Weekly Threat Briefing: Australia’s Cyber Landscape (29 Dec 2025 – 4 Jan 2026)

Introduction

As we settle into 2026, the Australian cyber threat landscape shows no signs of slowing down. The transition from December 2025 to January 2026 has been characterised by a volatile mix of critical infrastructure vulnerabilities and aggressive ransomware campaigns targeting the "edge" of corporate networks. This week, we have observed a sharp escalation in the exploitation of database and API vulnerabilities, alongside targeted attacks on the healthcare and education sectors.

This briefing provides a deep dive into the most significant cyber threats, incidents, and vulnerabilities impacting Australian organisations over the last 7 days.

Sector-Specific Threat Intelligence

  • Healthcare: A Critical Target
    The healthcare sector remains under immense pressure. Following a challenging December, we have seen reports of a cyber attack on the Point Lonsdale Medical Group in Victoria that resulted in unauthorised access to sensitive patient information. This incident follows an audit released in late 2025 which found systemic bypasses of security controls within NSW Health districts, a pattern of non-compliance that continues to leave patient data exposed. Threat actors are increasingly weaponising these gaps to extort providers.

  • SaaS & Cloud Providers: The "MongoBleed" Crisis
    The most critical technical threat of the week is the "MongoBleed" vulnerability (CVE-2025-14847) in MongoDB. Although fixed releases have been available since late December, reports indicate that nearly 95% of exposed instances remain unpatched, and attackers are actively exploiting the flaw to read server memory and harvest credentials. The supply chain risk carried by service providers was underscored by the Hexicor breach: the KillSec ransomware gang targeted the IT services provider and exfiltrated client folders and hashed passwords, showing how a compromised provider becomes a pivot point into its downstream clients.

  • FinTech: Ransomware and API Risks
    The financial sector faces dual threats from extortion and infrastructure flaws. Austin's Financial Solutions has fallen victim to the Kairos ransomware group, which allegedly stole and published 147GB of data, including employee passports and payroll records. Simultaneously, a critical authentication bypass in IBM API Connect (CVE-2025-13915), a gateway product FinTechs use to manage their APIs, including those fronting AI services, has been disclosed. An attacker who can reach a vulnerable gateway may gain unauthorised access to the banking APIs behind it without presenting valid credentials.

  • Education / EdTech: Universities in the Crosshairs
    Australian universities continue to be prime targets. The University of New South Wales (UNSW) Physics Department was recently targeted by the hacktivist group RipperSec, causing service disruptions. Meanwhile, a breach at the University of Sydney involving an online IT code repository has shown how fragile development environments can be. The KillSec gang has also been observed pivoting to EdTech platforms, exploiting the high value of student data for extortion.

  • Government & Critical Infrastructure
    Local government is not immune: Muswellbrook Shire Council suffered a severe ransomware attack by the SafePay gang, leading to the publication of 175GB of internal data. At the network edge, critical vulnerabilities in WatchGuard Firebox (CVE-2025-14733) and Fortinet devices are being actively exploited to gain initial access to government and infrastructure networks.

  • eCommerce & Retail
    As the festive season wraps up, scammers have ramped up activity targeting Australian consumers. A wave of fake Australia Post delivery messages and QR code scams has been intercepted, designed to steal personal and financial information. On the corporate side, Australian jeweller BECKS confirmed a cyber incident following claims by the SafePay ransomware group.

Vulnerability Spotlight: Web, API, and AI

  • MongoBleed (CVE-2025-14847): A high-severity information disclosure flaw in MongoDB.

    • Risk: Allows unauthenticated attackers to read server memory, potentially exposing cleartext credentials and tokens. Any secret that was in the process memory of an exposed instance should be treated as compromised.
    • Action: Upgrade to a fixed release for your branch (8.0.17 or later on the 8.0 branch; use the fixed version MongoDB's advisory lists for other supported branches), rotate credentials and tokens the server may have held in memory, and make sure mongod is not reachable from the internet (bind to internal addresses and require authentication).
  • IBM API Connect (CVE-2025-13915): CVSS 9.8 (Critical).

    • Risk: Authentication bypass in the API gateway. This is particularly dangerous for organisations rushing to deploy AI services, as it breaks the assumption that the gateway enforces identity: backend services that accept the gateway's forwarded identity without verifying it are exposed along with the gateway.
    • Action: Apply IBM's fix for the affected 10.0.8.x and 10.0.11.0 releases immediately. Until then, review gateway access logs for calls to protected APIs that lack a valid credential, and have backend services verify the caller's token themselves rather than relying solely on the gateway.
  • AI Weaponisation: We are observing threat actors using AI to hyper-personalise phishing campaigns and to generate polymorphic malware whose code changes between samples to evade signature matching. Defenders must look beyond static signatures and focus on behavioural detection.
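To turn the MongoBleed action item into a repeatable check, the following Python script is an added example, not code from this briefing's authors or from MongoDB: it reads server version strings (as printed by `mongod --version` or returned by `db.version()`) together with each server's `net.bindIp` setting, works out whether the build is at or past the fixed release for its branch, and ranks unpatched servers that listen beyond loopback first. The only fixed version the briefing states is 8.0.17 on the 8.0 branch; the other branch thresholds in the table are assumptions and must be confirmed against MongoDB's advisory before the script is relied on. The inventory is constructed sample data with fictional hosts.

```python
"""Triage MongoDB servers against the MongoBleed (CVE-2025-14847) fix.
Added example for this briefing; not MongoDB's tooling. Only the 8.0 -> 8.0.17
threshold comes from the briefing; the other branch entries are ASSUMPTIONS
that must be checked against MongoDB's advisory before use."""
import re

# Minimum fixed release per major.minor branch.
FIXED_BY_BRANCH = {
    (8, 0): (8, 0, 17),   # stated in the briefing
    (8, 2): (8, 2, 3),    # ASSUMPTION: confirm against the vendor advisory
    (7, 0): (7, 0, 28),   # ASSUMPTION: confirm against the vendor advisory
    (6, 0): (6, 0, 27),   # ASSUMPTION: confirm against the vendor advisory
}

# Addresses on which a listener is NOT reachable from other hosts.
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull (major, minor, patch) out of strings like 'db version v8.0.16'
    or '7.0.27-rc0'; return None if no version is present."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def assess_version(text):
    """'patched', 'vulnerable', or 'unknown' (unparseable, or a branch that is
    not in FIXED_BY_BRANCH and must therefore be checked by hand)."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown"
    return "patched" if version >= fixed else "vulnerable"


def is_exposed(bind_ip):
    """True when mongod's net.bindIp includes any non-loopback address
    (0.0.0.0, ::, or a LAN/public IP). net.bindIpAll: true is equivalent to
    0.0.0.0 and should be treated the same way."""
    return any(addr.strip() not in LOOPBACK for addr in bind_ip.split(","))


def triage(inventory):
    """inventory: iterable of (host, version_string, bind_ip) tuples.
    Returns one finding per host, highest priority first:
      P1 vulnerable and reachable beyond loopback
      P2 vulnerable but loopback-only
      P3 cannot be assessed automatically
      OK at or beyond the fixed release"""
    rank = {"P1": 0, "P2": 1, "P3": 2, "OK": 3}
    findings = []
    for host, version, bind_ip in inventory:
        status = assess_version(version)
        exposed = is_exposed(bind_ip)
        if status == "vulnerable":
            priority = "P1" if exposed else "P2"
        elif status == "unknown":
            priority = "P3"
        else:
            priority = "OK"
        findings.append({"host": host, "version": version, "status": status,
                         "exposed": exposed, "priority": priority})
    return sorted(findings, key=lambda f: rank[f["priority"]])


# Constructed sample inventory (fictional hosts); the version strings mimic
# the output of `mongod --version`.
SAMPLE_INVENTORY = [
    ("db-prod-01", "db version v8.0.16", "0.0.0.0"),
    ("db-prod-02", "db version v8.0.17", "0.0.0.0"),
    ("db-dev-01",  "db version v7.0.27", "127.0.0.1"),
    ("db-legacy",  "db version v3.6.23", "10.0.0.5"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['priority']:<3} {f['host']:<12} {f['version']:<20} "
              f"{f['status']:<10} exposed={f['exposed']}")
```

Feed it the real output of your inventory tooling rather than the sample list; a P3 result means the branch is not in the table and needs a manual check against the advisory, not that the server is safe.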
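The point made about the IBM API Connect flaw, that an authentication bypass in front of your APIs is only as damaging as the trust your backends place in the gateway, is easiest to see in code. The following Python example is added here and is neither IBM's code nor this briefing's: it contrasts a backend handler that accepts a plain `X-Authenticated-User` header forwarded by the gateway with one that verifies a signed assertion the gateway attaches instead. The header names, the HS256 shared secret and the `X-Gateway-Assertion` token layout are assumptions made for the illustration; a real deployment would normally use asymmetric keys published by the gateway, but the verification discipline (pin the algorithm, compare the signature in constant time, check expiry) is the same.

```python
"""Backend authorisation with and without independent verification of the
gateway's identity assertion. Added example; the header names, HS256 shared
secret and token layout are ASSUMPTIONS, not IBM API Connect behaviour."""
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_assertion(claims, secret):
    """Mint an HS256 JWT the way the ASSUMED gateway would (demo helper)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_assertion(token, secret, now=None):
    """Return the claims if the token is well-formed, HS256-signed with
    `secret` and unexpired; otherwise None. The algorithm is pinned so a
    header advertising 'none' or any other alg is rejected outright."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        claims = json.loads(b64url_decode(body_b64))
        current = time.time() if now is None else now
        exp = claims.get("exp")
        if not isinstance(exp, (int, float)) or exp <= current:
            return None
        return claims
    except (ValueError, TypeError, AttributeError):
        return None


def trusting_handler(headers):
    """Anti-pattern: assumes the gateway already authenticated the caller, so
    anyone who bypasses or spoofs the gateway can name any user they like."""
    user = headers.get("X-Authenticated-User")
    return ("allowed", user) if user else ("denied", None)


def verifying_handler(headers, secret, now=None):
    """Hardened: the backend checks the gateway's signed assertion itself, so a
    gateway authentication bypass still leaves the attacker without a token."""
    claims = verify_assertion(headers.get("X-Gateway-Assertion", ""), secret, now)
    if claims is None:
        return ("denied", None)
    return ("allowed", claims.get("sub"))


if __name__ == "__main__":
    secret = b"demo-shared-secret"              # ASSUMPTION: shared with the gateway
    forged = {"X-Authenticated-User": "alice"}  # attacker-supplied header only
    legit = {"X-Gateway-Assertion": sign_assertion(
        {"sub": "alice", "exp": time.time() + 300}, secret)}
    print("trusting  + forged header :", trusting_handler(forged))
    print("verifying + forged header :", verifying_handler(forged, secret))
    print("verifying + signed token  :", verifying_handler(legit, secret))
```

The forged request is accepted by the trusting handler and rejected by the verifying one; swapping the gateway's bypassed check for a signature the backend validates itself is what makes the gateway flaw survivable.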

Conclusion

The first week of 2026 serves as a stark reminder that basic hygiene—patching databases like MongoDB and securing network edges—remains the most effective defence against sophisticated adversaries. Organisations must also rigorously audit their third-party SaaS and API dependencies to mitigate supply chain risks.

Contact us for a quote for penetration testing service or adversary simulation.