Welcome to today's threat briefing. Over the last 24 hours, the Australian cyber security landscape has witnessed a rapid escalation in targeted ransomware operations, third-party cloud compromises, and the active exploitation of new zero-day vulnerabilities. As threat actors continually analyse corporate digital footprints and adapt their behaviour, it is critical for Australian organisations to maintain a proactive defensive posture.
Below is an executive summary of the current and emerging cyber threats, prominent threat actors, and recent vulnerabilities impacting key Australian sectors.
Prominent Threat Actors & Emerging Threats
Ransomware-as-a-Service (RaaS) operations are currently dominating the Australian threat landscape. The INC Ransom syndicate and the Anubis ransomware group have been highly active over the past weekend. Concurrently, the Silent Ransom Group (SRG) is executing highly sophisticated, IT-themed social engineering campaigns specifically designed to facilitate initial access.
Sector Threat Breakdown
- Healthcare: Following recent joint advisories from the Australian Cyber Security Centre (ACSC), INC Ransom has been named as a direct and ongoing threat to the healthcare sector. Attackers are heavily relying on compromised credentials to bypass perimeter defences and deploy encryption payloads.
- Government: In the last 48 hours, Mastercom—a major telecommunications provider for local government infrastructure in New South Wales—was listed on INC Ransom's dark web leak site. Additionally, federal government agencies are dealing with downstream data exposures stemming from a significant supply-chain breach.
- SaaS Providers & Cloud: The recent breach of global legal intelligence SaaS provider LexisNexis serves as a harsh reminder of cloud supply-chain risks. Threat actors exploited an unpatched vulnerability in the provider’s cloud environment, exposing sensitive data belonging to Australian law firms and government entities whose internal networks were otherwise secure.
- IoT & Transport: Western Australian aviation operator Shine Aviation was compromised by the Anubis ransomware group, leaking 57GB of data. This breach, which included exposed employee access cards and aircraft certification records, highlights the cascading risks of connected Operational Technology (OT) and IoT ecosystems in regional transport.
- FinTech & eCommerce: Following recent high-profile ransomware incidents at wealth management firms and digital platforms like 13cabs, FinTech and eCommerce applications remain prime targets. Double-extortion tactics are being used to threaten the release of sensitive financial data and source code.
- Education/EdTech: Educational institutions managing massive fleets of student and staff devices are currently in the crosshairs. Threat actors are aggressively scanning for unpatched Mobile Device Management (MDM) portals to push malicious payloads across university networks.
Exploited Vulnerabilities in Focus (Web Apps, APIs, Cloud & AI)
Several critical vulnerabilities have been added to the Known Exploited Vulnerabilities (KEV) catalog in the last few days, requiring immediate triage:
- Web Applications & APIs: We are tracking active in-the-wild exploitation of Ivanti Endpoint Manager Mobile (CVE-2026-1340) for unauthenticated code injection, as well as an Ivanti EPM Authentication Bypass (CVE-2026-1603). Threat actors are targeting these API endpoints to achieve remote code execution (RCE) on enterprise networks.
- Cloud & Network Edge: An improper access control vulnerability in Fortinet FortiClient EMS (CVE-2026-35616) is being leveraged as a frequent initial access vector by ransomware affiliates to infiltrate corporate cloud architectures.
- Web Browsers: A newly disclosed Google Chrome zero-day (CVE-2026-5281) affecting the WebGPU Dawn component is under active exploitation. This vulnerability allows an attacker to execute arbitrary code via crafted HTML pages, posing a massive risk to corporate endpoints.
- AI Systems: A new survey of CTOs indicates that 39% view AI-driven attacks as imminent. Adversaries are using generative AI to scale highly convincing Business Email Compromise (BEC) and phishing campaigns. Furthermore, the unchecked integration of shadow AI tools by employees is introducing severe data governance blind spots that traditional Data Loss Prevention (DLP) controls were not designed to catch.
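To make the KEV triage step concrete, the following is an added example (not the briefing's own tooling) that matches a KEV-style snapshot against an asset inventory and orders the findings by urgency. The KEV field names follow the public CISA JSON feed; the dates, ransomware flags, inventory hosts and product strings are constructed for illustration only.

```python
import json
from datetime import date

# Constructed KEV-style snapshot. Field names mirror the CISA KEV JSON feed;
# the dates and ransomware flags below are illustrative, not real feed data.
KEV_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1340", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile",
     "dateAdded": "2026-05-18", "dueDate": "2026-05-25", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-1603", "vendorProject": "Ivanti", "product": "Endpoint Manager",
     "dateAdded": "2026-05-18", "dueDate": "2026-06-08", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-35616", "vendorProject": "Fortinet", "product": "FortiClient EMS",
     "dateAdded": "2026-05-19", "dueDate": "2026-05-26", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-5281", "vendorProject": "Google", "product": "Chromium",
     "dateAdded": "2026-05-20", "dueDate": "2026-05-27", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: vendor/product pairs the organisation actually runs.
# Note there is no "Endpoint Manager" host, so CVE-2026-1603 should not be reported.
INVENTORY = [
    {"host": "mdm01", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile", "internet_facing": True},
    {"host": "ems01", "vendorProject": "Fortinet", "product": "FortiClient EMS", "internet_facing": True},
    {"host": "wks-fleet", "vendorProject": "Google", "product": "Chromium", "internet_facing": False},
]

def triage(kev_json, inventory, today_iso):
    """Return affected hosts ordered by urgency: ransomware-linked CVEs first,
    then internet-facing assets, then the earliest KEV remediation due date."""
    today = date.fromisoformat(today_iso)
    by_product = {}
    for entry in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault((entry["vendorProject"], entry["product"]), []).append(entry)
    findings = []
    for asset in inventory:
        for entry in by_product.get((asset["vendorProject"], asset["product"]), []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "internet_facing": asset["internet_facing"],
                "days_left": (due - today).days,
            })
    # Sort keys: False sorts before True, so negate the booleans to put hits first.
    findings.sort(key=lambda f: (not f["ransomware"], not f["internet_facing"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_SNAPSHOT, INVENTORY, "2026-05-21"):
        print(f"{f['host']:<10} {f['cve']:<16} ransomware={f['ransomware']} due_in={f['days_left']}d")
```

Exact product-string matching is deliberately strict here; in practice the inventory side needs normalisation (version ranges, product aliases) before this becomes a reliable daily check.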
Summary
The events of the last 24 hours reinforce that robust vulnerability management and supply chain auditing are non-negotiable. Organisations must sanitise third-party dependencies, harden API endpoints, and strictly enforce patch management to counteract the weaponisation of these critical flaws.
Contact us for a quote for penetration testing service or adversary simulation.