Daily Threat Briefing: Australia – 12 February 2026

Executive Summary

The Australian cyber threat landscape for the last 24 hours has been dominated by a concerning breach of the national Early Warning Network (EWN) and a historic regulatory penalty in the FinTech sector. These events signal a shift from pure data theft to systemic disruption and regulatory accountability. Simultaneously, technical teams must urgently address critical vulnerabilities in AI agents and workflow automation tools that are being actively exploited in the wild.

Here is your deep dive into the threats impacting Australian organisations over the last 24 hours.

Sector Spotlight

Government & Critical Infrastructure: Trust Under Fire

In a disturbing development confirmed yesterday (11 February), the Early Warning Network (EWN)—used by councils and emergency services to alert Australians to disasters—suffered a security breach. Threat actors gained unauthorised access to the broadcasting portal and sent false alerts to a subset of subscribers. While EWN officials state that only "white page" data (names and addresses) was accessed, the incident highlights a critical vulnerability in our national notification infrastructure. The ability of adversaries to hijack trusted communication channels poses a severe risk to public safety and trust.

FinTech: A $2.5 Million Warning

The Federal Court has handed down a landmark penalty against fixed-income specialist FIIG Securities, ordering it to pay $2.5 million for cybersecurity failures related to a 2023 breach. This is the first time civil penalties have been applied purely for cyber resilience failures under Australian Financial Services (AFS) licence obligations. The court cited a lack of multi-factor authentication (MFA) and inadequate incident response testing.

Key Takeaway: For Australian FinTechs, "tick-box" compliance is dead. The ASIC 2026 Outlook, released last week, explicitly flags "Agentic AI" fraud as the next frontier, warning that autonomous AI agents could be manipulated to authorise fraudulent transactions.

Healthcare: Psychological Warfare

Epworth HealthCare remains in a standoff with the 0APT ransomware gang, which claims to have exfiltrated 920GB of sensitive surgical and billing records. As of today, Epworth maintains there is "no verified evidence" of the breach, suggesting this may be a "phantom" extortion attempt—a growing tactic where gangs bluff to force a payout. This follows the MediSecure fallout, reinforcing the immense pressure on the sector.

Education: The Long Tail of a Breach

The Victorian Department of Education is managing the escalating fallout of a massive breach confirmed in January, now known to impact all 1,700 government schools. Additionally, Loyola College is dealing with a confirmed ransomware attack by the Interlock gang, who have leaked nearly 600GB of data, including student passports, to the dark web.

Vulnerability Watch: What to Patch Now

1. AI Systems: OpenClaw 1-Click RCE (CVE-2026-25253)

A critical vulnerability has been disclosed in OpenClaw (formerly Moltbot), a popular open-source AI agent used by developers. The flaw allows unauthenticated remote code execution (RCE) via a single malicious link.

  • Risk: Attackers can steal authentication tokens and hijack the AI agent to execute commands on the host machine.
  • Status: Active exploitation observed. Patch immediately to version 2026.1.29 or later.

2. SaaS & Cloud: Microsoft Office Zero-Day (CVE-2026-21509)

Microsoft has issued an out-of-band patch for a "Security Feature Bypass" vulnerability in Office 365 and Office 2019/2021.

  • Risk: Allows attackers to bypass the "Mark of the Web" and Protected View, enabling malicious macros to run without user warning.
  • Intel: This is being actively exploited by state-sponsored actor APT28 (Fancy Bear) in campaigns targeting government and critical sectors.

3. Workflow Automation: n8n RCE (CVE-2026-21858)

A critical RCE vulnerability in n8n, a workflow automation tool used to glue together SaaS apps, is being targeted. If you self-host n8n, ensure it is behind a VPN or strictly authenticated, as it often holds API keys for your entire SaaS stack (Salesforce, Slack, Google Workspace).
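As an added illustration of the "behind a VPN or strictly authenticated" advice above (this is example configuration written for this briefing, not n8n's own or vendor-supplied configuration), the following nginx reverse-proxy block puts two independent gates in front of a self-hosted n8n instance: a network allow-list limited to the VPN range, and HTTP basic authentication on top of n8n's own login. The VPN CIDR 10.8.0.0/24, the hostname, the certificate and htpasswd paths are placeholders; the assumption that n8n listens on 127.0.0.1:5678 reflects its default port but should be checked against your deployment.

```nginx
# Added example (not from the briefing or the n8n project): nginx in front of
# a self-hosted n8n instance. Assumptions: n8n listens on 127.0.0.1:5678 (its
# default port); only VPN clients in 10.8.0.0/24 (placeholder CIDR) may reach
# it; certificate and htpasswd paths are illustrative.
server {
    listen 443 ssl;
    server_name n8n.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/certs/n8n.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/certs/n8n.key;

    # Gate 1 (network layer): only the VPN range may connect; all other
    # sources receive 403 before any request reaches n8n.
    allow 10.8.0.0/24;
    deny  all;

    # Gate 2 (application layer): an independent credential check, so a
    # mistake in the allow-list alone does not expose the editor or its stored
    # SaaS credentials.
    auth_basic           "n8n";
    auth_basic_user_file /etc/nginx/n8n.htpasswd;

    location / {
        proxy_pass         http://127.0.0.1:5678;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;

        # The n8n editor pushes live execution updates over upgraded
        # connections; without these headers the upgrade handshake is dropped.
        proxy_http_version 1.1;
        proxy_set_header   Upgrade    $http_upgrade;
        proxy_set_header   Connection "upgrade";
    }
}
```

Two caveats a practitioner should check before relying on this: the proxy only helps if n8n itself is bound to the loopback interface (or the host firewall blocks direct access to port 5678), otherwise the gates are simply bypassed; and if the instance receives inbound webhooks from SaaS providers, those callback sources need a separate, narrowly scoped exception rather than a widened allow-list for the whole editor. Neither gate replaces applying the vendor patch; they reduce exposure while the patch is rolled out and limit who can reach the workflow engine afterwards.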

Strategic Outlook

The events of the last 24 hours confirm that we are entering an era of "Cyberthuggery"—where disruption and psychological pressure (as seen with Epworth and EWN) are becoming as valuable to attackers as data theft. With the launch of the Essential Eight Certification service yesterday, organisations have a new mechanism to prove their resilience, but compliance must be backed by genuine defensive depth.

Contact us for a quote for penetration testing services or adversary simulation.