Weekly Threat Briefing: 16–22 February 2026
As we close out the third week of February 2026, the Australian cyber landscape is being defined by a sophisticated pivot towards AI-enabled API exploitation and high-impact ransomware campaigns targeting the FinTech and Healthcare sectors. The "blast radius" of AI systems is widening, with the Model Context Protocol (MCP) emerging as a critical new attack surface.
Here is your deep dive into the threats impacting Australian organisations over the last 7 days.
Sector Spotlight
FinTech: Massive Data Breach at youX
In a significant blow to the Australian alternative lending sector, FinTech platform youX confirmed a major data breach this week. Threat actors claim to have compromised a MongoDB Atlas cluster, exfiltrating approximately 141 gigabytes of sensitive data.
- Impact: The breach potentially exposes over 600,000 loan applications across nearly 100 lenders.
- Data Exposed: Driver’s licences, bank documents, and PII.
- Vector: Preliminary reports suggest a misconfigured cloud database was exploited, possibly leveraging the recently disclosed MongoDB Server Leak vulnerability (CVE-2025-14847).
Healthcare: Ransomware Resurgence (Termite & 0APT)
The healthcare sector remains under siege, with two major incidents dominating the headlines:
- Genea Fertility: Following suspicious activity detected in mid-February, the Termite ransomware group has claimed responsibility for an attack on this major IVF provider. While Genea disabled systems to contain the breach, fears remain regarding the theft of highly sensitive patient management data (PII and PHI).
- Epworth HealthCare: The emerging 0APT ransomware gang has listed Epworth as a victim, claiming possession of 920GB of data, including surgical records and billing details. This incident highlights the growing trend of "psychological pressure" tactics, where threat actors threaten to release sensitive medical diagnoses to force payment.
Government & Education
- Fairfield City Council (NSW): Formally notified residents of a data breach this week (stemming from a late 2025 incident), confirming unauthorised access to staff and resident information.
- Victorian Department of Education: Continues to manage the fallout from the January breach impacting 1,700 schools, with new phishing campaigns impersonating the department now circulating.
IoT: The "PolarEdge" Botnet
A new botnet dubbed "PolarEdge" has been identified recruiting Cisco RV series routers. Active since late 2025, the botnet has grown to over 2,000 infected devices in Australia, leveraging older command injection flaws to deploy web shells for persistent access.
Vulnerability Watch: Web, Cloud & AI
The last week has seen active exploitation of critical vulnerabilities, particularly in cloud-native and AI-integrated systems.
1. React2Shell (CVE-2025-55182) – CVSS 10.0
- Status: Active Exploitation.
- Details: Dubbed "React2Shell," this unauthenticated Remote Code Execution (RCE) flaw in React Server Components is being called a watershed moment for web security.
- Risk: It allows attackers to execute privileged JavaScript code with SYSTEM-level access. Approximately 39% of cloud environments are estimated to have vulnerable instances.
- Action: Immediate patching of React versions 19.x and downstream frameworks like Next.js is mandatory.
2. Fortinet FortiCloud SSO (CVE-2025-59719)
- Status: Critical.
- Details: An authentication bypass vulnerability in FortiCloud SSO allows attackers to log in as legitimate users without credentials.
- Risk: This is a "keys to the kingdom" flaw for managed service providers (MSPs) and organisations relying on Fortinet for network security management.
3. The AI Threat: Model Context Protocol (MCP)
- Emerging Threat: Research released this week indicates a 270% increase in vulnerabilities related to the Model Context Protocol (MCP).
- Context: MCP is becoming the standard for connecting AI agents to data sources. Attackers are exploiting over-permissioned agents to perform "Shadow AI" data exfiltration, bypassing traditional endpoint security.
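The over-permissioned agent problem above is easiest to see in what an MCP server actually advertises. The following is an added example, not code from this briefing or from any MCP project: it takes the JSON-RPC result of a `tools/list` call (the MCP method that enumerates a server's tools), reads the per-tool `annotations` hints the protocol defines (`readOnlyHint`, `destructiveHint`, `openWorldHint`), and compares every tool to a local per-agent allowlist. The server names, tool names, the allowlist and the bulk-read name pattern are all constructed for the demo; the hints are self-reported by the server and only prioritise review, the allowlist is the actual control.

```python
"""Least-privilege review of the tools MCP servers expose to one agent (added example)."""
import json
import re

# Constructed: what two hypothetical internal MCP servers return for tools/list.
TOOLS_LIST_RESPONSES = {
    "crm-server": json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"tools": [
        {"name": "search_customers", "description": "Look up one customer by name",
         "inputSchema": {"type": "object"}, "annotations": {"readOnlyHint": True}},
        {"name": "export_customers_csv", "description": "Export every customer record",
         "inputSchema": {"type": "object"}, "annotations": {"readOnlyHint": True}},
        {"name": "delete_customer", "description": "Delete a customer record",
         "inputSchema": {"type": "object"}, "annotations": {"destructiveHint": True}},
    ]}}),
    "web-server": json.dumps({"jsonrpc": "2.0", "id": 2, "result": {"tools": [
        {"name": "http_post", "description": "POST a body to any URL",
         "inputSchema": {"type": "object"}, "annotations": {"openWorldHint": True}},
    ]}}),
}

# Constructed policy: the support-assistant agent may only use these tools.
ALLOWLIST = {"support-assistant": {"crm-server": {"search_customers"}}}

# Constructed heuristic: names that usually mean "return a lot of records at once".
BULK_NAME = re.compile(r"(export|dump|list_all|bulk)", re.I)


def tools_from_response(payload: str) -> list:
    """Unwrap the tools array from a tools/list JSON-RPC result."""
    return json.loads(payload)["result"]["tools"]


def review(agent: str, responses: dict) -> list:
    """Return (server, tool, finding) triples for this agent.

    A tool is reported when it is outside the agent's allowlist, or when its
    hints say it can destroy data or reach arbitrary external endpoints (the
    path a "Shadow AI" exfiltration would take), or when its name suggests a
    bulk read whose output volume should be reviewed.
    """
    allowed = ALLOWLIST.get(agent, {})
    findings = []
    for server, payload in responses.items():
        for tool in tools_from_response(payload):
            name = tool["name"]
            hints = tool.get("annotations", {})
            if name not in allowed.get(server, set()):
                findings.append((server, name, "not in allowlist: remove the tool or scope the server"))
            if hints.get("destructiveHint"):
                findings.append((server, name, "destructiveHint: irreversible action"))
            if hints.get("openWorldHint"):
                findings.append((server, name, "openWorldHint: can reach arbitrary external endpoints"))
            if BULK_NAME.search(name):
                findings.append((server, name, "bulk-read name: review the data volume it can return"))
    return findings


if __name__ == "__main__":
    for server, tool, finding in review("support-assistant", TOOLS_LIST_RESPONSES):
        print(f"{server}/{tool}: {finding}")
```

Run against the constructed responses, only `search_customers` passes clean; the CSV export is flagged even though it is read-only, because a read-only tool that returns the whole customer table is exactly the data an over-permissioned agent would leak.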
Recommendations
- Immediate Patching: Prioritise React2Shell (CVE-2025-55182) and Fortinet SSO patches. These are currently the primary vectors for initial access.
- Database Hardening: Review all MongoDB instances for public exposure and ensure strict access controls are in place to prevent incidents like the youX breach.
- AI Governance: Audit the use of AI agents and MCP integrations within your environment. Ensure "Shadow AI" tools are not granted excessive permissions to internal APIs.
- Adversary Simulation: With groups like Termite and 0APT aggressively targeting Australian healthcare and finance, test your resilience against their specific TTPs (Tactics, Techniques, and Procedures).
Contact us for a quote for penetration testing service or adversary simulation.