: MongoDB Server ("MongoBleed") - Memory Leak
- CVE-2025-3248: Langflow AI (Code Injection)
- CVE-2025-14733: WatchGuard Firebox (Auth Bypass)
Recommendations
Organisations are urged to prioritise patching internet-facing automation tools and databases immediately. For FinTech and Healthcare entities, reviewing API gateway configurations for BOLA vulnerabilities and implementing phishing-resistant MFA (such as FIDO2 keys) is critical to countering the current wave of AI-enhanced attacks.
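As an added illustration of the BOLA weakness noted in the healthcare section and the API review recommended above (example code, not from this report; the telemetry records, ward assignments and caller model are constructed), this contrasts a telemetry lookup that trusts the client-supplied monitor id with one that checks object-level permission before returning, and records denials so that id enumeration by a single caller can be spotted.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample telemetry records keyed by bedside monitor id (not real data).
TELEMETRY = {
    "mon-101": {"patient_id": "P-001", "ward": "ICU", "hr": 72},
    "mon-102": {"patient_id": "P-002", "ward": "ICU", "hr": 88},
    "mon-201": {"patient_id": "P-003", "ward": "CARDIO", "hr": 65},
}

# Constructed assignments: which wards each clinician account may read.
WARD_ASSIGNMENTS = {"clin-a": {"ICU"}, "clin-b": {"CARDIO"}}

# Denied lookups, kept for detection: many denials from one caller across
# different ids is the signature of object-id enumeration.
DENIALS: list[tuple[str, str]] = []


@dataclass
class Caller:
    user_id: str
    role: str                      # "clinician" or "patient"
    patient_id: Optional[str] = None


def get_telemetry_vulnerable(monitor_id: str) -> Optional[dict]:
    """BOLA: the record is returned for any id that exists, no matter who asks."""
    return TELEMETRY.get(monitor_id)


def get_telemetry_hardened(caller: Caller, monitor_id: str) -> Optional[dict]:
    """Object-level authorization: existence and permission are both checked."""
    record = TELEMETRY.get(monitor_id)
    if record is not None:
        if caller.role == "clinician" and record["ward"] in WARD_ASSIGNMENTS.get(caller.user_id, set()):
            return record
        if caller.role == "patient" and record["patient_id"] == caller.patient_id:
            return record
    # Unknown id and unauthorized id give the same answer, so the API does
    # not confirm which monitor ids exist.
    DENIALS.append((caller.user_id, monitor_id))
    return None


def denied_ids_for(user_id: str) -> int:
    """Number of distinct object ids a caller has been refused; a review threshold."""
    return len({mid for uid, mid in DENIALS if uid == user_id})
```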
Contact us for a quote for penetration testing service or adversary simulation.