Australian Daily Cyber Threat Briefing – 15 April 2026

Welcome to today’s threat intelligence update. Over the past 24 hours, our penetration testing and threat intelligence teams have analysed a surge in sophisticated cyber attacks targeting Australian organisations. Threat actors are increasingly shifting their focus towards exploiting misconfigurations in cloud environments, insecure APIs, and emerging AI technologies.

Below is a deep-dive analysis of the current threat landscape, prominent adversaries, and actively exploited vulnerabilities across key Australian sectors.

Sector Threat Analysis

Healthcare & IoT

The Australian healthcare sector is currently facing heightened reconnaissance from ransomware syndicates. In the last 24 hours, we have observed a spike in attacks targeting connected medical devices and hospital IoT infrastructure. Threat actors are exploiting default credentials and unpatched firmware in smart ward monitors to establish a foothold. Once inside, they are leveraging lateral movement techniques to target insecure internal APIs connected to electronic health record (EHR) systems, aiming for bulk patient data exfiltration before deploying ransomware.

SaaS Providers & Cloud Environments

A prominent supply chain threat has emerged for local SaaS providers. We have tracked an active campaign exploiting cloud identity and access management (IAM) misconfigurations. Attackers are abusing overly permissive roles in AWS and Azure environments to steal OAuth tokens. This has allowed unauthorised access to multi-tenant architectures, posing a significant risk of cross-tenant data leakage. SaaS businesses must prioritise the auditing of their cloud infrastructure and implement least-privilege access controls immediately.

FinTech & AI Systems

In the FinTech space, adversaries are moving beyond traditional web application attacks and targeting the underlying AI and machine learning models used for fraud detection and algorithmic trading. We have noted isolated incidents of "prompt injection" and adversarial data poisoning attacks directed at customer-facing, AI-driven financial chatbots. By feeding maliciously crafted inputs, attackers are attempting to bypass AI guardrails to extract sensitive algorithmic logic and internal system APIs.

eCommerce & Web Applications

eCommerce platforms remain a highly lucrative target. Over the last day, we have detected a resurgence in Magecart-style digital skimming campaigns targeting Australian online retailers. Attackers are exploiting newly discovered Cross-Site Scripting (XSS) vulnerabilities and insecure third-party plugins in popular web application frameworks. Furthermore, modern headless eCommerce setups are seeing their GraphQL APIs targeted, where attackers use introspection queries to map out backend infrastructure and exploit broken object level authorisation (BOLA) flaws.

Education / EdTech

With the academic semester in full swing, EdTech platforms and universities are facing aggressive credential stuffing and password spraying attacks. Advanced Persistent Threat (APT) groups are leveraging compromised session cookies to bypass Multi-Factor Authentication (MFA) on student portals. Additionally, unpatched legacy web applications used for online assessments are being targeted via SQL injection (SQLi) to harvest student personally identifiable information (PII).

Government

State-sponsored threat actors continue to probe Australian federal and state government external attack surfaces. Intelligence indicates a concentrated effort to identify and exploit zero-day vulnerabilities in perimeter edge devices, specifically targeting VPNs and firewalls. The focus appears to be on establishing long-term, undetected persistence within government cloud tenancies to monitor communications and exfiltrate policy documents.

Vulnerability & Technology Spotlight

To summarise the technical attack vectors observed in the wild today:

  • Web Applications: Widespread exploitation of DOM-based XSS and unauthenticated remote code execution (RCE) flaws in outdated content management systems (CMS).
  • APIs: Broken Object Level Authorisation (BOLA) and Mass Assignment vulnerabilities are heavily targeted, particularly in FinTech and Healthcare endpoints, allowing attackers to manipulate data belonging to other users.
  • Cloud: IAM privilege escalation and the exploitation of exposed Server-Side Request Forgery (SSRF) vulnerabilities to query cloud metadata APIs and extract temporary access credentials.
  • AI Systems: Sophisticated prompt injection attacks designed to subvert the intended behaviour of Large Language Models (LLMs) integrated into customer support and SaaS platforms.
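To make the API bullet concrete, here is an added example (not code from this briefing or from any vendor) of a single account-update endpoint that shows broken object level authorisation and mass assignment together, beside a hardened version that checks object ownership and binds only an explicit allowlist of fields. The account store, user names and field names are constructed for illustration.

```python
# Added example (not the briefing's code): one account-update endpoint with the
# two API defects named above, BOLA and mass assignment, beside a hardened form.
from dataclasses import dataclass

@dataclass
class Account:
    id: int
    owner: str
    balance_limit: int
    is_admin: bool = False

def make_store() -> dict:
    return {1: Account(1, "alice", 1000), 2: Account(2, "bob", 500)}  # constructed data

# Fields a caller may set through the API. Everything else (owner, is_admin)
# is server-controlled and must never be bound from request input.
WRITABLE_FIELDS = {"balance_limit"}

class Forbidden(Exception):
    pass

def update_vulnerable(store: dict, caller: str, account_id: int, body: dict) -> Account:
    """BOLA plus mass assignment: trusts the id in the URL and binds every field."""
    acct = store[account_id]            # no check that caller owns the object
    for key, value in body.items():     # no allowlist: is_admin=True goes straight in
        setattr(acct, key, value)
    return acct

def update_hardened(store: dict, caller: str, account_id: int, body: dict) -> Account:
    """Object-level authorisation plus an explicit field allowlist."""
    acct = store.get(account_id)
    # Deny unless the caller owns the object; a missing id gets the same denial.
    if acct is None or acct.owner != caller:
        raise Forbidden("not permitted")
    unknown = set(body) - WRITABLE_FIELDS
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    for key in WRITABLE_FIELDS & set(body):
        setattr(acct, key, body[key])
    return acct

def handle(update, store: dict, caller: str, account_id: int, body: dict) -> int:
    """Tiny request layer mapping outcomes to HTTP-style status codes."""
    try:
        update(store, caller, account_id, body)
        return 200
    except Forbidden:
        return 403
    except (ValueError, KeyError):
        return 400
```

Running both handlers with the same cross-user request (alice editing account 2 and setting is_admin) shows the vulnerable path returning 200 and silently elevating the account, while the hardened path returns 403 and rejects unknown fields with 400.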

Proactive Defence is Essential

The velocity at which threat actors are weaponising new vulnerabilities means that compliance-based security is no longer sufficient. Australian organisations must adopt an offensive security mindset to identify and remediate these critical flaws before they are exploited in the wild. Continuous testing of your web applications, APIs, cloud deployments, and AI integrations is paramount to safeguarding your operations and customer data.

Contact us for a quote for penetration testing services or adversary simulation.