18 Jul 2025
Week in review
Greetings,
This week, Clive Palmer’s United Australia Party and affiliated group Trumpet of Patriots confirmed they were hit by a ransomware attack that exposed extensive personal data. The breach, discovered on June 23, compromised years of emails, identity documents, banking details, and employment history. While systems have now been secured and restored, the organisations were unable to notify all affected individuals directly. Authorities have been informed, and impacted individuals are urged to monitor their accounts, change passwords, and review past communications for any shared sensitive information.
A new CyCognito study has identified the education sector as the most exposed to cyber risk across all industries, particularly in cloud infrastructure, APIs, and web applications. Vulnerability rates in education are significantly higher: 31% for cloud assets, 38% for APIs, and 35% for web apps, compared to the industry averages of 14%, 21%, and 20%, respectively. The increased risk is attributed to rapid digital transformation, reliance on legacy systems, underfunded cyber security, and small, overstretched IT teams. The fast shift to remote learning has also introduced numerous tools without adequate security controls, making educational institutions prime targets for ransomware, data breaches, and credential theft.
AUSCERT, which counts many educational organisations among its members, is helping the sector mitigate these risks through timely threat intelligence, proactive alerts, expert incident response, and vulnerability notification services. By improving asset visibility and prioritising critical actions, AUSCERT supports long-term resilience in this high-risk environment.
CISA tags Citrix Bleed 2 as exploited, gives agencies a day to patch
Date: 2025-07-11
Author: Bleeping Computer
[AUSCERT has identified the impacted members (where possible) and contacted them via email. Please see AUSCERT bulletin: https://portal.auscert.org.au/bulletins/ESB-2025.4041.2]
The U.S. Cybersecurity & Infrastructure Security Agency has confirmed active exploitation of the CitrixBleed 2 vulnerability (CVE-2025-5777) in Citrix NetScaler ADC and Gateway and is giving federal agencies one day to apply fixes.
Such a short deadline for installing the patches is unprecedented since CISA released the Known Exploited Vulnerabilities (KEV) catalog, showing the severity of the attacks exploiting the security issue.
Interlock ransomware adopts FileFix method to deliver malware
Date: 2025-07-14
Author: Bleeping Computer
Hackers have adopted the new technique called 'FileFix' in Interlock ransomware attacks to drop a remote access trojan (RAT) on targeted systems.
Interlock ransomware operations have increased over the past months as the threat actor started using the KongTuke web injector (aka 'LandUpdate808') to deliver payloads through compromised websites.
CVSS 10 RCE in Wing FTP exploited within 24 hours, security researchers warn
Date: 2025-07-11
Author: The Register
Huntress security researchers observed exploitation of the CVSS 10.0 remote code execution (RCE) flaw in Wing FTP Server on July 1, just one day after its public disclosure.
Wing FTP Server is a cross-platform file-transfer solution, supporting FTP, FTPS, SFTP, and HTTP/S. It is used by over 10,000 customers worldwide for secure data exchange, including Airbus, Reuters, and the US Air Force, according to its website.
New Fortinet FortiWeb hacks likely linked to public RCE exploits
Date: 2025-07-16
Author: Bleeping Computer
[See AUSCERT bulletin https://portal.auscert.org.au/bulletins/ESB-2025.4493]
Multiple Fortinet FortiWeb instances recently infected with web shells are believed to have been compromised using public exploits for a recently patched remote code execution (RCE) flaw tracked as CVE-2025-25257.
News of the exploitation activity comes from threat monitoring platform The Shadowserver Foundation, which observed 85 infections on July 14 and 77 on the next day.
SonicWall SMA Appliances Targeted With New ‘Overstep’ Malware
Date: 2025-07-16
Author: Security Week
[AUSCERT has identified the impacted members (where possible) and contacted them via email]
A threat actor that may be financially motivated has been targeting SonicWall appliances with a new piece of malware, Google’s Threat Intelligence Group warned on Wednesday.
The threat actor, tracked by Google as UNC6148, has been around since at least October 2024. The hackers’ malware can enable data theft, extortion and ransomware deployment, but the researchers have not been able to definitively confirm that they are financially motivated.
It’s worth noting that the lines between state-sponsored hacker attacks and financially motivated cybercrime have become increasingly blurry.
ESB-2025.4716 – IBM QRadar SIEM: CVSS (Max): 7.5
IBM QRadar SIEM version 7.5.0 UP12 IF02 is impacted by multiple vulnerabilities in the gRPC and HTTP/2 protocols, which can lead to denial of service (DoS) conditions.
IBM has addressed these issues via Auto Update.
ESB-2025.4744 – VMware Products: CVSS (Max): 9.3
Critical vulnerabilities in VMware’s VMXNET3, VMCI, PVSCSI, and vSockets components allow attackers with local administrative privileges to execute code or leak memory on host systems or virtual machines. Broadcom has released patches across ESXi, Workstation, Fusion, and VMware Tools to remediate them.
ESB-2025.4752 – Atlassian Products: CVSS (Max): 8.8
Atlassian’s monthly Security Bulletin covers a batch of recent high-severity vulnerabilities affecting their Data Center and Server products. Users are advised to update to the listed fixed versions for each affected product to mitigate potential risks.
ASB-2025.0141 – Oracle Retail Applications: CVSS (Max): 9.8
Oracle has released patches addressing multiple critical vulnerabilities in several Oracle Retail products. Some flaws allow unauthenticated remote attackers to take full control or cause denial of service, so immediate application of the fixes is urged.
Stay safe, stay patched and have a good weekend!
The AUSCERT team