Daily Threat Briefing: Australia - 06 February 2026

Executive Summary

In the last 24 hours, the Australian cyber threat landscape has been dominated by significant escalations in the Education and Healthcare sectors, alongside critical supply chain compromises affecting widely used software. Of particular concern is the shift in threat actor tactics towards "disruption over data theft," as highlighted by intelligence warnings regarding state-sponsored "cyberthugs." Today’s briefing analyses these developments to help your organisation stay resilient.

Sector-Specific Updates

  • Education & EdTech: The Victorian Department of Education has confirmed a major data breach impacting all 1,700 government schools. Unauthorised third-party access in January 2026 exposed the personal information of current and former students, marking one of the largest sector-specific breaches in recent history. Simultaneously, Loyola College is managing the fallout of a ransomware attack by the Interlock gang, who have leaked nearly 600GB of data, including passports and financial records, to the dark web.

  • Healthcare: Epworth HealthCare is currently investigating claims by a ransomware group alleging the theft of 920GB of sensitive data. While Epworth has stated there is currently "no evidence" of the breach, this discrepancy often precedes the release of proof-of-concept data by extortionists. Across the Tasman, Manage My Health released a critical update today (06 Feb) regarding their recent breach; the platform's compromised feature has been secured following unauthorised access, though investigations remain active.

  • SaaS & Software Supply Chain: A sophisticated supply chain attack targeting Notepad++ has been uncovered. State-sponsored actors compromised the open-source editor's update infrastructure (specifically the WinGUp updater) between June and December 2025 to deliver malicious binaries. Organisations using unverified repositories or older versions are at high risk. Additionally, a critical vulnerability in the n8n workflow automation platform (CVE-2026-21858) is being actively exploited, allowing unauthenticated remote code execution (RCE).

  • eCommerce & Insurance: Australian insurance provider Prosura has temporarily shut down key online services after detecting unauthorised internal access. Attackers used this access to send fraudulent emails to customers regarding policies, likely a precursor to a targeted phishing or invoice fraud campaign.

  • Government & Critical Infrastructure: Intelligence warnings issued in the last 24 hours highlight a strategic pivot by state-sponsored actors (linked to groups like Volt Typhoon) from espionage to "cyberthuggery", aiming for mass disruption of public services rather than just data exfiltration. This follows the Australian Government's decisive ban on the DeepSeek AI model from government devices due to data privacy concerns.

Technical Focus: Vulnerabilities in Web, Cloud, and AI

  • n8n Workflow Automation RCE (CVE-2026-21858):
    • Severity: Critical
    • Vector: Unauthenticated Remote Code Execution.
    • Impact: Attackers can execute arbitrary code on the host server without credentials. This is particularly dangerous for SaaS providers integrating n8n for backend automation.
    • Action: Patch immediately to the latest stable release and restrict public access to workflow endpoints.
  • AI Infrastructure Hijacking:
    • New reports indicate cybercriminals are increasingly hijacking legitimate AI hosting services to deploy malicious models or crack password hashes using rented GPU power. This "model poisoning" and resource theft represents a growing vector for AI-driven platforms.
  • WatchGuard Firebox (CVE-2025-14733):
    • Active exploitation continues against unpatched WatchGuard appliances. Ensure firmware is updated to prevent perimeter compromise.

Strategic Recommendations

  1. Verify Software Integrity: In light of the Notepad++ incident, enforce hash verification for all software updates and audit developer tools within your environment.
  2. Education Sector Alert: Schools and EdTech providers should immediately review third-party access logs and enforce MFA on all administrative accounts.
  3. Threat Hunting: Scan for indicators of compromise related to the n8n RCE if your organisation utilises workflow automation tools.
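As an added illustration of Recommendation 1 (and the Notepad++ update-channel compromise above), the following Python script verifies a downloaded installer against a published SHA-256 manifest before it is allowed to run. It is example code written for this briefing, not Notepad++ or any vendor's code; it assumes the common `sha256sum` manifest layout ("<hex digest>  <filename>"), and the installer bytes and digests in `demo()` are constructed here, not real release artefacts.

```python
# Added example for Recommendation 1 (enforce hash verification for updates).
# Not vendor code; assumes a sha256sum-style manifest ("<hex digest>  <filename>").
import hashlib
import hmac
import os
import tempfile

def parse_manifest(manifest_text):
    """Map filename -> expected hex digest from sha256sum-style lines."""
    expected = {}
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # skip blank, comment or malformed lines
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()  # "*name" marks binary mode
    return expected

def sha256_of_file(path):
    """Stream the file so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_update(path, manifest_text):
    """Return (ok, reason); the file must be listed and its digest must match."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, "file not listed in manifest"
    actual = sha256_of_file(path)
    if not hmac.compare_digest(actual, expected[name]):  # constant-time compare
        return False, "digest mismatch: do not install"
    return True, "digest matches manifest"

def demo():
    """Constructed sample: a fake installer checked against good, tampered and incomplete manifests."""
    payload = b"constructed installer payload, not a real release"
    with tempfile.TemporaryDirectory() as tmp:
        installer = os.path.join(tmp, "editor-setup.exe")
        with open(installer, "wb") as fh:
            fh.write(payload)
        good = hashlib.sha256(payload).hexdigest()
        return (verify_update(installer, f"{good}  editor-setup.exe\n"),
                verify_update(installer, "0" * 64 + "  editor-setup.exe\n"),
                verify_update(installer, f"{good}  other.exe\n"))
```

In a deployment pipeline the manifest should be fetched from a channel independent of the download itself (for example the project's signed release page), so that an attacker who controls the update server cannot simply ship a matching digest alongside a tampered binary.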

Contact us for a quote for penetration testing service or adversary simulation.