Daily Threat Briefing: Australia – 13 February 2026

Executive Summary

The last 24 hours in the Australian cyber threat landscape have been dominated by the escalating weaponisation of Generative AI, significant regulatory enforcement in the financial sector, and critical vulnerabilities in widely used SaaS automation tools. Nation-state actors, particularly the group identified as Salt Typhoon, continue to target critical infrastructure, while the healthcare and education sectors face a fresh wave of data extortion campaigns.

Sector-Specific Updates

  • Healthcare: The sector remains under heavy fire. Diabetes WA has been identified as the latest victim of a cyber attack, with reports emerging of sensitive patient data exfiltration. This incident follows closely on the heels of the attack on an Adelaide women’s health clinic earlier this year. Furthermore, security researchers have flagged a disturbing trend of AI-generated deepfake advertisements impersonating leading Australian medical specialists to promote fraudulent supplements, posing a significant public health and trust risk.

  • FinTech & Financial Services: A landmark regulatory precedent has been set. The Federal Court has ordered Fiig Securities to pay a $2.5 million penalty for cybersecurity failures that left client data exposed. This is a clear signal to the FinTech sector that inadequate cyber resilience will incur severe financial and reputational costs. Additionally, CommBank research released this week highlights that while 89% of Australians feel confident spotting scams, only 42% can actually distinguish AI-generated banking fraud, signalling a need for stronger biometric anti-spoofing measures in banking apps.

  • Education / EdTech: The education sector is currently a primary target for ransomware groups. The Albright Institute of Language and Business has been hit by a cyber attack claimed by the threat actor KillSec, which alleges it has stolen personal and business data. This incident compounds the ongoing fallout from the massive Victorian Department of Education data breach confirmed late last month, which impacted all 1,700 government schools.

  • Government & Critical Infrastructure: A new report reveals a critical visibility gap: only 35% of federal entities fully reported cyber incidents to the Australian Signals Directorate (ASD) in the last financial year. This underreporting hampers national situational awareness. Meanwhile, intelligence reports confirm that Salt Typhoon, a sophisticated China-linked threat actor, has been actively compromising Australian critical networks by exploiting vulnerabilities in edge devices (routers and firewalls) to maintain long-term stealthy persistence.

  • SaaS Providers: A critical-severity vulnerability (CVE-2026-21858) in the n8n workflow automation platform is being actively exploited. This unauthenticated Remote Code Execution (RCE) flaw allows attackers to take full control of automation servers. SaaS providers and users running n8n for backend workflows must patch immediately. Additionally, unsecured MongoDB instances continue to be a vector for data leaks, with a new wave of automated attacks identifying exposed databases globally.

  • eCommerce: With Valentine's Day approaching, the Australian Federal Police (AFP) and KnowBe4 have issued urgent warnings regarding "industrial-scale" romance scams powered by deepfake video and voice technology. These AI agents can hold real-time video calls, bypassing traditional "proof of life" checks used by dating and eCommerce platforms to verify user identity.

  • IoT (Internet of Things): The threat surface for IoT is expanding through "agentic AI". New analysis suggests that AI agents, capable of autonomous decision-making and interacting with IoT devices, are being weaponised to launch attacks at machine speed. Attackers are moving away from simple malware to "living off the land" techniques on compromised IoT edge devices to evade detection.
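The SaaS Providers item above names the recurring root cause of MongoDB data leaks: an instance that listens on every interface with authorisation never switched on. The following is an added example, not part of the briefing, of a small reviewer for a mongod.conf file that flags exactly that combination. The configuration keys it reads (net.bindIp, net.bindIpAll, security.authorization) are real mongod settings; the two sample configurations are constructed for the demonstration, and the parser only understands the flat two-level YAML that mongod.conf normally uses.

```python
"""
Added example (not from the briefing): review a mongod.conf for the
"reachable from the network, no authentication" combination behind most
exposed-MongoDB leaks. The sample configs below are constructed.
"""
from typing import Dict, List

# Constructed sample: the weak configuration typically found in leaked instances.
WEAK_CONF = """\
# mongod.conf
net:
  port: 27017
  bindIp: 0.0.0.0          # listens on every interface
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: the corrected configuration.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the application host only
security:
  authorization: enabled       # every client must authenticate
"""


def parse_mongod_conf(text: str) -> Dict[str, str]:
    """Minimal parser for the 'section:' / '  key: value' layout of mongod.conf.
    Returns dotted keys, e.g. {'net.bindIp': '0.0.0.0'}. Comments and blank
    lines are ignored. Deliberately not a full YAML parser."""
    result: Dict[str, str] = {}
    section = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not raw.startswith((" ", "\t")):       # top-level section, e.g. 'net'
            section = key
            if value:
                result[key] = value
        else:
            result[f"{section}.{key}"] = value
    return result


def review_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_mongod_conf(text)
    findings: List[str] = []

    # mongod has bound to localhost by default since 3.6; only an explicit
    # bindIp / bindIpAll setting exposes the instance to the network.
    bind_all = conf.get("net.bindIpAll", "false").lower() == "true"
    bind_ips = [ip.strip() for ip in conf.get("net.bindIp", "127.0.0.1").split(",")]
    network_exposed = bind_all or any(ip in ("0.0.0.0", "::") for ip in bind_ips)

    # Authorization is off unless explicitly enabled.
    auth_enabled = conf.get("security.authorization", "disabled").lower() == "enabled"

    if network_exposed:
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")
    if not auth_enabled:
        findings.append("security.authorization is not 'enabled'")
    if network_exposed and not auth_enabled:
        findings.append("CRITICAL: database reachable from the network without authentication")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {review_mongod_conf(conf) or ['no findings']}")
```

Run it against each instance's mongod.conf as part of the access-control review; a `CRITICAL` finding means the host is in the same state as the databases being swept up by the automated scans the briefing describes, and should be taken off the network path or given authorisation before anything else.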

Technical Deep Dive: Exploited Vulnerabilities

  • CVE-2026-21858 (n8n RCE): Exploitation is trivial and unauthenticated. Attackers are using this to inject malicious workflows that execute system commands, effectively turning automation servers into botnet nodes or crypto miners.
  • Edge Device Compromise: Threat actors like Salt Typhoon are exploiting legacy vulnerabilities in Cisco and Fortinet edge devices to deploy custom rootkits. These rootkits survive firmware upgrades and allow traffic mirroring, enabling espionage without touching the internal endpoints.

Strategic Recommendations

Organisations must urgently pivot from passive defence to active validation. The rise of deepfakes renders standard identity verification obsolete; consider implementing challenge-response authentication for high-value transactions. For SaaS and Cloud environments, immediate patching of automation tools like n8n and rigorous review of MongoDB access controls are mandatory. Finally, government agencies must improve incident reporting pipelines to the ASD to ensure a coordinated national defence.
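The recommendation above is that a deepfake on a video call should not be able to authorise a high-value transaction, and that challenge-response authentication is the replacement for "proof of life" checks. The following added example, which is not from the briefing and uses illustrative names (TransactionServer, EnrolledDevice), shows the shape of such a step: the server issues a fresh random nonce bound to the exact transaction, and only a device holding an enrolled secret can produce the HMAC response. The scenarios at the end show why the binding and single-use rules matter: a replayed response, a response for a different amount, and a stale challenge are all rejected.

```python
"""
Added example (not from the briefing): challenge-response authorisation for a
high-value transaction. The customer's enrolled device proves possession of a
secret by keying an HMAC over a server nonce that is bound to the transaction,
so a relayed or replayed answer cannot authorise a different payment.
All names and the clock helper are illustrative.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict

CHALLENGE_TTL_SECONDS = 60


@dataclass
class Challenge:
    nonce: str
    txn_id: str
    amount_cents: int
    payee: str
    issued_at: float


def _message(nonce: str, txn_id: str, amount_cents: int, payee: str) -> bytes:
    # Bind the response to the transaction details, not only the nonce, so a
    # response captured for one payment cannot authorise another.
    return f"{nonce}|{txn_id}|{amount_cents}|{payee}".encode()


class TransactionServer:
    def __init__(self, device_keys: Dict[str, bytes], now: Callable[[], float]):
        self._device_keys = device_keys            # device_id -> enrolled secret
        self._pending: Dict[str, Challenge] = {}   # nonce -> challenge, single use
        self._now = now

    def issue_challenge(self, txn_id: str, amount_cents: int, payee: str) -> Challenge:
        ch = Challenge(secrets.token_hex(16), txn_id, amount_cents, payee, self._now())
        self._pending[ch.nonce] = ch
        return ch

    def verify(self, device_id: str, nonce: str, txn_id: str,
               amount_cents: int, payee: str, response_hex: str) -> bool:
        ch = self._pending.pop(nonce, None)        # pop: a nonce is never reusable
        if ch is None:
            return False                           # unknown or already consumed
        if self._now() - ch.issued_at > CHALLENGE_TTL_SECONDS:
            return False                           # stale challenge
        if (ch.txn_id, ch.amount_cents, ch.payee) != (txn_id, amount_cents, payee):
            return False                           # details differ from what was issued
        key = self._device_keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, _message(nonce, txn_id, amount_cents, payee),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response_hex)   # constant-time compare


class EnrolledDevice:
    """The customer's enrolled app; its secret never leaves the device."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id, self._key = device_id, key

    def respond(self, ch: Challenge) -> str:
        msg = _message(ch.nonce, ch.txn_id, ch.amount_cents, ch.payee)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()


class FakeClock:
    """Constructed clock so the expiry scenario is deterministic."""
    def __init__(self) -> None:
        self.t = 1_000_000.0


def run_scenarios() -> Dict[str, bool]:
    clock = FakeClock()
    device = EnrolledDevice("dev-1", secrets.token_bytes(32))
    server = TransactionServer({"dev-1": device._key}, now=lambda: clock.t)
    results: Dict[str, bool] = {}

    # 1. Legitimate transfer: fresh challenge answered by the enrolled device.
    ch = server.issue_challenge("txn-001", 250_000, "BSB 123-456 / 98765432")
    resp = device.respond(ch)
    results["legitimate"] = server.verify("dev-1", ch.nonce, ch.txn_id, ch.amount_cents, ch.payee, resp)

    # 2. Replay: the same valid response presented a second time.
    results["replay"] = server.verify("dev-1", ch.nonce, ch.txn_id, ch.amount_cents, ch.payee, resp)

    # 3. Tampered amount: response was computed for 2,500.00 but 25,000.00 is requested.
    ch2 = server.issue_challenge("txn-002", 250_000, "BSB 123-456 / 98765432")
    results["tampered_amount"] = server.verify("dev-1", ch2.nonce, ch2.txn_id, 2_500_000, ch2.payee, device.respond(ch2))

    # 4. Stale challenge: answered after the TTL has elapsed.
    ch3 = server.issue_challenge("txn-003", 250_000, "BSB 123-456 / 98765432")
    resp3 = device.respond(ch3)
    clock.t += CHALLENGE_TTL_SECONDS + 1
    results["expired"] = server.verify("dev-1", ch3.nonce, ch3.txn_id, ch3.amount_cents, ch3.payee, resp3)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'authorised' if ok else 'rejected'}")
```

The point of the design is that nothing a scammer can observe on a call, a recorded voice or a live deepfake feed, produces the HMAC; only the enrolled device can, and only for the transaction the server actually issued. In production the secret would be a per-device key in a secure element or a FIDO/WebAuthn credential rather than an HMAC key held in memory, but the nonce, binding, TTL and single-use rules are the same.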

Contact us for a quote for penetration testing services or adversary simulation.