Executive Summary
The last 24 hours have seen a surge in high-impact activity targeting Australian organisations, particularly in the FinTech and Healthcare sectors. Of critical concern is the active exploitation of new zero-day vulnerabilities in Ivanti’s Endpoint Manager Mobile (EPMM), which poses a severe risk to government and enterprise mobile fleets. Simultaneously, the Australian lending platform youX has confirmed a significant data breach, and the Aeromedical Society of Australasia has become the latest victim of the resurrected LockBit 5.0 ransomware group.
This briefing outlines the urgent threats, exploited vulnerabilities, and regulatory shifts you need to know today.
Sector-Specific Deep Dives
1. SaaS & Cloud: Ivanti EPMM Under Siege
- Threat: Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) are being actively exploited in the wild.
- Impact: These flaws affect Ivanti Endpoint Manager Mobile (EPMM), allowing unauthenticated attackers to execute arbitrary code (RCE) and gain full control over mobile device management infrastructure.
- Observation: Threat actors are using these exploits to install webshells and establish reverse shells. Given the widespread use of Ivanti in Australian government and enterprise environments, this is a CRITICAL patching priority.
- Action: Immediate patching to the latest RPM versions (12.x.0.x or 12.x.1.x) is mandatory. Assume compromise if your instance has been internet-facing without mitigation.
2. FinTech: Data Breach at youX & Regulatory Warnings
- Incident: Australian digital lending platform youX confirmed yesterday (19 February) that unauthorised third-party access has compromised its systems.
- Data at Risk: Reports indicate threat actors claim to have exfiltrated 141 GB of data from a MongoDB Atlas cluster, potentially exposing loan applications, driver’s licences, and financial records.
- Regulatory Context: This incident follows the landmark Federal Court ruling earlier this week against FIIG Securities, ordering a $2.5 million penalty for failing to maintain adequate cybersecurity measures. This signals a new era of enforcement by ASIC, where "tick-box" compliance is no longer a defence against liability.
3. Healthcare: LockBit 5.0 Targets Critical Services
- Incident: The Aeromedical Society of Australasia, a key body for air medical transport professionals in Australia and New Zealand, has been listed on the LockBit 5.0 leak site.
- Threat Actor: LockBit 5.0 (the latest iteration of the notorious RaaS group) is aggressively targeting healthcare and non-profit entities.
- Risk: The potential leak of member data or operational details could disrupt critical medical transport coordination. This aligns with a broader trend of ransomware groups disregarding the "no-hospital" rule in 2026.
4. IoT & AI: The "Agentic" Threat
- Emerging Trend: New research released yesterday by Barracuda and Arctic Wolf highlights a shift in tactics. 90% of recent ransomware incidents in 2025-26 involved firewalls exploited via known vulnerabilities.
- AI Vector: We are observing an uptick in AI-driven social engineering, where deepfake voice and text are used to bypass biometric verification in FinTech applications. Additionally, "Shadow AI" remains a risk, with employees feeding sensitive corporate data into unvetted Large Language Models (LLMs), creating inadvertent data leaks.
Vulnerability Spotlight: The "Must-Patch" List
| CVE ID | Severity | Affected Product | Status |
|---|---|---|---|
| CVE-2026-1281 | Critical (9.8) | Ivanti EPMM | Active Exploitation. RCE via legacy bash scripts. |
| CVE-2026-1340 | Critical (9.8) | Ivanti EPMM | Active Exploitation. Authentication bypass. |
| CVE-2026-20700 | High (7.8) | Apple iOS/macOS | Memory corruption allowing code execution. |
| CVE-2026-1731 | Critical (9.9) | BeyondTrust PRA | Remote command injection. |
Recommendations for Australian CISOs
- Hunt for Ivanti IOCs: Do not just patch. Proactively hunt for indicators of compromise (IOCs) such as unexpected child processes spawned by Apache or modified bash scripts in /mi/bin/.
- Review Third-Party Risk: The youX breach underscores the risk of third-party data handlers. Audit your suppliers' security posture, particularly those managing sensitive financial data.
- Harden Remote Access: With 65% of non-BEC breaches now starting with abused remote access tools, enforce strictly phishing-resistant MFA (FIDO2) for all external access points.
- Test Your Defences: Compliance is not security. The FIIG ruling proves that having a policy is insufficient if it is not operationally effective.
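The two Ivanti hunt ideas above (a web server that should never be the ancestor of a shell or interpreter, and bash scripts under /mi/bin/ that should match a known-good baseline) can be turned into a small, repeatable check. The script below is an added example written for this briefing; it is not Ivanti's tooling, not an IoC list, and the process listing and script hashes it runs on are constructed sample data. The set of interpreter names, the /mi/bin/ file names and the baseline hashes are assumptions to be replaced with values taken from a clean appliance.

```python
"""Hunt helpers for an Ivanti EPMM-style appliance (added example, constructed data).

Check 1: any process that descends from httpd/apache and is itself a shell or
         interpreter is flagged (catches `sh -c ...` wrappers and their children).
Check 2: the sha256 of each script in /mi/bin/ is compared with a baseline
         captured from a known-good appliance (modified / added / missing).
"""
import hashlib
from dataclasses import dataclass
from pathlib import Path

WEB_SERVER_NAMES = {"httpd", "apache2", "apache"}
# Assumption: a starting list of commands a web server should never spawn on an
# appliance; tune to the environment before relying on it.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "python", "python3", "perl",
                       "nc", "ncat", "socat", "curl", "wget"}
MAX_ANCESTRY_DEPTH = 32  # guard against malformed/cyclic ps output


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


def parse_ps(lines):
    """Parse the output of `ps -eo pid,ppid,user,comm,args` (header optional)."""
    procs = {}
    for line in lines:
        parts = line.strip().split(None, 4)
        if len(parts) < 4 or parts[0].upper() == "PID":
            continue
        pid, ppid, user, comm = int(parts[0]), int(parts[1]), parts[2], parts[3]
        args = parts[4] if len(parts) == 5 else comm
        procs[pid] = Proc(pid, ppid, user, comm, args)
    return procs


def descends_from_web_server(proc, procs):
    """True if any ancestor of `proc` is a web server process."""
    current = procs.get(proc.ppid)
    for _ in range(MAX_ANCESTRY_DEPTH):
        if current is None:
            return False
        if current.comm in WEB_SERVER_NAMES:
            return True
        current = procs.get(current.ppid)
    return False


def find_suspicious_spawns(procs):
    """Shells/interpreters anywhere below a web server process, sorted by pid."""
    hits = [p for p in procs.values()
            if p.comm in SUSPICIOUS_CHILDREN and descends_from_web_server(p, procs)]
    return sorted(hits, key=lambda p: p.pid)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_scripts(directory="/mi/bin"):
    """{path: sha256} for every regular file under `directory` (live use)."""
    base = Path(directory)
    return {str(p): sha256(p.read_bytes()) for p in sorted(base.glob("*")) if p.is_file()}


def diff_script_baseline(baseline, current):
    """Compare a known-good {path: sha256} map with the current one."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


# ---- constructed sample data (not captured from a real system) ----
PS_SAMPLE = """
  PID  PPID USER     COMMAND  COMMAND
    1     0 root     systemd  /sbin/init
 1200     1 root     httpd    /usr/sbin/httpd -k start
 1310  1200 apache   httpd    /usr/sbin/httpd -k start
 1312  1200 apache   httpd    /usr/sbin/httpd -k start
 1480  1310 apache   sh       sh -c id
 1481  1480 apache   bash     bash -i
 2002     1 root     sshd     /usr/sbin/sshd -D
""".strip().splitlines()

BASELINE_SCRIPTS = {  # hashes captured from a clean appliance (constructed)
    "/mi/bin/example_a.sh": sha256(b"#!/bin/bash\necho ok\n"),
    "/mi/bin/example_b.sh": sha256(b"#!/bin/bash\necho two\n"),
}
CURRENT_SCRIPTS = {   # what is on disk now (constructed): one edited, one new
    "/mi/bin/example_a.sh": sha256(b"#!/bin/bash\necho ok\n# extra line\n"),
    "/mi/bin/example_b.sh": sha256(b"#!/bin/bash\necho two\n"),
    "/mi/bin/unexpected.sh": sha256(b"#!/bin/bash\necho new\n"),
}

if __name__ == "__main__":
    for p in find_suspicious_spawns(parse_ps(PS_SAMPLE)):
        print(f"SUSPICIOUS pid={p.pid} ppid={p.ppid} user={p.user} cmd={p.args}")
    modified, added, missing = diff_script_baseline(BASELINE_SCRIPTS, CURRENT_SCRIPTS)
    print("modified:", modified, "added:", added, "missing:", missing)
```

On a live appliance, feed `parse_ps` the real `ps -eo pid,ppid,user,comm,args` output and replace `CURRENT_SCRIPTS` with `hash_scripts("/mi/bin")`; the baseline should be captured from a freshly built or vendor-verified instance, never from the host under investigation.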
Contact us for a quote for penetration testing service or adversary simulation.

