Publications

Greetings, This week, we released an exciting episode of the Share Today, Save Tomorrow podcast! Episode 49 – AUSCERT2026: Game On and Win! As we prepare to mark the 25th anniversary of the AUSCERT Cyber Security Conference in 2026, we’re counting down with a special giveaway. Hidden within this episode is a codeword, which you can enter using the form linked in the episode description. Entering the correct codeword will put you in the running to win a free registration to AUSCERT2026! This episode is available now on Spotify, Apple Podcasts, and Soundcloud. Researchers at Palo Alto Networks’ Unit 42 uncovered a sophisticated commercial-grade spyware campaign targeting users of Samsung Galaxy smartphones across 2024 and into early 2025. The malware, named “LANDFALL”, exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s image-processing library, allowing attackers to execute code via malicious DNG (Digital Negative) image files delivered through WhatsApp. Active for at least seven months, the campaign specifically targeted devices including the Galaxy S24, Z Fold 4 and Z Flip 4. Once infected, LANDFALL enabled extensive surveillance by harvesting audio, phone calls, SMS messages, camera photos and real-time location data. The infrastructure points to a commercial surveillance-tool vendor working with government clients, rather than a traditional cyber-crime gang. The discovery signals a growing trend of “zero-click” or minimal-interaction attacks that leverage vulnerabilities in image parsing libraries. Organisations and individuals should remain vigilant by applying patches promptly, restrict app permissions where possible and monitor for unusual device behaviour. Microsoft November 2025 Patch Tuesday fixes 1 zero-day, 63 flaws Date: 2025-11-11 Author: Bleeping Computer [AUSCERT has published security bulletins for these Microsoft updates] Today is Microsoft's November 2025 Patch Tuesday, which includes security updates for 63 flaws, including one actively exploited zero-day vulnerability. This Patch Tuesday also addresses four "Critical" vulnerabilities, two of which are remote code execution vulnerabilities, one is an elevation of privileges, and the fourth is an information disclosure flaw. Hackers exploited Citrix, Cisco ISE flaws in zero-day attacks Date: 2025-11-12 Author: Bleeping Computer [See AUSCERT Bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.4160.4/ https://portal.auscert.org.au/bulletins/ESB-2025.4041.2/] An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware. Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available. Critical Triofox Vulnerability Exploited in the Wild Date: 2025-11-11 Author: Security Week [AUSCERT has shared IoCs related to CVE-2025-12480 via its MISP instance] A threat actor has exploited a critical vulnerability in Triofox to obtain remote access to a vulnerable server and then achieve code execution, Google warns. Designed to ease remote work and data management, Gladinet’s Triofox is a secure file sharing and remote access solution that can be integrated with existing IT infrastructure. Critical Cisco Firewall Flaws Exploited for Denial-of-Service Attacks Date: 2025-11-09 Author: Cyberwarzone [See AUSCERT bulletins: https://portal.auscert.org.au/bulletins/ESB-2025.6814.2/ & https://portal.auscert.org.au/bulletins/ESB-2025.6813.2/] Cisco firewalls, widely deployed across enterprises for their security infrastructure, are now facing a new wave of attacks exploiting previously identified critical vulnerabilities to launch denial-of-service (DoS) campaigns. This development intensifies concerns surrounding two security flaws for which Cisco released patches in late September. Have I Been Pwned Adds 1.96B Accounts From Synthient Credential Data Date: 2025-11-11 Author: Hackread Have I Been Pwned (HIBP), the popular breach notification service, has added another massive dataset to its platform. This time, 1.96 billion accounts connected to the Synthient Credential Stuffing Threat Data, in collaboration with the threat-intelligence firm Synthient. Users who subscribe to HIBP alerts, including this writer, received an email notification stating: “You’ve been pwned in the Synthient Credential Stuffing Threat Data data breach.” ESB-2025.8191 – Intel CIP Software: CVSS (Max): 8.8 Intel has addressed high-severity flaws in its Computing Improvement Program (CIP) software that could allow privilege escalation or information disclosure. ESB-2025.8224 – Zoom: CVSS (Max): 8.1 A high-severity CVE-2025-62484 vulnerability in Zoom Workplace clients allowed an unauthenticated network attacker to escalate privileges. Zoom recommends updating to version 6.5.10 or later on iOS/Android. ESB-2025.8281 – runc: CVSS (Max): 7.8 Dangerous flaws in runC could let attackers escape Docker containers and gain root access on the host. Fixes are available in updated runC versions. ASB-2025.0213 – Microsoft Windows: CVSS (Max): 9.8 Microsoft patched CVE-2025-62215, a Windows Kernel race-condition flaw that allowed authorized attackers to locally elevate privileges to SYSTEM. The zero-day was actively exploited. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” – ep 49: AUSCERT2026: Game On and Win! In this episode, we’re joined by AUSCERT’s Principal Analyst, Mark Carey-Smith, and Business Manager, Bek Cheb. Together, they discuss the upcoming AUSCERT2026 Cyber Security Conference, celebrating its 25th anniversary, and explore what “Game On!” means for the cyber security community. Competition Alert! As a way of thanking you for your continued support, we’ve got a special giveaway just for our listeners: 1. Listen out for the secret codeword in this episode. 2. Enter it in this form for your chance to win a free AUSCERT2026 registration! This episode was hosted by Bek Cheb.   The AUSCERT podcast can also be found on Spotify and Apple Podcasts.

Greetings, Time is running out to submit a tutorial proposal for AUSCERT2026! Submissions close Monday November 10, so be sure to get in now before it’s too late. If you have practical experience or a unique perspective on cyber security practices, this is your chance to lead an in-depth session and share your insights with peers from across the industry. We encourage submissions from professionals of all backgrounds and experience levels, whether you're a seasoned trainer or a first-time presenter. All successful applicants will receive complimentary conference registration, plus costs covered for flights and accommodation. In a recent update, SonicWall has confirmed that the September security breach involving unauthorised access to firewall configuration backup files was the work of a state-sponsored threat actor. The company enlisted cyber security firm Mandiant, to investigate the incident, which has now concluded with findings that the breach was limited to a specific cloud environment accessed via an API call. Mandiant determined that SonicWall’s core products, firmware, systems, tools, source code, and customer networks remained unaffected. The breach, first disclosed on September 17, exposed sensitive data stored in certain MySonicWall accounts. These configuration files contained credentials and tokens that could potentially simplify exploitation of customer firewalls. In response, SonicWall urged affected users to reset various credentials linked to their accounts and network configurations. By October 9, SonicWall clarified that all customers utilising its cloud backup service were impacted, though the breach was contained and did not compromise the integrity of its broader infrastructure. The company also emphasised that this incident was unrelated to separate attacks by the Akira ransomware gang, which targeted MFA-protected VPN accounts later that month. Critical WordPress Post SMTP Plugin Vulnerability Puts 400,000 Sites at Risk of Account Takeover Date: 2025-11-04 Author: GBHackers A critical vulnerability has been discovered in the Post SMTP WordPress plugin, affecting over 400,000 active installations across the web. The vulnerability, identified as CVE-2025-11833 with a CVSS score of 9.8, allows unauthenticated attackers to access sensitive email logs and execute account takeover attacks on vulnerable WordPress sites. Critical Flaw in Popular React Native NPM Package Exposes Developers to Attacks Date: 2025-11-05 Author: Security Week Software supply chain security firm JFrog has disclosed the details of a critical vulnerability affecting a popular React Native NPM package. React Native is an open source framework designed for creating applications that work across mobile, desktop and web platforms. The vulnerability discovered by JFrog researchers, tracked as CVE-2025-11953 and assigned a CVSS score of 9.8, impacts the React Native Community CLI NPM package (@react-native-community/cli), which provides command-line tools for building apps and which has roughly two million downloads every week. Australia warns of BadCandy infections on unpatched Cisco devices Date: 2025-10-31 Author: Bleeping Computer The Australian government is warning about ongoing cyberattacks against unpatched Cisco IOS XE devices in the country to infect routers with the BadCandy webshell. The vulnerability exploited in these attacks is CVE-2023-20198, a max-severity flaw that allows remote unauthenticated threat actors to create a local admin user via the web user interface and take over the devices. Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch Date: 2025-11-01 Author: Hackread A vulnerability in the Windows Server Update Service (WSUS) is being actively exploited by cybercriminals to plant Skuld Staler malware, according to new research from the cybersecurity firm Darktrace. This service, which helps companies manage Microsoft updates in a centralised manner across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets. Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) Date: 2025-11-04 Author: Zscaler Zscaler uncovered a vulnerability in Keras that exposed AI and machine learning environments to file access and network exploitation risks, highlighting the urgent need to secure the AI model supply chain. Through responsible disclosure and ongoing research, Zscaler helps enterprises stay protected from emerging AI threats with a Zero Trust approach. ESB-2025.7991/ – Apple iOS and iPadOS 18.7.2: CVSS (Max): 8.8 Apple has released iOS 18.7.2 and iPadOS 18.7.2 to address multiple security vulnerabilities—including several high-severity issues (up to CVSS 8.8)—that could allow data exposure, privilege escalation, or remote code execution. ESB-2025.7983 – Cisco Unified Contact Center Express: CVSS (Max): 9.8 Cisco has released critical patches for Unified Contact Center Express to fix two remote code execution and authentication bypass vulnerabilities (CVE-2025-20354, CVE-2025-20358) that could allow unauthenticated attackers to gain root privileges or execute arbitrary scripts remotely. ESB-2025.7947 – Radiometrics VizAir: CVSS (Max): 10.0 CISA has issued an advisory for multiple critical (CVSS 10.0) vulnerabilities in Radiometrics VizAir that allow unauthenticated remote attackers to alter weather and runway data, potentially disrupting airport operations and flight safety. ESB-2025.7914 – Tenable Identity Exposure: CVSS (Max): 9.9 Tenable has released Identity Exposure version 3.77.14 to address multiple high and critical vulnerabilities (up to CVSS 9.9) in third-party components including .NET, SQL Server, and curl. ESB-2025.7911/ – Google Android: CVSS (Max): 9.8* Google has released the November 2025 Android Security Bulletin addressing critical vulnerabilities, including a remote code execution flaw in the System component (CVSS 9.8), which could be exploited without user interaction. Stay safe, stay patched and have a good weekend! The AUSCERT team

Greetings, A new episode of the Share Today, Save Tomorrow podcast is out now! Episode 48: Cyber Resilience and AI Risk: Insurance, Regulation & Boardroom Strategy. Our host, Bek Cheb, is joined by two of WTW’s Cyber and Technology Risk team, Ben Di Marco & Leah Mooney, to expertly unpack the evolving landscape of AI governance, cyber risk, and insurance. They explore how voluntary guardrails are shaping future regulation, why cyber insurance is now essential (not optional), and the practical steps SMEs and large enterprises can take to boost resilience. This episode is available now on Spotify, Apple Podcasts, and YouTube! This week, it was reported that several Tasmanian government agencies have been affected by a cyber attack on a third-party system used to manage student data. The breach stems from VETtrak, a student management software platform developed by ReadyTech, which provides services to the Department for Education, Children and Young People, the state’s fire and emergency services, and the health department. ReadyTech first disclosed the incident to the ASX on October 17, confirming that the affected platform had been isolated while an investigation was underway. Although the Tasmanian government has stated there is currently no evidence that sensitive student information was accessed, ReadyTech later confirmed that cybercriminals had posted a small number of documents containing personal data online. The company has reported the breach to the Australian Federal Police and advised the public not to attempt to view or download the stolen material. Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation Date: 2025-10-24 Author: The Hacker News [AUSCERT has published security bulletins for these Microsoft updates] Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. QNAP warns of critical ASP.NET flaw in its Windows backup software Date: 2025-10-27 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ASB-2025.0173/] QNAP warned customers to patch a critical ASP.NET Core vulnerability that also impacts the company's NetBak PC Agent, a Windows utility for backing up data to a QNAP network-attached storage (NAS) device. Tracked as CVE-2025-55315, this security bypass flaw was found in the Kestrel ASP.NET Core web server and enables attackers with low privileges to hijack other users' credentials or bypass front-end security controls via HTTP request smuggling. 10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux Date: 2025-10-29 Author: The Hacker News Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. "The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS," Socket security researcher Kush Pandya said. Chrome Zero-Day Exploitation Linked to Hacking Team Spyware Date: 2025-10-27 Author: Security Week The exploited Chrome vulnerability, tracked as CVE-2025-2783 and described as a sandbox escape issue, was caught in the wild in a sophisticated cyberespionage campaign attributed to a state-sponsored APT. Firefox was affected by a similar flaw, tracked as CVE-2025-2857. Dubbed Operation ForumTroll, the campaign targeted education, finance, government, media, research, and other organizations in Russia and used phishing emails masquerading as forum invitations to deliver personalized, short-lived links taking victims to websites containing the exploit for CVE-2025-2783. WordPress security plugin exposes private data to site subscribers Date: 2025-10-29 Author: Bleeping Computer The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information. The plugin provides malware scanning and protection against brute-force attacks, exploitation of known plugin flaws, and against database injection attempts. Identified as CVE-2025-11705, the vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and affects versions of the plugin 4.23.81 and earlier. ESB-2025.7820 – Splunk: Splunk AppDynamics Private Synthetic Agent: CVSS (Max): 9.8 Splunk remedied common vulnerabilities and exposures (CVE-2022-48622, CVE-2024-45159) in Third Party Packages in Splunk AppDynamics Private Synthetic Agent version 25.7.0 and higher. ESB-2025.7801 – Ubuntu: Squid: CVSS (Max): 10.0 Leonardo Giovannini discovered that Squid failed to redact HTTP Authentication credentials in a default configuration. An attacker could possibly use this issue to obtain sensitive information. ESB-2025.7733 – SUSE: MozillaFirefox: CVSS (Max): 9.8 The Firefox Extended Support Release 140.4.0 ESR update addresses multiple security vulnerabilities, including use-after-free, out-of-bounds access, information leaks, and potential code execution issues. It also includes fixes for several memory safety bugs in Firefox and Thunderbird. ESB-2025.7722 – SUSE: govulncheck-vulndb: CVSS (Max): 9.9 This update adds or updates a large set of new Go CVE Numbering Authority (CNA) identifiers each mapped to corresponding CVE and/or GHSA aliases, expanding the vulnerability database index for Go modules. ESB-2025.7712 – Debian: thunderbird: CVSS (Max): 9.8 Multiple security issues were discovered in Thunderbird, which could result in the execution of arbitrary code. Stay safe, stay patched and have a good weekend! The AUSCERT team

Brand Protection from Phishing at Scale with AUSCERT’s Takedown Service A major public-facing institution experiences a surge in phishing attempts during key financial times of the year. Its digital identity is frequently exploited by threat actors who impersonate it to extract sensitive information from individuals. Challenge High Volume of Phishing Attempts: A surge in phishing websites exploiting the institution’s renowned name at specific times. Sophisticated Lures: Many campaigns used official-looking domains and cloned websites to deceive users. Urgency to Protect the Brand and the Public: Public trust and safety depended on removing malicious content quickly. Limited Internal Takedown Resources: The institution had good detection capabilities, but takedown requests would have been too time-consuming for them. Solution 1. Direct Reporting Channel The institution securely submitted suspected phishing URLs, screenshots, and email headers to AUSCERT using an encrypted, member-only channel. During peak financial milestones, submissions rose to hundreds per week. 2. Triage & Verification AUSCERT analysts manually verified each submission for validation. Automation was supplemented with human analysis to confirm malicious behaviour and avoid false positives. 3. Takedown Execution AUSCERT initiated takedowns by contacting: Hosting providers and registrars. Domain authorities. Third-party abuse contacts across global networks. Where possible, they also used CERT partnerships and API integrations for rapid removal. 4. Threat Intelligence Sharing All verified malicious domains and infrastructure were added to AUSCERT’s Malicious URL Feed, protecting other members in real time. They were also added to Google Safe Browsing and Netcraft. 5. Follow-Up & Feedback The institution received status updates on takedown progress and closure, including success confirmations and timelines, allowing for clear internal reporting. Outcome Dozens of phishing sites removed weekly, in particular during key financial milestones. Fast turnaround on phishing domain deactivation, reducing public harm and reputational risk, and enhancing brand protection. Community-wide defence by integrating takedown IOCs into AUSCERT’s threat feeds. Scalable support that delivers on brand protection. Reliance on AUSCERT’s strong network of international partnerships. Possibility to have comprehensive overview of takedown statistics.

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” – ep 48: Cyber Resilience and AI Risk: Insurance, Regulation & Boardroom Strategy In this episode of Share Today, Save Tomorrow, we are joined by two of WTW’s Cyber and Technology Risk team, Ben Di Marco & Leah Mooney, to expertly unpack the evolving landscape of AI governance, cyber risk, and insurance. They explore how voluntary guardrails are shaping future regulation, why cyber insurance is now essential (not optional), and the practical steps SMEs and large enterprises can take to boost resilience. The discussion highlights the importance of cross-functional collaboration, board-level engagement, and clear risk communication to navigate a complex threat environment. Whether you’re in cyber security, risk, or leadership, this episode offers valuable insights to help you stay ahead of regulatory change and emerging digital risks. This episode was hosted by Bek Cheb. The AUSCERT podcast can also be found on Spotify, Apple Podcasts, and our YouTube channel!

Greetings, Today we officially opened our Call for Tutorials for the AUSCERT2026 Conference, and we can’t wait to see the incredible submissions that come through. The standard rises every year, and we know 2026 will be no exception. Submissions close 10 November, so get in early! For details on tutorial categories and submission tips, head to our conference website. In case you missed it, we’ve also revealed our AUSCERT2026 theme: Game On! Step into the cyber arena where defenders are the most valuable players, tactics are everything, and every move matters. Game On! embodies the fast-paced, high-stakes nature of cyber security today where teamwork, quick thinking, and domain mastery are the keys to victory. With the threat landscape as our playing field, AUSCERT2026 challenges players to level up, unite under pressure, and face adversaries head-on. Featuring the International Cyber Championships, next year’s conference promises high-impact learning, fierce collaboration, and game-changing moments. Because in this arena, the stakes are real and it’s Game On! We look forward to welcoming you 19-22 May 2026 at The Star Gold Coast, Australia. Keep an eye out, registrations will open in January! AWS outage crashes Amazon, Prime Video, Fortnite, Perplexity and more Date: 2025-10-20 Author: Bleeping Computer AWS outage has taken down millions of websites, including Amazon.com, Prime Video, Perplexity AI, Canva and more. The outage started approx 30 minutes ago and it's affecting consumers in all regions, including the United States and Europe. According to AWS Health page, Amazon is aware of major disruption affecting multiple services. Oracle Releases October 2025 Patches Date: 2025-10-21 Author: Security Week [AUSCERT has published security bulletins for these Oracle updates] Oracle on Tuesday released 374 new security patches as part of its October 2025 Critical Patch Update (CPU), including over 230 fixes for vulnerabilities that are remotely exploitable without authentication. There appear to be roughly 260 unique CVEs in Oracle’s October 2025 CPU advisory, including a dozen critical-severity flaws. CISA Adds Microsoft, Oracle Vulnerabilities To KEV Catalog Date: 2025-10-20 Author: The Cyber Express The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added five CVEs to its Known Exploited Vulnerabilities (KEV) catalog today, including Microsoft, Apple and Oracle vulnerabilities. Hidden "Glassworm" malware spreads through infected VS Code extensions Date: 2025-10-21 Author: iTnews A new malware worm campaign has infected multiple Microsoft Visual Studio Code extensions using invisible Unicode characters to hide malicious code from both reviewers and security tools, security researchers say. The worm, named Glassworm, compromised seven extensions on the OpenVSX marketplace on October 17, reaching more than 10,700 downloads. Email Bombs Exploit Lax Authentication in Zendesk Date: 2025-10-17 Author: Krebs on Security Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Zendesk is an automated help desk service designed to make it simple for people to contact companies for customer support issues. Earlier this week, KrebsOnSecurity started receiving thousands of ticket creation notification messages through Zendesk in rapid succession, each bearing the name of different Zendesk customers, such as CapCom, CompTIA, Discord, GMAC, NordVPN, The Washington Post, and Tinder. ESB-2025.7610 – Atlassian Products: CVSS (Max): 10.0 14 high-severity vulnerabilities which have been fixed in new versions of Atlassian products. ASB-2025.0198 – Oracle Communications Applications: CVSS (Max): 9.8 This Critical Patch Update contains 64 new security patches for Oracle Communications Applications. 46 of these vulnerabilities may be remotely exploitable without authentication. ESB-2025.7565 – Rockwell Automation 1783-NATR: CVSS (Max): 10.0 This upgrade patches vulnerabilities where successful exploitation could result in a denial-of-service, data modification, or in an attacker obtaining sensitive information. ESB-2025.7544 – Samba: CVSS (Max): 10.0 USN-7826-1 fixed vulnerabilities in Samba where an authenticated attacker could possibly use this vulnerability to obtain sensitive information. ESB-2025.7495 – Tenable Identity Exposure: CVSS (Max): 9.9 Tenable Identity Exposure leverages third-party software to help provide underlying functionality. One of the third-party components (.NET) was found to contain vulnerabilities. Stay safe, stay patched and have a good weekend! The AUSCERT team

As artificial intelligence (AI) continues to transform the cyber landscape, access to practical, trustworthy guidance is imperative. These assets empower organisations to stay ahead of emerging threats, foster a culture of responsible innovation, and contribute to a safer digital future for all. The following resources are freely available for download: Artificial Intelligence Perspective – Executive Briefing Pack AI Policy Statement and Guidelines for Staff Developed by the Cyber Leaders Network’s Artificial Intelligence working group, these resources were created to help organisations confidently navigate and implement responsible AI practices. The Cyber Leaders Network brings together cyber security professionals from across industries to collaborate, share best practices, and exchange insights on emerging challenges. Coordinated by AUSCERT, the Network provides a trusted forum for leaders to collectively strengthen Australia’s cyber resilience. All resources are shared under a Creative Commons Attribution 4.0 International License (CC BY 4.0), allowing you to share and adapt the material with appropriate credit to the AUSCERT Cyber Leaders Network.

Third-party providers remain one of the biggest blind spots in cyber security. With most major breaches originating from third-party vulnerabilities, it’s critical to assess and manage these relationships with precision. Developed by the Cyber Leaders Network’s Third-Party Risk Management working group, this resource offers a practical framework to help security teams make informed decisions and reduce exposure: Third-Party Risk and Contract Management Decision Tree Toolkit The Cyber Leaders Network brings together cyber security professionals from across industries to collaborate, share best practices, and exchange insights on emerging challenges. Coordinated by AUSCERT, the Network provides a trusted forum for leaders to collectively strengthen Australia’s cyber resilience. This artefact is shared under a Creative Commons Attribution 4.0 International License (CC BY 4.0), allowing you to share and adapt the material with appropriate credit to the AUSCERT Cyber Leaders Network.

Greetings, This week, we have released a new episode of the Share Today, Save Tomorrow podcast, Episode 47: Building Cyber Resilience with Lucas from the AUSCERT Dev Team. Our host, Bek, chats with Lucas Rossdeutscher, one of AUSCERT’s senior software developers, for an engaging behind-the-scenes look at MSINs (Member Security Incident Notifications) – a personalised and vital security service that helps AUSCERT members stay ahead of emerging threats. Lucas offers practical advice on how members can make the most of this tool to strengthen their cyber resilience and streamline their incident response efforts. Listeners will also get to know the person behind the code, as Lucas shares stories from his half-marathon training journey, his love of coffee, and how his passion for cyber security developed over time. This episode is available now on Spotify and Apple Podcasts now! After nearly a decade, Windows 10 is now unsupported as of 14th October 2025, marking a major shift for millions of users and organisations still relying on the operating system. Despite running on over a third of the world’s PCs, Microsoft have now ceased providing security updates, leaving unpatched vulnerabilities that cybercriminals could exploit. Ondrej Kubovič from ESET (a global digital company) warned that continuing to use unsupported systems creates “a significantly larger attack surface,” exposing users to data theft, malware, and potential operational or reputational damage. He recommends that if upgrading isn’t immediately possible, organisations should implement strict security controls such as restricting user privileges, limiting exposed services, using VPNs, and enhancing monitoring and audits. Still, Kubovič stresses that these measures are only stopgaps. “Temporary fixes can buy you time, but they are not a substitute for a full upgrade,” he said. “Start planning your transition now to avoid unnecessary risks.” F5 releases BIG-IP patches for stolen security vulnerabilities Date: 2025-10-15 Author: Bleeping Computer [AUSCERT has published security bulletins for these F5 updates and an ASB-https://portal.auscert.org.au/bulletins/ASB-2025.0175] Cybersecurity company F5 has released security updates to address BIG-IP vulnerabilities stolen in a breach detected on August 9, 2025. The company disclosed today that state hackers breached its systems and stole source code and information on undisclosed BIG-IP security flaws. F5 added that there's no evidence the threat actors leveraged the undisclosed vulnerabilities in attacks and said it has not yet found evidence that the flaws have been disclosed. Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws Date: 2025-10-14 Author: Bleeping Computer [AUSCERT has published security bulletins for these Microsoft updates] Today is Microsoft's October 2025 Patch Tuesday, which includes security updates for 172 flaws, including six zero-day vulnerabilities. This Patch Tuesday also addresses eight "Critical" vulnerabilities, five of which are remote code execution vulnerabilities and three are elevation of privilege vulnerabilities. Qantas says customer data released by cyber criminals Date: 2025-10-13 Author: iTnews Qantas Airways confirmed customer data stolen in a July breach had been published by cybercriminals. Qantas says customer data released by cyber criminals The airline said in July that more than a million customers had sensitive details such as phone numbers, birth dates or home addresses accessed in one of Australia's biggest cyber breaches in years. Another four million customers had just their name and email address taken during the hack, it said at the time. Annual Cyber Threat Report 2024-2025 Date: 2025-10-14 Author: ASD ACSC Australia is an early and substantial adopter of digital technology which drives public services, productivity and innovation. Our increasing dependency on digital and internet-connected technology means Australia remains an attractive target for criminal and state-sponsored cyber actors. In FY2024–25, ASD’s ACSC received over 42,500 calls to the Australian Cyber Security Hotline – a 16% increase from the previous year, over 1,200 cyber security incidents – an 11% increase, more than 1,700 times of potentially malicious cyber activity – an 83% increase from last year – highlighting the ongoing need for vigilance and action to mitigate against persistent threats. Oracle silently fixes zero-day exploit leaked by ShinyHunters Date: 2025-10-14 Author: Bleeping Computer Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. The flaw was addressed with an out-of-band security update released over the weekend, which Oracle said could be used to access “sensitive resources.” ESB-2025.7359 – Adobe: Adobe Connect: CVSS (Max): 9.3 Adobe has released a security update for Adobe Connect. This update resolves critical and moderate vulnerabilities that could lead to arbitrary code execution and security feature bypass. ESB-2025.7350 – F5 Networks: F5 BIG-IP (all modules): CVSS (Max): 9.8 Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing. (CVE-2016-2148) ESB-2025.7295 – Debian: Linux: CVSS (Max): 9.8 Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks. ESB-2025.7269 – Linux kernel (Azure): CVSS (Max): 9.8* Several security issues were discovered in the Linux kernel. An attacker could possibly use these to compromise the system. ESB-2025.7222 – Red Hat: kernel: CVSS (Max): 7.8 A heap out-of-bounds write affecting Linux since v2.6.19-rc1 was discovered in net/netfilter/x_tables.c. This allows an attacker to gain privileges or cause a DoS (via heap memory corruption) through user name space. Stay safe, stay patched and have a good weekend! The AUSCERT team

LISTEN HERE: AUSCERT “Share Today, Save Tomorrow” – ep 47: Building Cyber Resilience with Lucas from the AUSCERT Dev Team In this episode of the Share Today, Save Tomorrow podcast, host Bek chats with Lucas, one of our senior software developers, for a behind-the-scenes look at MSINs — a vital security service for AUSCERT members. Lucas takes us through his development journey and explains how the dev team builds and maintains the systems that power AUSCERT’s incident response and threat intelligence capabilities. He also shares practical advice on how members can make the most of these services to strengthen their own cyber resilience. This episode was hosted by Bek Cheb. The AUSCERT podcast can also be found on Spotify and Apple Podcasts.

Greetings, The hacking collective Scattered Lapsus$ Hunters has continued its campaign of cyber extortion this week, targeting major Australian organisations including Telstra and Qantas. The group, which has claimed responsibility for a string of recent Salesforce-based attacks, alleged it had stolen millions of customer records from both companies and threatened to release the data unless “a resolution” was reached. Telstra was listed on the group’s darknet leak site overnight, with hackers claiming to hold 19 million sets of personal data including names, mobile numbers, and addresses. However, Telstra has denied the breach, confirming that the data was scraped from publicly available sources and did not come from its systems. Cyber Daily’s analysis suggests the information instead matches data from Reverse Australia, a public reverse phone lookup service. Meanwhile, Qantas has also reappeared on Scattered Lapsus$ Hunters’ leak site following an earlier breach in June. The group claims to possess over five million records of personally identifiable information, including customer names, contact details, and Frequent Flyer numbers, with a data release deadline set for 10 October. Qantas said its systems remain secure and that the incident stemmed from a third-party contact centre platform. The airline continues to strengthen its cyber defences and support affected customers. Oracle Rushes Patch for CVE-2025-61882 After Cl0p Exploited It in Data Theft Attacks Date: 2025-10-06 Author: The Hacker News [AUSCERT has published a MISP event with IOCs. Also see bulletin https://portal.auscert.org.au/bulletins/ASB-2025.0163] Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. ShinyHunters Wage Broad Corporate Extortion Spree Date: 2025-10-07 Author: Krebs on Security A cybercriminal group that used voice phishing attacks to siphon more than a billion records from Salesforce customers earlier this year has launched a website that threatens to publish data stolen from dozens of Fortune 500 firms if they refuse to pay a ransom. The group also claimed responsibility for a recent breach involving Discord user data, and for stealing terabytes of sensitive files from thousands of customers of the enterprise software maker Red Hat. Salesforce refuses to pay a ransom in recent wave of attacks Date: 2025-10-08 Author: SC Media News that Salesforce has refused to negotiate or pay a ransom in the recent wave of cyberattacks experienced by at least 39 of its customers was viewed as a double-edged sword by some security professionals. “Salesforce's public refusal to pay the ransom sets a precedent that discourages future extortion attempts,” MacKenzie Brown, vice president, Adversary Pursuit Group at Blackpoint Cyber. “However, this strategy shifts the risk to their customers, who must now prepare for a potential data leak.” Redis warns of critical flaw impacting thousands of instances Date: 2025-10-06 Author: Bleeping Computer [See AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.7128] The Redis security team has released a patch for a vulnerability CVE-2025-49844 which could allow threat actors to gain remote code execution on thousands of vulnerable instances. An authenticated threat actor can exploit a 13-year-old use-after-free vulnerability to escape the Lua sandbox to establish a reverse shell for persistent access and achieve remote code execution on the targeted Redis host. SonicWall Concludes Investigation Into Incident Affecting MySonicWall Configuration Backup Files Date: 2025-10-08 Author: Arctic Wolf Recommendations On September 17, 2025, SonicWall released a knowledge base article detailing the exposure of firewall configuration backup files stored in certain MySonicWall accounts. As of October 8, 2025, the investigation has concluded and SonicWall has updated their advisory accordingly. While the original SonicWall advisory stated that under 5% of customers using the MySonicWall configuration file backup feature were affected by the incident, the finalized verbiage now specifies that all customers who have used SonicWall’s cloud backup service were affected. ASB-2025.0163 – Oracle E-Business Suite: CVSS (Max): 9.8 Oracle released an emergency patch to fix CVE-2025-61882, a critical remote-code-execution flaw in its E-Business Suite that has already been exploited by the Cl0p group in data theft campaigns. ESB-2025.7127 – Tenable Security Center: CVSS (Max): 10.0 Tenable fixed a medium-severity access control flaw (CVE-2025-36636) in Security Center ≤ 6.6.0, with the issue resolved in version 6.7.0. ESB-2025.7128 – redis: CVSS (Max): 9.9 Redis has disclosed a maximum-severity use-after-free flaw (CVE-2025-49844) in its Lua scripting engine that enables remote code execution when exploited. ESB-2025.7165 – IBM Db2 Data Management Console: CVSS (Max): 8.3 IBM warned of critical flaws in Db2 Data Management Console 3.1.12, including RCE via SnakeYAML, now added to CISA’s KEV catalog. Upgrading to version 3.1.13+ is strongly advised. Stay safe, stay patched and have a good weekend! The AUSCERT team