This week’s cyber landscape is a reminder that the weakest link is often not a piece of technology, but a moment of human trust. Attackers are blending technical exploits with social engineering, supply chain compromise, and legacy vulnerabilities—making vigilance, patch discipline, and staff awareness more critical than ever for Australian organisations.
The Threats at the Gates
Organisations globally, including in Australia, have faced a wave of sophisticated phishing and malware campaigns. North Korea’s Kimsuky group has ramped up “quishing” attacks, embedding malicious QR codes in phishing emails so that the link is opened on a personal phone, outside the URL rewriting and web filtering applied to corporate mail and managed endpoints. Russian APT28 continues credential harvesting via spoofed Outlook and Google login pages, while China-linked UAT-7290 has breached telecommunications firms by exploiting edge-device flaws and deploying Linux implants. The hospitality sector is being targeted by a new ClickFix campaign that uses fake Booking.com cancellation notices and a faux Blue Screen of Death to talk victims into running commands that deliver the DCRat remote-access trojan. In Brazil, the Astaroth banking trojan is spreading worm-like through compromised WhatsApp contact lists.
Supply chain threats persist: attackers have slipped NodeCordRAT into npm libraries, hijacked Chrome extension namespaces to harvest ChatGPT conversations from over 900,000 users, and leveraged the React2Shell bug to deploy cryptominers and Mirai variants via the RondoDox botnet. Urgent patching is critical following active exploitation of high-severity flaws, including MongoDB’s “MongoBleed” memory-disclosure bug, HPE OneView RCE, Trend Micro Apex Central RCE, and multiple critical n8n automation-platform vulnerabilities. Newly disclosed deserialization weaknesses in popular Bluetooth chips and command injection in unsupported D-Link DSL routers underscore the risks of legacy hardware.
Critical Vulnerabilities and Exploits: The Crumbling Bridges
- VMware ESXi: Attackers exploited three zero-days after breaching SonicWall VPN devices, enabling VM escape and hypervisor compromise.
- HPE OneView: A critical unauthenticated RCE flaw allows full takeover of centralised IT infrastructure.
- Trend Micro Apex Central: Unauthenticated attackers can load malicious DLLs to execute code as SYSTEM.
- n8n Workflow Automation: Multiple RCE bugs allow unauthenticated remote code execution and full system control.
- MongoDB “MongoBleed”: A zlib memory-disclosure vulnerability lets attackers read credentials and tokens out of server memory.
- Legacy D-Link DSL Routers: End-of-life routers remain open to remote command injection.
- Coolify Self-Hosted: Eleven vulnerabilities enable command injection, auth bypass, and info disclosure.
- TOTOLINK EX200: Firmware upload error triggers unauthenticated root-level telnet service.
- Cisco ISE & Snort: XML parsing and DCE/RPC vulnerabilities patched.
- Veeam Backup & Replication: Multiple RCE and privilege escalation flaws.
- npm Packages: AdonisJS BodyParser and jsPDF path-traversal flaws.
- Hitachi Energy Asset Suite: Java deserialization RCE in JasperReports.
- Kimwolf Android Botnet: Over 2 million devices infected via exposed ADB services.
Australian organisations should prioritise patch management, retire unsupported devices, enforce network segmentation, and monitor for signs of compromise.
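The AdonisJS BodyParser and jsPDF entries above are path-traversal flaws, a bug class with a single root cause: a caller-controlled file name is joined onto a base directory without checking that the result still sits inside it. The following is an added illustration in Python of that bug beside its fix. It is not the code of either npm package or of any project named on this page, and the scratch upload directory and file names it uses are constructed for the demonstration.

```python
"""Path traversal: a naive upload handler beside a hardened one (added example)."""
import os
import tempfile


def unsafe_target_path(base_dir: str, user_name: str) -> str:
    # Deliberately vulnerable: '../' segments walk out of base_dir, and when
    # user_name is absolute os.path.join discards base_dir altogether.
    return os.path.join(base_dir, user_name)


def safe_target_path(base_dir: str, user_name: str) -> str:
    """Return an absolute path guaranteed to sit inside base_dir, else raise ValueError."""
    root = os.path.realpath(base_dir)
    if os.path.isabs(user_name):
        raise ValueError("absolute paths are not accepted")
    if "\x00" in user_name:
        # C-level file APIs stop at the NUL, so 'safe.pdf\x00.sh' would open a different file.
        raise ValueError("NUL byte in file name")
    candidate = os.path.realpath(os.path.join(root, user_name))
    # realpath resolves '..' and symlinks first, so comparing the resolved result against
    # root is reliable. commonpath (not startswith) also stops a sibling directory such as
    # '<root>2/' from passing as "inside" root.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload directory: {user_name!r}")
    return candidate


def naive_join_escapes(base_dir: str, user_name: str) -> bool:
    """True when the vulnerable join would resolve to a file outside base_dir."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(unsafe_target_path(base_dir, user_name))
    return os.path.commonpath([root, target]) != root


def demo() -> dict:
    """Exercise both handlers on constructed file names inside a scratch upload directory.

    Returns {label: (naive_join_escapes, hardened_verdict)}.
    """
    with tempfile.TemporaryDirectory() as base:
        # '<root>2/' is a sibling whose name merely starts with the root's name.
        sibling = "../" + os.path.basename(base) + "2/secret.txt"
        cases = {
            "plain": "report.pdf",
            "dotdot": "../../../etc/passwd",
            "absolute": "/etc/passwd",
            "dotdot-inside": "sub/../report.pdf",
            "sibling-prefix": sibling,
        }
        results = {}
        for label, name in cases.items():
            try:
                safe_target_path(base, name)
                verdict = "allowed"
            except ValueError:
                verdict = "rejected"
            results[label] = (naive_join_escapes(base, name), verdict)
        return results


if __name__ == "__main__":
    for label, (escaped, verdict) in demo().items():
        print(f"{label:15} naive join escapes: {str(escaped):5}  hardened: {verdict}")
```

The two checks that most often go missing in real handlers are the absolute-path case (a join silently drops the base) and the sibling-prefix case (a `startswith` test on the string passes `/uploads2/...` when the root is `/uploads`); resolving with `realpath` before a `commonpath` comparison handles both, and symlinks planted inside the directory as well.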
Malware and Botnet Campaigns: The Saboteurs Within
- Kimwolf Android Botnet: Infected over two million devices by exploiting exposed ADB services and proxy networks.
- RondoDox Botnet: Scanning more than 90,000 vulnerable Next.js servers for the React2Shell flaw and deploying cryptominers and Mirai variants on the hosts it compromises.
- Boto Cor-de-Rosa: Weaponises WhatsApp to spread the Astaroth banking trojan.
- PHALT#BLYX: Targets hospitality with fake Booking.com cancellations and a fake BSOD to deliver DCRat.
- BlackCat Affiliates: SEO poisoning tricks users into installing backdoor Trojans.
- NodeCordRAT: Malicious npm packages install RATs and harvest credentials.
- VVS Stealer: Obfuscated Python loader harvesting credentials from over a million browsers.
- State-Aligned Groups: Deploying Hijack Loader, Remcos RAT, and Linux implants in telecom networks.
Australian organisations should urgently secure exposed IoT endpoints (including disabling ADB over TCP on Android devices and keeping its default port 5555 off the internet), enforce multi-factor authentication, and monitor network traffic for anomalous activity.
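Kimwolf spreads through Android devices that expose the ADB daemon on the network, by default TCP port 5555, without authentication. Whether a given device is exposed can be confirmed with the public ADB wire protocol: a CNXN handshake sent to an unauthenticated adbd is answered with a CNXN message carrying the device banner, whereas a daemon that requires a paired key answers AUTH instead. The Python below is an added example, not code from any Kimwolf analysis or from the Android project; the two reply messages it classifies are constructed inside the block (no real device was probed), and `probe()` is the only part that touches the network.

```python
"""Check whether an Android device answers ADB over TCP without authentication (added example)."""
import socket
import struct

# Constants from the public ADB wire protocol. Each message is a 24-byte header of six
# little-endian uint32s (command, arg0, arg1, data_length, data_check, magic) plus payload.
A_CNXN = 0x4E584E43          # b"CNXN"
A_AUTH = 0x48545541          # b"AUTH"
ADB_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    data_check = sum(payload) & 0xFFFFFFFF      # legacy checksum is a plain byte sum
    magic = command ^ 0xFFFFFFFF                 # magic is the bitwise inverse of command
    return HEADER.pack(command, arg0, arg1, len(payload), data_check, magic) + payload


def build_connect_probe() -> bytes:
    """The CNXN an adb host sends first; 'host::' identifies us as a host, not a device."""
    return build_message(A_CNXN, ADB_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_message(raw: bytes):
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, data_len, _check, magic = HEADER.unpack_from(raw)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic; not an ADB message")
    payload = raw[HEADER.size:HEADER.size + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated payload")
    return command, arg0, arg1, payload


def classify_response(raw: bytes):
    """Classify the first message adbd sends back after our CNXN.

    ('open', props)          daemon accepted the connection without auth and sent its banner
    ('auth-required', {})    daemon sent AUTH: a paired key is needed, so it is not freely exposed
    ('unknown', {})          anything else (not ADB, garbage, truncated)
    """
    try:
        command, _arg0, _arg1, payload = parse_message(raw)
    except ValueError:
        return "unknown", {}
    if command == A_AUTH:
        return "auth-required", {}
    if command == A_CNXN:
        banner = payload.rstrip(b"\x00").decode("utf-8", errors="replace")
        # A device banner has the form 'device::key=value;key=value;...'
        _kind, _sep, blob = banner.partition("::")
        props = dict(item.split("=", 1) for item in blob.split(";") if "=" in item)
        return "open", props
    return "unknown", {}


def probe(host: str, port: int = 5555, timeout: float = 3.0):
    """Live check against one host; only this function touches the network.

    A single recv is enough for the short banner or AUTH token adbd sends first.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect_probe())
        raw = sock.recv(HEADER.size + MAX_PAYLOAD)
    return classify_response(raw)


# Constructed replies for offline use; not captured from a real device.
OPEN_REPLY = build_message(
    A_CNXN, ADB_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=test_name;ro.product.model=test_model;ro.product.device=test_device;\x00",
)
AUTH_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)   # arg0=1 is AUTH TOKEN; token bytes are placeholders


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(classify_response(OPEN_REPLY))
        print(classify_response(AUTH_REPLY))
```

An `open` verdict means anyone who can reach the port gets a shell on the device; the fix is `adb usb` (or a reboot, since the TCP listener set with `adb tcpip` does not survive one) plus a firewall rule, and a fleet-wide sweep of port 5555 on the ranges you own.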
Phishing and Social Engineering Techniques: Identity is the New Perimeter
- Kimsuky “Quishing”: QR-code phishing that moves the click onto a personal mobile device, away from the organisation’s email and web filtering.
- MuddyWater: Spear-phishing with malicious Word documents to deploy a Rust-based RAT.
- APT28: Credential harvesting via spoofed login pages.
- Tycoon2FA: Surge in domain-spoofed Office 365 attacks.
- PHALT#BLYX: Fake Booking.com cancellation emails and faux BSOD.
- Callback-Style Phishing: Emerging on Microsoft Teams.
- Deepfake Tools: Undermining KYC checks.
Mitigations should include enforcing phishing-resistant multi-factor authentication (one-time codes and push prompts are simply relayed by adversary-in-the-middle kits such as Tycoon2FA), bolstering staff awareness of QR-code and domain-spoofing lures, and monitoring for anomalous login-page redirects and for sign-in hosts that imitate Microsoft or Google domains.
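One concrete way to act on the last point, added here as an example rather than anything taken from the campaigns described above: sweep outbound proxy logs for sign-in hosts that imitate Microsoft or Google login domains. The log lines, their field layout and the `.example` hosts below are constructed for the demonstration, and the legitimate-zone and brand lists are illustrative assumptions to be tuned to the identity providers your tenant actually uses.

```python
"""Flag outbound proxy hits on hosts imitating Microsoft or Google sign-in pages (added example)."""
from urllib.parse import urlsplit

# Zones where a genuine Microsoft/Google sign-in page may live (assumption for the demo).
LEGIT_ZONES = ("microsoftonline.com", "microsoft.com", "live.com", "office.com", "office365.com", "google.com")

# Brand labels attackers imitate. Generic words ("login", "sso", "accounts") are left out
# because many legitimate SaaS hosts carry them and they would swamp the output.
BRANDS = ("microsoftonline", "microsoft", "office365", "office", "outlook", "onedrive", "sharepoint", "google")

# Cheap homoglyph folding applied before matching: 0ffice -> office, rnicrosoft -> microsoft.
HOMOGLYPHS = (("rn", "m"), ("0", "o"), ("1", "l"))


def is_legit(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == zone or host.endswith("." + zone) for zone in LEGIT_ZONES)


def normalise(host: str) -> str:
    host = host.lower().rstrip(".")
    for glyph, letter in HOMOGLYPHS:
        host = host.replace(glyph, letter)
    return host


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small enough to inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    # Simplification: the label just before the TLD. Production code should consult the
    # public suffix list so that 'brand.com.au' yields 'brand' rather than 'com'.
    labels = host.split(".")
    return labels[-2] if len(labels) >= 2 else host


def lookalike_reason(host: str):
    """Why `host` looks like a spoofed sign-in page, or None if it passes."""
    if is_legit(host):
        return None
    folded = normalise(host)
    for brand in BRANDS:
        if brand in folded:
            return f"brand token '{brand}' outside the legitimate zones"
    label = registrable_label(folded)
    for brand in BRANDS:
        threshold = 2 if len(brand) >= 10 else 1      # allow more slack on long brand names
        if levenshtein(label, brand) <= threshold:
            return f"'{label}' is within edit distance {threshold} of '{brand}'"
    return None


def scan_proxy_log(lines):
    """Lines are '<iso-time> <user> <src-ip> <url> <status>' (constructed layout). Returns flagged hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue                                   # skip malformed lines rather than abort the sweep
        ts, user, src, url, status = fields
        host = urlsplit(url).hostname or ""
        reason = lookalike_reason(host)
        if reason:
            hits.append({"time": ts, "user": user, "src": src, "host": host, "status": status, "reason": reason})
    return hits


# Constructed sample log; the .example hosts are reserved names, not real infrastructure.
SAMPLE_LOG = [
    "2025-01-10T08:12:03Z jsmith 10.0.4.21 https://login.microsoftonline.com/common/oauth2/authorize 200",
    "2025-01-10T08:12:41Z jsmith 10.0.4.21 https://login-microsoftonline.com.verify-account.example/auth 200",
    "2025-01-10T08:13:02Z akhan 10.0.4.33 https://accounts.google.com/signin 200",
    "2025-01-10T08:13:40Z akhan 10.0.4.33 https://accounts-google.example/o/oauth2 302",
    "2025-01-10T08:14:11Z bwong 10.0.4.19 https://intranet.example/portal 200",
    "2025-01-10T08:15:27Z bwong 10.0.4.19 https://0ffice365.example/login 200",
    "2025-01-10T08:16:05Z cdiaz 10.0.4.52 https://login.micosoftonline.com/common/oauth2 200",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['user']:7} {hit['host']:50} {hit['reason']}")
```

Run against real proxy or DNS logs this will produce some noise (any non-allowlisted host that mentions a brand, including legitimate vendor documentation sites), so treat a hit as a triage lead to pair with the user's next sign-in events rather than as an alert in its own right; the edit-distance threshold and the brand list are the two knobs to tune.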
Data Breaches and Ransomware Incidents: What’s at Stake
- BreachForums: Illicit-data marketplace breached, exposing 324,000 user accounts.
- Illinois Department of Human Services: Misconfiguration left nearly 700,000 Medicaid and Medicare recipients’ personal details publicly accessible.
- ManageMyHealth (NZ): Ransomware attack exfiltrated 108 GB of patient records, affecting up to 130,000 individuals.
These breaches underscore ongoing vulnerabilities in public-sector and healthcare systems and the critical need for robust access controls and incident response measures.
State-Sponsored and APT Cyber Operations: The Shadowy Figures
- Kimsuky (North Korea): Deploying QR-code “quishing” in spear-phishing campaigns.
- China-Linked Actors: Exploiting unpatched edge-device vulnerabilities and SonicWall VPNs as the foothold for VMware ESXi zero-day exploits.
- MuddyWater (Iran): Custom Rust-based RATs via malicious VBA-macro documents.
- APT28 (Russia): Credential-harvesting attacks against energy and policy bodies.
- UAT-7290 (China): Implanting Linux malware to create relay nodes in telecom networks.
Australian organisations should urgently patch known exploited vulnerabilities, enforce robust multi-factor authentication, and enhance monitoring for unusual remote-access-tool activity.
Building a Resilient City: Business Actions
- Patch with Purpose: Prioritise actively exploited flaws and track closure.
- Harden Identity: Move to phishing-resistant MFA, enforce conditional access, and rotate high-risk tokens.
- Control the Supply Chain: Maintain a live inventory, lock down CI/CD permissions, whitelist extensions, and scan for malicious packages.
- Segment and Monitor: Isolate OT/IoT, restrict admin/API surfaces, deploy EDR with kernel integrity checks, and monitor cloud-storage and blockchain usage.
- Prepare for Failure: Test ransomware playbooks, verify offline backups, and rehearse third-party breach response.
Final Word: Human Factors and Patch Discipline Are Your Best Defence
This week’s lesson is clear: attackers are exploiting both technology and human behaviour. Speed and discipline in patching, identity management, and supply chain oversight are now board-level concerns. The organisations that measure and improve these areas are the ones best positioned to withstand the next wave of cyber threats.