October 2025 Cyber Environment Update

Alan Grant | SOC Analyst | 301 October 2025        

Welcome to Fortian’s October 2025 cyber environment update!

October underscored that global cyber coordination can become fragile when government shutdowns, supply-chain breaches, and emerging zero-days collide. Nation-state operations, ransomware gangs, and financially motivated collectives all expanded their reach, exploiting trusted platforms and third-party providers.

In Australia, the month brought significant incidents across education, aviation, technology, and telecommunications, alongside new ACSC advisories and policy developments.

Policy & Strategic Developments

Cyber Security Awareness Month

October was Cyber Security Awareness Month, built around the ACSC’s four weekly themes of event logging, legacy technology, supply-chain and third-party risk, and quantum readiness. Each week encouraged Australian organisations to strengthen foundational practices, understanding what’s happening across their systems, replacing or isolating outdated technology, securing vendor connections, and preparing for the coming wave of post-quantum encryption change. Fortian supported the campaign through two blog posts:

CISA affected by U.S. Shutdown

The U.S. government shutdown has left the Cybersecurity and Infrastructure Security Agency (CISA) operating with only about 35% of its workforce. This reduces its ability to monitor and defend critical infrastructure such as energy and water systems at a time of elevated threat activity. The shutdown coincided with the expiration of the 2015 Cybersecurity Information Sharing Act, which had previously provided liability protection for companies sharing threat intelligence with peers and the government. While both Republicans and Democrats support renewing the Act, it was collateral damage from the current standoff, and the lapse of this legal framework reportedly caused several corporations to pause their participation in information-sharing programs out of concern for legal exposure. This breakdown in coordination weakens collective defence not only domestically but also globally, given the U.S.'s role in international intelligence exchange. Ironically, the disruption overlapped with the launch of Cybersecurity Awareness Month. (TheWashingtonPost)

New Australian Ambassador for Cyber Affairs and Critical Technology Named

The Australian government announced Jessica Hunter as its new Ambassador for Cyber Affairs and Critical Technology. A veteran of the Australian Signals Directorate and former ACSC threat operations leader, Hunter will lead Australia’s international cyber engagement, focusing on resilience building and regional cooperation. (ARNNET)

Cyber Incident Review Board Recruitment Begins

In parallel, the government opened recruitment for the new Cyber Incident Review Board, created under the Cyber Security Act 2024. The board will conduct independent, no-fault reviews of major incidents, extracting lessons without attributing blame. Candidates are being sought with deep cyber expertise, board-level experience, and security clearances, with an expert panel to provide additional support. (CyberDaily)

The Annual Cyber Threat Report 2024-2025 from ACSC

The ACSC released its 2024-2025 Annual Cyber Threat Report in October. According to the report, Australia’s 2024–25 cyber threat landscape was dominated by a surge in both state-sponsored and criminal activity, with the ASD reporting an 11% rise in incidents and escalating financial losses for businesses. State-based actors from China and Russia continued targeting government, defence, and critical infrastructure networks using espionage and “living-off-the-land” techniques, while cybercriminals expanded ransomware and data-theft campaigns. Ransomware remained the most disruptive threat, with multi-layer extortion tactics and a 219% increase in reported losses for large enterprises. Identity fraud and information-stealer malware also proliferated, driven by a maturing cybercrime-as-a-service ecosystem that includes initial-access brokers, bulletproof hosting, and cryptocurrency laundering networks.

Emerging technologies are intensifying the threat environment. Generative AI is being weaponised for scalable phishing, deepfakes, and data analysis, while the frequency of denial-of-service attacks surged more than 280%, heavily affecting financial, telecommunications, and healthcare sectors. Vulnerability exploitation, legacy IT, weak logging, and supply-chain exposures remain the most common attack vectors. In response, the ASD urges organisations to adopt an “assume-compromise” mindset and focus on four defensive priorities: modern logging and monitoring, legacy replacement, third-party risk management, and preparation for post-quantum cryptography. (ACSC)

International Cyber Environment

ShinyHunters and “Scattered Lapsus$ Hunters” Continue to Target Salesforce

ShinyHunters, alongside actors claiming ties to Scattered Spider and Lapsus$ under the name “Scattered Lapsus$ Hunters,” have launched a leak site extorting 39 companies (including Qantas, see below) after Salesforce-related breaches, publishing stolen data samples and demanding victims respond before October 10 to avoid full disclosure. High-profile firms such as FedEx, Disney, Google, Cisco, Marriott, Qantas and IKEA are listed, with attackers alleging theft of up to 1.5 billion records via malicious OAuth app abuse and stolen tokens. They also threatened Salesforce directly, demanding ransom and citing GDPR failures. Salesforce issued a statement that it has found no compromise of its platform or vulnerabilities, is working with authorities, and continues to support affected customers. (BleepingComputer)(Cyberdaily)

China-nexus group allegedly behind F5 breach

U.S. security firm F5 has confirmed that a nation-state actor, reportedly linked to China, breached its internal systems and stole portions of source code, vulnerability data, and customer configuration information from its engineering network. Although F5 found no evidence of supply-chain tampering or compromised customer devices, the exposure of internal code and vulnerability intelligence represents a significant risk given the company’s extensive use across enterprise and government environments. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive urging federal agencies to review their environments for F5 assets (including BIG-IP, F5OS, and NGINX), ensure systems are fully patched, restrict external access to management interfaces, and monitor for anomalous authentication or configuration activity. Australian organisations are advised to adopt the same measures. (TheHackerNews)(CISA)

Asahi Group (Japan)

The ransomware-as-a-service gang Qilin claimed responsibility for a cyberattack on Asahi Group Holdings, Japan’s largest brewer, which forced the stoppage of production, order-processing and shipping systems across six of its domestic beer plants beginning 29 September 2025. Qilin alleged that it exfiltrated approximately 27 GB of data (over 9,300 files including financial documents, contracts, employee personal data and business forecasts) and published 29 sample images of stolen documents on its leak site. While Asahi has confirmed that a ransomware incident occurred and data may have been transferred without authorisation, the authenticity of the group’s claims and whether a ransom demand was made remain unverified. (Reuters)

Renault (UK)

Renault Group confirmed that a third-party data processor suffered a breach exposing UK customer information, including names, addresses, contact details, dates of birth, and vehicle registration numbers, though no financial data or passwords were affected. The automaker stated that the incident was swiftly contained, its own systems were not compromised, and relevant authorities, including the UK Information Commissioner’s Office, were notified. The breach underscores ongoing supply-chain risks in the automotive sector (reference September’s monthly update), where third-party vendors remain frequent targets for data theft. (Express)

Harvard University (US)

The Clop ransomware gang has publicly claimed responsibility for breaching Harvard University and added the institution to its data-leak site, stating that data archiving is in progress and a torrent link will be released soon. The group, which operates under TA505 (also known as FIN11) and is listed by Canadian authorities as a financially motivated ransomware-as-a-service group, has a track record of exploiting zero-day vulnerabilities in file-transfer and enterprise tools (for example, the MOVEit Transfer vulnerability CVE-2023-34362) to exfiltrate large amounts of data before demanding extortion payments. (SecurityAffairs)

Capita (UK)

UK-based company Capita was fined £14 million by the UK Information Commissioner’s Office (ICO) for a cyber incident in March 2023 that exposed the personal data of approximately 6.6 million individuals, including pension scheme members, staff and customers of organisations it services. The ICO’s investigation found critical shortcomings: a malicious file downloaded on 22 March triggered a high-priority alert within 10 minutes, but the affected device wasn’t quarantined for 58 hours, allowing attackers to gain administrator privileges, move laterally and ultimately exfiltrate nearly 1 terabyte of data. Among the failings cited were inadequate patching of known vulnerabilities, a Security Operations Centre (SOC) that was poorly resourced and under-performing, weak penetration testing (and failure to act on its findings) and over-privileged administrative accounts enabling broad lateral movement. The ICO initially proposed a fine of £45 million but reduced it in light of Capita’s post-incident remediation, victim support and regulator engagement, culminating in the voluntary settlement of £14 million. (ICO)(TheRegister)

Red Hat Consulting (Global)

Red Hat has confirmed that attackers gained unauthorised access to a self-managed GitLab instance used exclusively by its Consulting division. The threat actor, Crimson Collective, claims to have exfiltrated around 570 GB of compressed data from over 28,000 repositories, including approximately 800 Customer Engagement Reports that may contain infrastructure diagrams, configurations, credentials and other sensitive client-details. While Red Hat emphasises that its core products, software supply chain and production environments remain unaffected, the consultancy-linked nature of the compromised data poses a potential risk to downstream clients reliant on those engagements. (BleepingComputer)

Australian Cyber Incidents

Qantas Customer Data Leaked on The Dark Web After Ransom Standoff

Hackers (likely Scattered Lapsus$ Hunters, mentioned previously) leaked 153GB of Qantas customer data to the dark web after the airline refused ransom demands. The breach, traced back to a third-party call centre compromise in June, exposed up to five million records including names, emails, phone numbers, birth dates, and frequent flyer numbers, though no credit card or passport details were included. Despite an injunction to prevent release, the data was dumped online on 10 October 2025, with cybersecurity researchers confirming its legitimacy.

The attack was part of a wider campaign by the hacker collective Scattered Lapsus$ Hunters (SLSH), which claimed to target 39 companies via Salesforce-related exploits. Although it threatened to release over a billion records, only six organisations including Qantas, Fujifilm, GAP, and Vietnam Airlines had data leaked. SLSH has since declared a “war on Australia,” vowing continued attacks while facing increased law enforcement pressure, including FBI domain seizures. (ACS)

Western Sydney University Breach Update

Between 19 June and 3 September 2025, Western Sydney University discovered that unauthorised attackers had accessed a student-management system hosted by a third-party provider via linked external IT systems. The breach enabled exfiltration of personal data, including names, addresses, emails, phone numbers, dates of birth, student/staff IDs, bank account and tax-file numbers, driver-licence and passport details, health and disability information, employment and payroll records, and legal/complaint-case details.

The university confirmed that fraudulent phishing emails sent on 6 October used data stolen in this incident. Under instruction from the NSW Police Cybercrime Squad, the university delayed public disclosure, has notified regulatory authorities, issued individual notifications to impacted current and former students/staff, and obtained an interim injunction barring use or disclosure of the stolen information. The university has apologised for the impact, pledged support for affected individuals, and committed to strengthening cyber defences and supply-chain oversight. (Western Sydney University)

Vocus (Dodo & iPrimus) SIM Swap Breach

Vocus-owned ISP Dodo confirmed that attackers compromised around 1,600 email accounts on 17 October 2025. Using this access, the threat actors executed at least 34 SIM-swapping attacks, hijacking mobile numbers by provisioning new SIM cards. The company suspended its email services, implemented forced password resets, and worked with victims to reverse fraudulent activity. Some affected customers, however, reported long delays regaining access. The case highlights the ongoing risk of email compromise as a stepping stone to account takeover and mobile fraud. (ABC)

CBS Tasmania Ransomware Attack

Not-for-profit aged-care and disability provider Community Based Support Ltd (CBS Tasmania) was listed on the Lynx ransomware gang’s leak site on 10 October 2025, with proof-of-breach samples indicating the theft of employee and client records such as addresses, financial information and identity documents. CBS Tasmania has stated its core operations were not disrupted, but the incident nonetheless marks a departure from Lynx’s earlier claims of avoiding attacks on government or not-for-profit sectors and, unsurprisingly, underscores the questionable reliability of so-called ransomware “codes of ethics”. (Cyberdaily)

Benedict Targeted by INC Ransom Gang

The ransomware group INC Ransom has claimed responsibility for a breach of Australian recycling and landscaping firm Benedict Industries, alleging that around 270 GB of HR, payroll and other workplace records were exfiltrated and listed on 10 October 2025. While publicly verifiable details are limited, the incident underscores INC Ransom’s growing interest in penetrating Australian mid-to-large enterprises. (Hookphish)

VETtrak Software Disruption

Melbourne-based ReadyTech’s VETtrak student management system experienced a cyber-incident that caused a nationwide service outage for many education and training providers. The company later confirmed that a threat actor had published a “small number of documents containing personal information” from the platform. The disruption impacted multiple users including Tasmanian government agencies that rely on VETtrak for student management functions. Investigation and response efforts are ongoing; while ReadyTech has notified Australian cybersecurity authorities and sought an injunction to prevent further dissemination of data, it has not yet confirmed the full scope of the data breach or quantified how many records were accessed.

ACSC Advisories

The ACSC released four key advisories in October, addressing critical flaws in Cisco, Oracle, Microsoft, and F5 products.

Cisco IOS XE Devices (CVE-2023-20198)

  • The ACSC alert reports that cyber actors are installing an implant known as “BADCANDY” on vulnerable Cisco IOS XE Software devices affected by CVE‑2023‑20198. The implant is a Lua-based web shell allowing unauthenticated remote actor control of the device’s management interface; while the implant does not persist across a reboot, intruders may already have created persistent credentials or tunnels. The ACSC estimates over 400 devices in Australia may have been compromised since July 2025 (with over 150 still active as of late October) and warns of re-exploitation if the underlying vulnerability remains unpatched. Organisations are urged to apply Cisco’s patch for CVE-2023-20198 immediately, review device configurations for unexpected administrator accounts or tunnel interfaces, restrict web UI access, reboot affected devices, and follow Cisco’s hardening guide for edge devices. (ACSC)
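As an added illustration (not code from the ACSC alert or from Cisco), the following Python script audits a constructed IOS XE running-config for the three things the advisory says to review after a CVE-2023-20198 compromise: privilege-15 accounts not on a known-good list, tunnel interfaces, and a web UI left enabled without an access-class. The sample config, the account and interface names in it, and the allow-list of administrators are all assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample running-config (not captured from a real device). The
# "svc_backup" account and Tunnel99 stand in for artefacts an operator would
# not expect to find; the hashes are placeholders.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$placeholder
username svc_backup privilege 15 secret 9 $9$placeholder
!
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
!
interface Tunnel99
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet1
 tunnel destination 198.51.100.7
!
ip http server
ip http secure-server
"""


@dataclass
class AuditResult:
    unexpected_admins: list[str] = field(default_factory=list)
    tunnel_interfaces: list[str] = field(default_factory=list)
    web_ui_enabled: bool = False
    web_ui_restricted: bool = False


def audit_config(config: str, expected_admins: set[str]) -> AuditResult:
    """Collect the review items named in the ACSC alert from a running-config."""
    result = AuditResult()
    for line in config.splitlines():
        line = line.rstrip()
        m = re.match(r"^username (\S+) privilege 15\b", line)
        if m and m.group(1) not in expected_admins:
            result.unexpected_admins.append(m.group(1))
        m = re.match(r"^interface (Tunnel\d+)\b", line)
        if m:
            result.tunnel_interfaces.append(m.group(1))
        if line in ("ip http server", "ip http secure-server"):
            result.web_ui_enabled = True
        if line.startswith("ip http access-class "):
            result.web_ui_restricted = True
    return result


def findings(result: AuditResult) -> list[str]:
    """Turn an AuditResult into human-readable items for the reviewer."""
    out = [f"unexpected privilege-15 account: {u}" for u in result.unexpected_admins]
    out += [f"tunnel interface present, confirm it is sanctioned: {t}" for t in result.tunnel_interfaces]
    if result.web_ui_enabled and not result.web_ui_restricted:
        out.append("web UI enabled without 'ip http access-class'; restrict or disable it")
    return out


if __name__ == "__main__":
    for item in findings(audit_config(SAMPLE_CONFIG, {"netops"})):
        print(item)
```

Run it against `show running-config` output saved to a file by replacing `SAMPLE_CONFIG` with the file contents; any hit warrants manual review, since a sanctioned tunnel or account is not an indicator on its own.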

Oracle E-Business Suite (CVE-2025-61882)

  • Oracle has disclosed CVE-2025-61882, a critical remote code execution vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. The flaw is remotely exploitable without authentication, allowing attackers to target affected systems over a network without credentials. Australian organisations are advised to review their environments for vulnerable instances and consult the Oracle Security Advisory for mitigation guidance. (ACSC)

Microsoft WSUS (CVE-2025-59287)

  • A deserialization flaw allows unauthenticated attackers to execute code with system privileges on WSUS servers (2012–2025). Successful exploitation could give full control of update servers.
  • Mitigation: Patch per Microsoft guidance and confirm updates are applied. (MSRC)(ACSC)

F5 Products

  • F5 has released an advisory regarding a cybersecurity incident affecting certain F5 systems, alongside its October 2025 quarterly security notification detailing multiple critical vulnerabilities across BIG-IP, BIG-IP Next, F5OS-A/C, and Silverline devices. Affected builds include major releases 15.x through 17.x, as well as Next SPK, CNF, and Kubernetes versions. Organisations are advised to review F5 advisories K000154696, K000156572, and K67091411, apply the recommended patches or hotfixes, upgrade unsupported appliances, and subscribe to F5 security updates to maintain protection. (ACSC)

Wrap Up

October underscored how trust, visibility, and coordination remain critical weak points in global and Australian cyber defence.

For Australian organisations, the key takeaways are:

  • Third-party and supply chain risk must be treated as primary exposures requiring contractual, technical, and monitoring controls.
  • Identity remains the frontline, demanding phishing-resistant MFA, credential rotation, and ongoing vigilance against SIM swapping and infostealers.
  • Source code repositories and CI/CD pipelines are now high-value targets and must be hardened with secrets scanning, access restrictions, and monitoring.
  • Ransomware groups continue to show both opportunism and disregard for ethical claims, requiring proactive planning, backups, and tested incident response playbooks.