Daily Threat Briefing: Anubis Targets Healthcare & Critical RCE in n8n Automation

Executive Summary

In the last 24 hours, the Australian cyber threat landscape has been dominated by a resurgence of targeted ransomware campaigns against the healthcare sector and critical vulnerability disclosures affecting widely used SaaS automation tools. The Anubis ransomware gang has claimed responsibility for breaching a Queensland medical practice, while a Critical-rated Remote Code Execution (RCE) vulnerability in the n8n workflow automation platform poses an immediate risk to SaaS providers and tech-driven enterprises.

Sector-Specific Threat Intelligence

Healthcare: Anubis Ransomware Aggression

The most concerning development overnight is the alleged compromise of Laidley Family Doctors in Queensland by the Anubis ransomware group.

  • The Incident: Anubis has listed the clinic on its dark web leak site, claiming to have exfiltrated sensitive patient data, including Medicare numbers, medical histories, and personal contact details.
  • The Actor: Anubis is employing a unique psychological pressure tactic. Their spokesperson, using the alias "Tobias Keller," poses as a journalist to "interview" victims and regulatory bodies, effectively weaponising media attention to force ransom payments.
  • Impact: This follows a pattern of Anubis targeting smaller Australian healthcare providers (such as the previous Pound Road Medical Centre incident), exploiting the often limited cyber resilience of regional medical practices.

SaaS & Cloud: Critical n8n RCE (CVE-2026-21858)

For SaaS providers and organisations relying on low-code automation, a new critical alert has been issued.

  • The Vulnerability: A Critical Unauthenticated Remote Code Execution (RCE) vulnerability (tracked as CVE-2026-21858) has been discovered in the n8n workflow automation platform.
  • The Risk: This flaw allows attackers to execute arbitrary code on the server without logging in. Given n8n's role in connecting disparate APIs and databases, a compromise here could act as a supply-chain bridge into deeper corporate networks.
  • Action: Immediate patching or isolating n8n instances from the public internet is mandatory.

Education: Fallout from "Fog" Ransomware

The tertiary education sector continues to face headwinds. Following the University of Notre Dame Australia incident claimed by the Fog ransomware gang, chatter on underground forums indicates that Initial Access Brokers (IABs) are actively selling credentials for other Australian educational institutions. The market for ".edu.au" access remains lucrative due to the vast amounts of PII and research data held by these entities.

IoT & Infrastructure: WatchGuard & MongoDB Exploits

  • WatchGuard Firebox: The ASD’s ACSC has flagged active exploitation of CVE-2025-14733, a critical vulnerability in WatchGuard Firebox devices. This is being leveraged to gain initial access to corporate networks.
  • Database Leaks: Automated scanning for CVE-2025-14847 (a MongoDB server vulnerability) is spiking. Threat actors are using this to mass-exfiltrate data from misconfigured or unpatched cloud databases.

Emerging Trends & Threat Actor Behaviour

  • API Insecurity: A new industry report highlights that Australian enterprises currently face the highest frequency of API-related security incidents in the Asia-Pacific region. With FinTech and eCommerce relying heavily on API ecosystems, "Zombie APIs" (forgotten, unmonitored endpoints) are becoming the primary vector for data breaches.
  • Pro-Russia Hacktivism: The ASD has reiterated warnings regarding pro-Russia hacktivist groups shifting focus towards Australian critical infrastructure, likely in response to geopolitical stances. These attacks are typically DDoS or defacement but can mask more sophisticated intrusion attempts.

Recommendations

  1. Healthcare: Review third-party remote access policies and ensure immutable backups are in place to counter ransomware encryption.
  2. SaaS/DevOps: Audit all n8n instances immediately for CVE-2026-21858.
  3. General: Prioritise patching of edge devices (firewalls, VPNs) and conduct a discovery audit to identify and decommission unused APIs.
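To make the "Zombie API" trend above and recommendation 3 concrete, here is an added example of a discovery audit (not code from the briefing): it compares a declared endpoint inventory against web-server access logs, flagging declared endpoints with no traffic in the idle window and, more importantly, endpoints that are receiving traffic but appear in no inventory. The inventory, log lines and the "now" timestamp are constructed; it assumes a combined-log style access log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory: the endpoints the organisation believes it runs.
DECLARED_ENDPOINTS = {
    "GET /api/v2/orders",
    "POST /api/v2/orders",
    "GET /api/v2/customers/{id}",
    "GET /api/v1/orders",  # superseded by v2 but still deployed
}

# Constructed access-log sample in combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api/v2/orders HTTP/1.1" 200 512
10.0.0.7 - - [01/Mar/2026:10:00:09 +0000] "GET /api/v2/customers/42 HTTP/1.1" 200 301
203.0.113.9 - - [01/Mar/2026:10:03:12 +0000] "GET /api/internal/export HTTP/1.1" 200 88231
10.0.0.5 - - [02/Mar/2026:11:15:44 +0000] "POST /api/v2/orders HTTP/1.1" 201 77
"""

LOG_RE = re.compile(r'\[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

def normalise(method, path):
    """Collapse numeric path segments so /customers/42 matches /customers/{id}."""
    segments = ["{id}" if seg.isdigit() else seg for seg in path.split("?")[0].split("/")]
    return f"{method} {'/'.join(segments)}"

def parse_log(text):
    """Map each normalised 'METHOD /path' to the timestamps it was requested."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip malformed or non-request lines
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        seen[normalise(m["method"], m["path"])].append(ts)
    return seen

def zombie_audit(declared, log_text, now, idle_days=30):
    """Return declared endpoints idle for idle_days and live endpoints nobody declared."""
    seen = parse_log(log_text)
    cutoff = now - timedelta(days=idle_days)
    idle = sorted(ep for ep in declared if not seen.get(ep) or max(seen[ep]) < cutoff)
    undeclared = sorted(ep for ep in seen if ep not in declared)
    return {"idle": idle, "undeclared": undeclared}

def run_sample():
    # Constructed audit date so the sample is reproducible offline.
    return zombie_audit(DECLARED_ENDPOINTS, SAMPLE_LOG, datetime(2026, 3, 3, tzinfo=timezone.utc))
```

Endpoints in "undeclared" are the forgotten, unmonitored ones the report describes and should be the first candidates for review; "idle" endpoints are candidates for decommissioning once their owners confirm they are unused.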

Contact us for a quote for penetration testing services or adversary simulation.