The cyber threat environment in Australia and New Zealand experienced a new escalation throughout 2025, driven by a surge in initial access sales, ransomware operations, and high-impact data breaches. According to our Threat Landscape Report Australia and New Zealand 2025, threat activity observed between January and November 2025 reveals a complex and commercialized underground ecosystem, where compromised network access is actively bought, sold, and exploited across multiple sectors. 

The threat landscape report identifies a persistent focus on data-rich industries, with threat actors disproportionately targeting Retail, Banking, Financial Services, and Insurance (BFSI), Professional Services, and Healthcare organizations. These sectors continue to attract attackers due to the volume of sensitive personally identifiable information (PII), financial data, and downstream access opportunities they offer. 

Growth of Initial Access Sales in 2025 

A central finding of the report is the continued growth of the initial access market. Cyble Research and Intelligence Labs (CRIL) documented 92 instances of compromised access sales affecting organizations in Australia and New Zealand during 2025. Retail organizations were the most heavily targeted, accounting for 31 incidents, or approximately 34% of all observed activity. This figure is more than three times higher than that of the next most targeted sector. 

The BFSI sector recorded nine compromised access listings, followed by Professional Services with seven incidents. Combined, these three sectors accounted for more than half of all initial access listings observed in the region during the reporting period. 

This concentration reflects a strategic approach by initial access brokers. Retail and BFSI organizations routinely handle large volumes of customer data and payment information, making them valuable targets for monetization or follow-on ransomware attacks. Professional Services firms, meanwhile, often provide access to client environments, creating opportunities for supply chain exploitation. 

A Fragmented but Active Access Brokerage Market 

Analysis of the compromised access marketplace reveals a highly fragmented ecosystem rather than one dominated by a small number of major actors. The threat actor known as “cosmodrome” emerged as the most prolific seller of compromised access during the period, followed closely by an actor operating under the alias “shopify.” 

Despite their activity, these actors did not control the market. The top seven most active sellers were collectively responsible for only about 26% of the observed access listings. The remaining activity originated from dozens of individual threat actors who posted listings once or twice, suggesting a low barrier to entry and a marketplace populated by both specialized brokers and opportunistic participants. 

This structure indicates that initial access sales have become an accessible revenue stream for a wide range of threat actors, reinforcing the resilience and scalability of the underground economy. 

High-Impact Incidents Highlight Broader Risks 

Several notable incidents documented in the threat landscape report illustrate how initial access is translated into real-world impact. 

In June 2025, the threat group Scattered Spider was suspected of orchestrating a cyberattack against a major Australian airline. Attackers reportedly gained unauthorized access to a customer service portal, resulting in a data breach that exposed records belonging to nearly six million customers. The compromised data included names, email addresses, phone numbers, dates of birth, and frequent flyer numbers. 

The airline confirmed that more sensitive information, such as credit card details, financial records, and passport data, was not affected because it was not stored in the breached system. Investigators believe the incident may be part of a broader campaign targeting the aviation sector. 

In March, threat actor “Stari4ok” advertised the sale of unauthorized access to a large Australian retail chain on the Russian-language cybercrime forum Exploit. The actor claimed the access involved a hosting server containing approximately 250 GB of data, including a 30 GB SQL database with a user table of around 71,000 records. Based on the claimed annual revenue of USD 2.6 billion and the described industry, the victim appears to be a major retailer, although this has not been independently confirmed. The access was listed for auction with a starting price of USD 1,500. 

Another listing emerged in May when the threat actor “w_tchdogs” offered unauthorized access to a portal belonging to an Australian telecommunications provider on the English-language forum Darkforums. The actor claimed the access provided entry to domain administration tools and critical network information. The listing price was USD 750. 

Data Breaches and Hacktivist Activity 

Not all incidents were tied directly to access sales. In mid-April, unidentified threat actors gained unauthorized access to the IT systems of a prominent accounting firm operating across Australia and New Zealand. The organization publicly confirmed the breach, stating that some data may have been compromised and that an investigation was ongoing. While business operations continued, the firm warned clients of potential phishing attempts and obtained court injunctions in both countries to prevent the dissemination of affected data. As of the time of reporting, no threat group had claimed responsibility. 

Hacktivist activity also remained visible. In January 2025, the group RipperSec claimed to have accessed an optical-fiber network monitoring device belonging to an Australian cable and media services provider. The device was reportedly no longer supported by its vendor. As proof, the group released images suggesting internal defacement and possible data manipulation. 

Want a deeper insight into these threats? Check out Cyble’s Australia and New Zealand Threat Landscape Report 2025 or schedule a demo to see check out how Cyble can protect your organization against these threats. 

The post Initial Access Sales Accelerated Across Australia and New Zealand in 2025 appeared first on Cyble.

Cyble – ​Read More

• Cisco Talos is disclosing a sophisticated threat actor we track as UAT-7290, who has been active since at least 2022.
• UAT-7290 is tasked with gaining initial access as well as conducting espionage focused intrusions against critical infrastructure entities in South Asia.
• UAT-7290’s arsenal includes a malware family consisting of implants we call RushDrop, DriveSwitch, and SilentRaid.
• Our findings indicate that UAT-7290 conducts extensive technical reconnaissance of target organizations before carrying out intrusions.

---

Talos assesses with high confidence that UAT-7290 is a sophisticated threat actor falling under the China-nexus of Advanced Persistent Threat actors (APTs). UAT-7290 primarily targets telecommunications providers in South Asia. However, in recent months we have also seen UAT-7290 expand their targeting into Southeastern Europe.

In addition to conducting espionage focused attacks where UAT-7290 burrows deep inside a victim enterprise’s network infrastructure, their tactics, techniques and procedures (TTPs) and tooling suggests that this actor also establishes Operational Relay Box (ORBs) nodes. The ORB infrastructure may then be used by other China-nexus actors in their malicious operations, signifying UAT-7290’s dual role as an espionage motivated threat actor as well as an initial access group.

Active since at least 2022, UAT-7290 has an expansive arsenal of tooling, including open-source malware, custom developed malware, and payloads for 1-day vulnerabilities in popular edge networking products. UAT-7290 primarily leverages a Linux based malware suite but may also utilize Windows based bespoke implants such as RedLeaves or Shadowpad commonly linked to China-nexus threat actors.

Our findings suggest that the threat actor conducts extensive reconnaissance of target organizations before carrying out intrusions. UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public facing edge devices to gain initial access and escalate privileges on compromised systems. The actor appears to rely on publicly available proof-of-concept exploit code as opposed to developing their own.

UAT-7290 shares overlapping TTPs with known China-nexus adversaries, including the exploitation of high-profile vulnerabilities in networking devices, use of open-source web shells for persistence, leveraging UDP listeners, and using compromised infrastructure to facilitate operations.

Specifically, we have observed technical indicators that overlap with RedLeaves, a malware family attributed to APT10 (a.k.a. MenuPass, POTASSIUM and Purple Typhoon), as well as infrastructure associated with ShadowPad, a malware family used by a variety of China-nexus adversaries.

Additionally, UAT-7290 shares a significant amount of overlap in victimology, infrastructure, and tooling with a group publicly reported by Recorded Future as Red Foxtrot. In a 2021 report, Recorded Future linked Red Foxtrot to Chinese People’s Liberation Army (PLA) Unit 69010.

UAT-7290’s malware arsenal for edge devices

Talos currently tracks the Linux-based malware families associated with UAT-7290 in this intrusion as:

• RushDrop – The dropper that kickstarts the infection chain. RushDrop is also known as ChronosRAT.
• DriveSwitch – A peripheral malware used to execute the main implant on the infected system.
• SilentRaid – The main implant in the intrusion meant to establish persistent access to compromised endpoints. It communicates with its command-and-control server (C2) and carries out tasks defined in the malware. SilentRaid is also known as MystRodX.

Another malware implanted on compromised devices by UAT-7290 is Bulbature. Bulbature, first disclosed by Sekoia in late 2024, is an implant that is used to convert compromised devices into ORBs.

RushDrop and DriveSwitch

RushDrop is a malware dropper that consists of three binaries encoded and embedded within it. RushDrop first makes rudimentary checks to ensure it is running on a legitimate system instead of a sandbox.

Then it either checks for the existence of, or creates a folder called “.pkgdb” in the current working directory of the dropper. RushDrop then decodes and drops three binaries to the “.pkgdb” folder:

• “daytime” – A malware family that simply executes a file called “chargen” from the current working directory. This executor is being tracked as DriveSwitch.
• “chargen” – The central implant of the infection chain, tracked as SilentRaid. SilentRaid communicates with its C2 server, usually in the form of a domain and can carry out action as instructed by the C2.
• “busybox” – Busybox is a legitimate Linux utility that can be used to execute arbitrary commands on the system. 

 DriveSwitch simply executes the SilentRaid malware on the system.

SilentRaid: The multifunctional malware

SilentRaid is a malware written in C++ and consists of multiple functionalities, written in the form of “plugins” embedded in the malware. On execution, it does certain rudimentary anti-VM and analysis checks to ensure it isn’t running in a sandbox. Then the malware simply initializes its “plugins” and contacts the C2 server for instructions to carry out malicious tasks on the infected endpoint. The plugins are built in functionalities, but modular enough to enable the threat actor to stitch together a combination of them during compilation.

Plugin: my_socks_mgr

This plugin handles communication to C2 server. It obtains the C2 IP by resolving a domain using “8[.]8[.]8[.]8” and passes commands received from the C2 to the appropriate plugin.

Plugin:my_rsh

This plugin opens a remote shell by executing “sh” either via either “busybox” or “/bin/sh”. This remote shell is then used to run arbitrary commands on the infected system.

Plugin:port_fwd_mgr

This plugin sets up port forwarding between ports specified — a local port and a port on a remote server. It can also set up port forwarding across multiple ports.

Plugin:my_file_mgr

This is the file manager of the backdoor. It allows the SilentRaid to:

• Read contents of “/etc/passwd”
• Execute a specified file on the system
• Archive directories specified by the C2 using “tar -cvf” – executed via busybox
• Check if a file is accessible
• Remove a file or directory using the “rm” command – via busybox
• Read/write a specified file

SilentRaid can also parse thru x509 certificates and collect attribute information such as:

• id-at-dnQualifier | Distinguished Name qualifier
• id-at-pseudonym | Pseudonym
• id-domainComponent | Domain component
• id-at-uniqueIdentifier | Unique Identifier

Bulbature

The Bulbature malware discovered consisted of the same string encoding scheme as the other UAT-7290’s malware illustrated earlier. Usually UPX compressed, Bulbature can bind to and listen to either a random port of its choosing or one specified via command line via the “-d <port_number>” switch.

Bulbature obtains the local network interface’s name by executing the command:

cat /proc/net/route | awk '{print $1,$2}' | awk '/00000000/ {print $1}'

It also obtains basic system information and the current user using the command:

echo $(whoami) $(uname -nrm)

The malware typically records its C2 address in a config file in the /tmp directory. The file will have the same name as the malware binary with the “.cfg” extension appended to it. The C2 address may be an encoded string.

Bulbature can obtain additional or new C2 addresses from the current C2 and can switch over communications with them instead. The malware can open up a reverse shell with its C2 to execute arbitrary commands on the infected system.

A recent variant of Bulbature contained an embedded self-signed certificate that it used for communicating with the C2. This certificate matches the one from the sample disclosed by Sekoia as well:

509 Certificate:
Version: 3
Serial Number: 81bab2934ee32534
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.11 sha256RSA
    Algorithm Parameters:
    05 00
Issuer:
    O=Internet Widgits Pty Ltd
    S=Some-State
    C=AU
  Name Hash(sha1): d398f76c7ba0bbf79b1cac0620cdf4b42e505195
  Name Hash(md5): 4a963519b4950845a8d76668d4d7dd29
 
NotBefore: 8/8/2019 3:33 AM
NotAfter: 12/24/2046 3:33 AM
 
Subject:
    O=Internet Widgits Pty Ltd
    S=Some-State
    C=AU
  Name Hash(sha1): d398f76c7ba0bbf79b1cac0620cdf4b42e505195
  Name Hash(md5): 4a963519b4950845a8d76668d4d7dd29
 
Cert Hash(sha256): 918fb8af4998393f5195bafaead7c9ba28d8f9fb0853d5c2d75f10e35be8015a

Censys data shows that this certificate, with the exact Serial number, is present on at least 141 hosts, all either located in China or Hong Kong. On Virus Total, many of the IPs identified hosting this certificate are associated with other malware typically associated with China-nexus of threat actors such as SuperShell, GobRAT, Cobalt Strike, etc.

Coverage

The following ClamAV signatures detect and block this threat:

• Unix.Dropper.Agent
• Unix.Malware.Agent
• Unix.Packed.Agent

The following Snort Rule (SIDs) detects and blocks this threat: 65124

IOCs

723c1e59accbb781856a8407f1e64f36038e324d3f0bdb606d35c359ade08200

59568d0e2da98bad46f0e3165bcf8adadbf724d617ccebcfdaeafbb097b81596

961ac6942c41c959be471bd7eea6e708f3222a8a607b51d59063d5c58c54a38d

Cisco Talos Blog – ​Read More

Overview 

The Cyber Security Agency of Singapore has issued an alert regarding a critical vulnerability affecting IBM API Connect, following the release of official security updates by IBM on 2 January 2026. The flaw, tracked as CVE-2025-13915, carries a CVSS v3.1 base score of 9.8, placing it among the most severe vulnerabilities currently disclosed for enterprise automation software. 

According to IBM’s security bulletin, the issue stems from an authentication bypass weakness that could allow a remote attacker to gain unauthorized access to affected systems without valid credentials. The vulnerability impacts multiple versions of IBM API Connect, a widely used platform for managing application programming interfaces across enterprise environments. 

Details of CVE-2025-13915 and Technical Impact 

IBM confirmed that CVE-2025-13915 was identified through internal testing and classified under CWE-305: Authentication Bypass by Primary Weakness. The flaw allows authentication mechanisms to be bypassed, despite the underlying authentication algorithm itself being sound. The weakness arises from an implementation flaw that can be exploited independently. 

The official CVSS vector for the vulnerability is: 

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 

This indicates that the vulnerability is remotely exploitable, requires no user interaction, and can lead to a complete compromise of confidentiality, integrity, and availability. IBM stated that successful exploitation could enable attackers to access the application remotely and operate with unauthorized privileges. 

Data from Cyble Vision further classifies the issue as “very critical,” confirming that IBM API Connect up to versions 10.0.8.5 and 10.0.11.0 is affected.  

Affected IBM API Connect Versions 

IBM confirmed that the following versions are vulnerable to CVE-2025-13915: 

• IBM API Connect V10.0.8.0 through V10.0.8.5 

• IBM API Connect V10.0.11.0 

No evidence has been disclosed indicating active exploitation in the wild, and the vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. 

Cyble Vision data also indicates that the vulnerability has not been discussed in underground forums, suggesting no known public exploit circulation at this time.  

The EPSS score for CVE-2025-13915 stands at 0.37, indicating a moderate probability of exploitation compared to other high-severity vulnerabilities. 

Remediation and Mitigation Guidance 

IBM has released interim fixes (iFixes) to address the vulnerability and strongly recommends that affected organizations apply updates immediately. For IBM API Connect V10.0.8, fixes are available for each sub-version from 10.0.8.0 through 10.0.8.5. A separate interim fix has also been released for IBM API Connect V10.0.11.0. 

IBM’s advisory explicitly states: 
“IBM strongly recommends addressing the vulnerability now by upgrading.” 

For environments where immediate patching is not possible, IBM advises administrators to disable self-service sign-up on the Developer Portal, if enabled. This mitigation can help reduce exposure by limiting potential abuse paths until updates can be applied. 

Cyble Vision reinforces this recommendation, noting that upgrading removes the vulnerability entirely, and that temporary mitigations should only be considered short-term risk reduction measures. 

Broader Security Context 

The disclosure of CVE-2025-13915 reinforces the persistent risk posed by authentication bypass vulnerabilities in enterprise platforms such as IBM API Connect. Classified under CWE-305 and CWE-287, the flaw demonstrates how implementation weaknesses can negate otherwise robust authentication controls. Despite the absence of confirmed exploitation, the vulnerability, remote attack surface, and critical CVSS score of 9.8 make immediate remediation necessary. 

The Cyber Security Agency of Singapore’s alert reflects heightened regional scrutiny of high-impact vulnerabilities affecting widely deployed enterprise software. IBM’s advisory, first published on 17 December 2025 and reinforced in January 2026, provides clear guidance on patching and mitigation. Organizations running affected versions of IBM API Connect should assess exposure without delay and apply the recommended fixes to reduce risk. 

Threat intelligence data from Cyble Vision further confirms the vulnerability’s severity, its impact on confidentiality, integrity, and availability, and the effectiveness of upgrading as the primary remediation. Continuous monitoring and contextual intelligence remain critical for identifying and prioritizing vulnerabilities with enterprise-wide consequences like CVE-2025-13915. 

Security teams tracking high-risk vulnerabilities like CVE-2025-13915 need real-time visibility, context, and prioritization. Cyble delivers AI-powered threat intelligence to help organizations assess exploitability, monitor new risks, and respond faster. 

Learn how Cyble helps security teams stay protected from such vulnerabilities— schedule a demo. 

References: 

• https://www.csa.gov.sg/alerts-and-advisories/alerts/al-2025-126/# 

• https://www.ibm.com/support/pages/node/7255149 

• https://nvd.nist.gov/vuln/detail/CVE-2025-13915 

The post Singapore Cyber Agency Warns of Critical IBM API Connect Vulnerability (CVE-2025-13915)  appeared first on Cyble.

Cyble – ​Read More

Cyble Vulnerability Intelligence researchers tracked 1,782 vulnerabilities in the last week, the third straight week that new vulnerabilities have been growing at twice their long-term rate. 

Over 282 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. 

A total of 207 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 51 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the top IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-66516 is a maximum severity XML External Entity (XXE) injection vulnerability in Apache Tika’s core, PDF and parsers modules. Attackers could embed malicious XFA files in PDFs to trigger XXE, potentially allowing for the disclosure of sensitive files, SSRF, or DoS without authentication. 

CVE-2025-15047 is a critical stack-based buffer overflow vulnerability in Tenda WH450 router firmware version V1.0.0.18. Attackers could potentially initiate it remotely over the network with low complexity, and a public exploit exists, increasing the risk of widespread abuse. 

Among the vulnerabilities added to CISA’s Known Exploited Vulnerabilities (KEV) catalog were: 

• CVE-2025-14733, an out-of-bounds write vulnerability in WatchGuard Fireware OS that could enable remote unauthenticated attackers to execute arbitrary code. 

• CVE-2025-40602, a local privilege escalation vulnerability due to insufficient authorization in the Appliance Management Console (AMC) of SonicWall SMA 1000 appliances. 

• CVE-2025-20393, a critical remote code execution (RCE) vulnerability in Cisco AsyncOS Software affecting Cisco Secure Email Gateway and Cisco Secure Email and Web Manager appliances. The flaw has reportedly been actively exploited since late November by a China-linked APT group, which has deployed backdoors such as AquaShell, tunneling tools, and log cleaners to achieve persistence and remote access. 

• CVE-2025-14847, a high-severity MongoDB vulnerability that’s been dubbed “MongoBleed” and reported to be under active exploitation. The Improper Handling of Length Parameter Inconsistency vulnerability could potentially allow uninitialized heap memory to be read by an unauthenticated client, potentially exposing data, credentials and session tokens. 

Vulnerabilities Under Discussion on the Dark Web 

Cyble dark web researchers observed a number of threat actors sharing exploits and discussing weaponizing vulnerabilities on underground and cybercrime forums. Among the vulnerabilities under discussion were: 

CVE-2025-56157, a critical default credentials vulnerability affecting Dify versions through 1.5.1, where PostgreSQL credentials are stored in plaintext within the docker-compose.yaml file. Attackers who access deployment files or source code repositories could extract these default credentials, potentially gaining unauthorized access to databases. Successful exploitation could enable remote code execution, privilege escalation, and complete data compromise. 

CVE-2025-37164, a critical code injection vulnerability in HPE OneView. The unauthenticated remote code execution flaw affects HPE OneView versions 10.20 and prior due to improper control of code generation. The vulnerability exists in the /rest/id-pools/executeCommand REST API endpoint, which is accessible without authentication, potentially allowing remote attackers to execute arbitrary code and gain centralized control over the enterprise infrastructure. 

CVE-2025-14558, a critical severity remote code execution vulnerability in FreeBSD’s rtsol(8) and rtsold(8) programs that is still awaiting NVD and CVE publication. The flaw occurs because these programs fail to validate domain search list options in IPv6 router advertisement messages, potentially allowing shell commands to be executed due to improper input validation in resolvconf(8). Attackers on the same network segment could potentially exploit this vulnerability for remote code execution; however, the attack does not cross network boundaries, as router advertisement messages are not routable. 

CVE-2025-38352, a high-severity race condition vulnerability in the Linux kernel. This Time-of-Check Time-of-Use (TOCTOU) race condition in the posix-cpu-timers subsystem could allow local attackers to escalate privileges. The flaw occurs when concurrent timer deletion and task reaping operations create a race condition that fails to detect timer firing states. 

ICS Vulnerabilities 

Cyble threat researchers also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2025-30023, a critical Deserialization of Untrusted Data vulnerability in Axis Communications Camera Station Pro, Camera Station, and Device Manager. Successful exploitation could allow an attacker to execute arbitrary code, conduct a man-in-the-middle-style attack, or bypass authentication. 

Schneider Electric EcoStruxure Foxboro DCS Advisor is affected by CVE-2025-59827, a Deserialization of Untrusted Data vulnerability in Microsoft Windows Server Update Service (WSUS). Successful exploitation could allow for remote code execution, potentially resulting in unauthorized parties acquiring system-level privileges. 

Conclusion 

The persistently high number of new vulnerabilities observed in recent weeks is a worrisome new trend as we head into 2026. More than ever, security teams must respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

The post The Week in Vulnerabilities: The Year Ends with an Alarming New Trend  appeared first on Cyble.

Cyble – ​Read More