2 May 2025
Week in review
Greetings,
This week, Verizon Business released its much-anticipated 2025 Data Breach Investigations Report (DBIR), and the findings should serve as a wake-up call for the cyber security community. The report analysed over 22,000 incidents and more than 12,000 confirmed breaches, painting a sobering picture of the current threat landscape.
Key Takeaways:
• Third-party breaches have doubled, now linked to 30% of incidents, raising supply chain concerns.
• Vulnerability exploitation is up 34%, often targeting perimeter devices and zero-day flaws.
• Ransomware features in 44% of breaches, hitting SMBs hardest—88% of ransomware breaches affected this group.
• Credential abuse (22%) and vulnerability exploitation (20%) remain dominant attack vectors.
• Human error and social engineering continue to play a critical role in breaches.
The report strongly urges organisations to prioritise strong password policies, prompt patching, and comprehensive security awareness training. Espionage-driven attacks are on the rise in the Manufacturing and Healthcare sectors, while Education, Financial, and Retail continue to face persistent threats.
With increasing zero-day and third-party threats, businesses should strengthen patching practices, assess vendor risk, and reinforce human-centric defences. Proactive resilience is key. Read more insights and guidance from the report on the Verizon DBIR site.
Final reminder to register for our upcoming webinar, "The New Competitive Edge? Cyber Security in Value Propositions", on Tuesday, 6 May from 12:00 to 1:00pm. Join AUSCERT General Manager Ivano Bongiovanni and a panel of leading experts as they explore how cyber security is emerging as a powerful strategic differentiator. Discover how it’s reshaping trust, purchasing behaviour, and value creation — and what organisations need to do to stay ahead in a trust-driven economy. Register now to secure your spot.
Storm-1977 targets education sector with password spraying
Date: 2025-04-27
Author: Security Affairs
Over the past year, Microsoft Threat Intelligence researchers observed a threat actor, tracked as Storm-1977, using AzureChecker.exe to launch password spray attacks against cloud tenants in the education sector. AzureChecker.exe connected to sac-auth[.]nodefunction[.]vip to download AES-encrypted data, which, once decrypted, revealed password spray targets. It also accepted an accounts.txt file with username and password pairs, using both datasets to validate credentials against target tenants. Microsoft observed a successful account breach where a threat actor used a guest account to create a resource group and over 200 containers for cryptomining.
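A defender-side illustration of the pattern described above, added here as an example and not taken from the Microsoft report or the article: it flags sources whose failed sign-ins are spread across many accounts with only a few attempts each (the spray signature, as opposed to brute force against one account) and lists any successful sign-in from a flagged source for triage. The log format, field names and sample records are constructed.

```python
"""Flag password-spray patterns in constructed cloud sign-in records."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, source_ip, username, outcome).
# Not real log data; the shape mirrors a generic tenant sign-in log.
SAMPLE_LOGS = [
    ("2025-04-20T10:00:01Z", "203.0.113.7", "alice@example.edu", "failure"),
    ("2025-04-20T10:00:03Z", "203.0.113.7", "bob@example.edu", "failure"),
    ("2025-04-20T10:00:05Z", "203.0.113.7", "carol@example.edu", "failure"),
    ("2025-04-20T10:00:07Z", "203.0.113.7", "dave@example.edu", "failure"),
    ("2025-04-20T10:00:09Z", "203.0.113.7", "guest#EXT#@example.edu", "success"),
    ("2025-04-20T10:05:00Z", "198.51.100.2", "erin@example.edu", "failure"),
    ("2025-04-20T10:05:02Z", "198.51.100.2", "erin@example.edu", "failure"),
    ("2025-04-20T10:05:04Z", "198.51.100.2", "erin@example.edu", "failure"),
    ("2025-04-20T10:05:06Z", "198.51.100.2", "erin@example.edu", "failure"),
    ("2025-04-20T10:09:00Z", "192.0.2.9", "frank@example.edu", "success"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_spray(records, window=timedelta(minutes=10), min_accounts=4, max_per_account=2):
    """Return {source_ip: sorted usernames} for sources whose failures within
    any `window` touch >= min_accounts distinct accounts with at most
    max_per_account failures each. Many accounts with few tries each is the
    spray signature; many tries on one account (198.51.100.2 in the sample)
    is brute force and is deliberately left to a different rule."""
    failures = defaultdict(list)
    for ts, ip, user, outcome in records:
        if outcome == "failure":
            failures[ip].append((parse_ts(ts), user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window per source
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
                break
    return flagged

def successes_from_flagged(records, flagged):
    """Successful sign-ins from a flagged source, such as the guest account
    that went on to create resources in the incident described above."""
    return [(ts, ip, user) for ts, ip, user, outcome in records
            if outcome == "success" and ip in flagged]
```

Tune `min_accounts` and `window` to the tenant's size and normal failure rate before using the thresholds in an alerting rule.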
SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients
Date: 2025-04-29
Author: The Hacker News
Cybersecurity company SentinelOne has revealed that a China-nexus threat cluster dubbed PurpleHaze conducted reconnaissance attempts against its infrastructure and some of its high-value customers.
"We first became aware of this threat cluster during a 2024 intrusion conducted against an organization previously providing hardware logistics services for SentinelOne employees," security researchers Tom Hegel, Aleksandar Milenkoski, and Jim Walter said in an analysis published Monday.
PurpleHaze is assessed to be a hacking crew with loose ties to another state-sponsored group known as APT15, which is also tracked as Flea, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda.
Thousands of Australian bank login details leaked on dark web, and banks can’t stop it
Date: 2025-04-30
Author: 7news
Thousands of Australians’ bank login details are being passed around on the dark web and banks say there’s little they can do to stop it.
More than 31,000 sets of credentials — including those of at least 14,000 Commonwealth Bank customers, 7000 ANZ customers, 5000 NAB customers and 4000 Westpac customers — have been stolen from personal devices infected with malware, the ABC reported.
The stolen details are now circulating on the messaging platform Telegram and dark web forums, according to Australian cyber intelligence firm Dvuln.
Cloudflare mitigates record number of DDoS attacks in 2025
Date: 2025-04-28
Author: Bleeping Computer
Internet services giant Cloudflare says it mitigated a record number of DDoS attacks in 2024, recording a massive 358% year-over-year jump and a 198% quarter-over-quarter increase.
These figures come from Cloudflare's 2025 Q1 DDoS Report, where the company says it mitigated a total of 21.3 million DDoS attacks in 2024.
Melbourne Airport aims to ‘predict the future’ with enhanced cyber visibility
Date: 2025-04-28
Author: iTnews
Melbourne Airport is building up its cyber detection and response capabilities in order to secure 30 million annual passenger journeys, which are enabled by multiple technology systems.
Speaking on the iTnews Podcast, head of cyber security Cheuk Wong said he is heavily focused on having visibility across the airport’s technology ecosystem, from its internal IT to baggage handling systems and even its wi-fi networks.
ESB-2025.2665 – Tenable Identity Exposure
Several of the third-party components (Erlang OTP, OpenSSL) were found to contain vulnerabilities, and updated versions have been made available by the providers.
Michael Randrianantenaina discovered that the Bluetooth driver in the Linux Kernel contained an improper access control vulnerability.
ESB-2025.2650 – Mozilla Firefox
Modification of specific WebGL shader attributes could trigger an out-of-bounds read, which, when chained with other vulnerabilities, could be used to escalate privileges.
Node.js could be made to crash if it received specially crafted network traffic.
Stay safe, stay patched and have a good weekend!
The AUSCERT team