Executive Summary As we analyse the threat landscape over the past 24 hours, the Australian cyber environment is experiencing a highly aggressive pivot by sophisticated threat actors. From the weaponisation of generative AI and agentic browsers to targeted extortion campaigns across our critical sectors, adversaries are actively bypassing traditional perimeter defences. With Australia’s new mandatory ransomware reporting laws and the Cyber Security (Security Standards for Smart Devices) Rules 2025 now in full enforcement, organisations face both heightened regulatory scrutiny and an unforgiving threat environment.

Sector Threat Analysis

Healthcare & IoT The healthcare sector remains under intense siege from ransomware syndicates. In recent days, the 'Termite' ransomware group compromised Genea Fertility, while the emerging '0APT' gang targeted Epworth HealthCare, claiming the exfiltration of over 920 GB of highly sensitive patient and billing records. The Australian Signals Directorate (ASD) continues to warn of high intrusion success rates in this sector, largely facilitated by unpatched Internet of Things (IoT) medical devices. These endpoints frequently lack robust Endpoint Detection and Response (EDR) agents, providing attackers with an initial foothold. Encouragingly, as of 04 March 2026, Australia’s mandatory cybersecurity standards for smart devices are in effect, formally banning universal default passwords and enforcing strict vulnerability disclosure requirements for IoT devices.

SaaS Providers & Government Third-party supply chain risks continue to undermine Australian data sovereignty. In the last 24 hours, threat intelligence confirmed a major cloud data breach involving a global legal intelligence SaaS provider, severely impacting Australian law firms and government agencies. The threat actor, 'FulcrumSec', successfully breached the provider’s AWS environment by exploiting "React2Shell," a critical vulnerability in an unpatched React front-end web application. Meanwhile, government networks remain on high alert following an emergency advisory from the Australian Cyber Security Centre (ACSC) regarding the active exploitation of a maximum-severity zero-day in Cisco SD-WAN controllers (CVE-2026-20127) by the advanced threat actor UAT-8616.

FinTech & Cloud FinTech platforms are being aggressively targeted for data theft. The Australian alternative lending platform 'youX' recently suffered a massive breach, exposing 141 GB of data and over 600,000 loan applications. This compromise was traced back to a suspected MongoDB server leak (CVE-2025-14847) caused by severe cloud misconfigurations. In parallel, penetration testers are observing active exploitation of a critical authentication bypass in Fortinet FortiCloud SSO APIs (CVE-2025-59719), which acts as a master key for attackers to hijack multi-tenant cloud architectures. Furthermore, the Australian Securities and Investments Commission (ASIC) is enforcing strict cybersecurity compliance, demonstrated by a recent AUD 2.5 million penalty to a securities firm for control failures.

Education / EdTech Educational institutions and supporting platforms remain highly lucrative targets for extortion. The 'KillSec' ransomware group has actively claimed breaches against the Australian educational support platform Thanks For the Help (TFTH) and the Albright Institute. Attackers are increasingly leveraging compromised credentials via Phishing-as-a-Service (PHaaS) frameworks to bypass basic Multi-Factor Authentication (MFA) in university and EdTech portals.

eCommerce Digital retail and supply chains face cascading disruptions from double-extortion campaigns. The 'Kairos' ransomware group has successfully disrupted operations at the Seagrass Boutique Hospitality Group and heavily impacted the operational technology networks of major poultry supplier Hazeldenes, demonstrating the interconnected vulnerability of Australia's eCommerce and physical supply chain ecosystems.

Emerging Vulnerabilities: Web Apps, APIs, and AI Systems The last 24 hours have underscored a terrifying evolution in autonomous attack vectors:

• Agentic AI Exploits: Threat actors are heavily targeting AI-connected APIs. Security researchers at Zenity Labs recently disclosed "PleaseFix," an inherent vulnerability in AI-powered "agentic" web browsers like Perplexity's Comet. Attackers are exploiting these systems by embedding malicious prompt injections inside calendar invitations. When processed, the AI agent inherits the user's authenticated context, allowing it to silently exfiltrate files and API secrets without triggering traditional web application firewalls.
• DevSecOps & CI/CD Under Fire: We are tracking autonomous AI bots, such as "hackerbot-claw," actively exploiting GitHub Actions misconfigurations to achieve Remote Code Execution (RCE) and exfiltrate write-scoped tokens. Furthermore, the ModelScope MS-Agent bug (CVE-2026-2256) is being weaponised to execute OS commands via improper input sanitisation.
• Browser & Mobile Flaws: Google has confirmed the active, targeted exploitation of a Qualcomm Android graphics component flaw (CVE-2026-21385), adding it to the CISA Known Exploited Vulnerabilities (KEV) catalog on 03 March 2026. Additionally, a high-severity elevation of privilege vulnerability in Google Chrome’s Gemini AI implementation (CVE-2026-0628) was detailed, highlighting the growing attack surface introduced by embedded AI tooling.

Conclusion The pivot toward cloud identity abuse, AI-driven exploit development, and the targeting of unpatched APIs requires Australian organisations to adopt a strict "assume breach" mentality. Defenders must prioritise rigorous web application testing, comprehensive cloud IAM audits, and the robust sanitisation of data interacting with emerging LLM and AI agents.

Contact us for a quote for penetration testing service or adversary simulation.