Ben Watson & Allan Grant | SOC Analyst | 1 May 2025

Welcome to Fortian's April cyber threat environment summary!

April saw a sharp escalation in state-aligned cyber activity, with China and Russia intensifying operations and the U.S. scaling back its cyber defence leadership and funding with rising pressure on global cyber security infrastructure and frameworks like MITRE and CVE.

In Australia, the superannuation, education, and health sectors were hit by breaches, while new ransomware reporting laws and critical vulnerability advisories signalled a growing urgency to harden defences.

U.S.–China Cyber Tensions

In April, tensions between China and the United States continued over cyber issues. China accused the United States of launching cyberattacks against critical industries and breaching the registration system for the Asian Winter Games held in February. Chinese authorities claimed three National Security Agency (NSA) agents, allegedly supported by the Universities of California and Virginia Tech, activated pre-installed backdoors in Windows devices to access personal information of athletes and support staff involved in the games.

China responded by issuing arrest warrants for the agents and offering rewards for any information related to the alleged attacks. This move mirrors recent U.S. actions against Chinese nationals accused of state-sponsored attacks on American critical infrastructure.

The U.S. government denied involvement, just as China previously denied its role in similar U.S. infrastructure attacks. However, an April report by The Wall Street Journal alleged that in a secret meeting with the former Biden administration, Chinese officials admitted responsibility for the Volt Typhoon attacks, framing them as retaliation for U.S. support of Taiwan. SCMP, Reuters

U.S. Cyber Cuts and Layoffs

The U.S. administration moved forward with further cuts to cybersecurity programmes in April:

• Early in the month, President Trump dismissed NSA and U.S. Cyber Command chief Gen. Timothy Haugh and his deputy Wendy Noble. The firings occurred shortly after Trump met with far-right activist Laura Loomer, who reportedly pushed for their removal. While the dismissals appear politically motivated, they further destabilise federal cybersecurity leadership already weakened by funding cuts. AP News
• Additionally, Trump revoked the security clearances of former CISA Director Chris Krebs and several SentinelOne employees. An April 9 White House memo labelled Krebs a "bad-faith actor" and called for a Justice Department investigation into his past actions at CISA, citing alleged censorship and mishandling of classified material. Krebs was previously fired by Trump in 2020 for affirming the 2020 election was secure. Dark Reading
• CISA also suffered operational setbacks. The agency announced it would no longer provide VirusTotal and Censys access to its 500+ threat hunters due to budget cuts. These tools are critical to analysing threats and producing reports relied on by industry and government. GB Hackers
• In April, the U.S. administration cancelled $28 million in CISA contracts with the MITRE Corporation, leading to the termination of 442 MITRE employees. MITRE, a nonprofit organisation, develops the globally used CVE database and ATT&CK framework. Concerns emerged that MITRE's CVE programme might lose its funding altogether. On April 17, CISA confirmed an 11-month funding extension. BleepingComputer, CyberDaily

The Trump administration's cuts to US cybersecurity programs including CISA and MITRE have global implications, including for close allies like Australia.

Cybersecurity teams, including those in the Australian private sector, can rely heavily on U.S. provided cyber infrastructure and frameworks such as the ATT&CK and CVE. Uncertainty around these have the potential to affect how Australian organisations track and mitigate emerging threats.

Annual Threat Reports Released

April was a month in review with many cybersecurity providers releasing reports on the 2024 threat landscape. We have reviewed these reports and identified some concurrent themes, as follows:

Manufacturing industry targeted by threat actors

• The manufacturing sector remained a top target, ranked as the most attacked industry for the fourth year running. Reasons include the sector's supply chain significance, high-value intellectual property, and ageing infrastructure. One report also suggested that manufacturing firms are more likely to pay ransomware demands, making them more attractive to attackers than government or education sectors. IBM, Check Point
• CrowdStrike highlighted a 2–3x increase in China-linked attacks on manufacturers compared to previous years.

Chinese threat actors conducted the most cyber attacks

• Chinese state-aligned groups significantly expanded operations in 2024, increasing attacks by over 150%. These operations often aimed to embed long-term access to critical infrastructure, enabling future disruptive campaigns.
• This surge aligns with Chinese General Secretary Xi Jinping's directive for China to become a "cyber power." The state has invested heavily in cyber education, sponsoring universities and hosting domestic capture-the-flag events to nurture talent.
• Chinese threat actors pivoted to targeting cloud-based services in 2024. One technique leveraged a bug in the Microsoft sign-in flow that allowed them to validate credentials without logging a sign-in event. Once they had validated the correct credentials, the threat actor would perform automated exfiltration of SharePoint documents. From start to finish this only took the attack just under 14 minutes. CrowdStrike, Check Point

Lumma information stealer emerges as most prevalent stealer

• The Lumma information stealer was the most detected malware on dark web forums in 2024, with 3.7 million references, 2.4 million more than the next most prevalent, RisePro. Believed to be of Russian origin, Lumma steals cryptocurrency wallets, browser session cookies, two-factor extensions, and FTP credentials.
• Lumma not only steals information but can also be used to deliver additional malware using PowerShell scripts or other executables. The malware is sold as malware-as-a-service in Russian speaking forums and most commonly infects victim devices when it is downloaded from compromised websites by victims. In 2024, however, distribution of information stealers via email increased by 84%, indicating a change in tactic by infostealer operators. Trellix, Sophos
• Fortian recommends security teams consult the deep dive report into Lumma linked above to ensure they are familiar with how it operates.

FBI Releases Annual Internet Crime Report

• The FBI also released their own 2024 Internet Crime Complaint Center (IC3) report, highlighting trends in cybercrime affecting the USA. The top three reported cybercrimes by number of complaints were phishing/spoofing, extortion, and personal data breaches. Of note is the significant increase in cyber threats targeting U.S. critical infrastructure sectors. In 2024, the IC3 received over 4,800 complaints from critical infrastructure organisations, with ransomware and data breaches being the most reported incidents. FBI

ACSC Critical Advisories

Vulnerability reports

In April, the ACSC warned of active exploitation of two critical vulnerabilities:

• Fortinet SSL VPN vulnerabilities: Several known issues in sslvpnd continue to be exploited, including heap-based and out-of-bounds buffer overflows. Fortinet released a technical advisory and remediation guidance. ACSC
• Ivanti Connect Secure and related products: A critical unauthenticated buffer overflow vulnerability is actively being exploited. Affected organisations should patch immediately and review configurations. ACSC

Fortian recommends Australian organisations assess their inventory for exposure and apply updates as a priority.

Threat actors use "fast flux" to get around network security controls

The Australian ACSC, along with the US National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), Canadian Centre for Cyber Security (CCCS), and New Zealand National Cyber Security Centre (NCSC-NZ) released a joint cybersecurity advisory on the "fast flux" technique being used by threat actors to subvert defences and communicate reliably with command-and-control servers. ACSC

Fast flux is a relatively old technique wherein threat actors rapidly change IP addresses associated with a domain's DNS record. This means that a single domain can map to dozens of different IP addresses. These IP addresses are often associated with botnets controlled by the threat actor. An extension of this technique, known as double flux, adds a layer of obfuscation by also rapidly changing the DNS name server responsible for resolving the domain. This means that defenders cannot easily block the DNS server resolving these malicious domains, nor can they easily block the IPs themselves. This technique is often paired with bullet-proof hosting providers and domain generating algorithms. By using these techniques in conjunction, it provides resilient hosting infrastructure for threat actors that is more difficult to detect and block for network defenders, and takedown for law enforcement.

Australian Cyber Policy

The Australian Cyber Security Legislative Package which consisted of three cyber security focused acts and was given royal assent in November 2024, is beginning to come into effect on the 4th of April and 30 May. The package introduces some major reforms including:

• Security Standards for Smart Devices. Manufacturers of smart devices must improve their security by removing default passwords and providing transparency for consumers around vulnerability reporting and minimum support periods.
• Ransomware Reporting. Private organisations with annual turnover higher than AUD 3 million, and certain critical infrastructure-related entities will be required to report any ransomware payments within 72 hours of payment.
• Cyber Incident Review Board (CIRB). The government will establish an independent body that will review significant cyber security incidents and publish concrete recommendations that would aid in the prevention, detection, response and minimisation of cyber incidents, ensuring transparency.

Australian Cybersecurity Incidents

Superannuation companies targeted in credential stuffing attack

• Threat actors used a technique known as credential stuffing to breach accounts at major Australian superannuation companies stealing at least $500,000 of funds and customer data. According to media reports, these organisations were warned that they were "underprepared" for a cyber-attack. Credential stuffing is when threat actors try to compromise an account with credentials that have been leaked in a potential data breach, these credentials are used against other accounts. Customers of the impacted superannuation companies are advised to reset their passwords and ensure they do not use the same password across multiple accounts. CPO Magazine, CyberDaily

NSW universities suffer data breaches

Two NSW universities suffered data breaches in April.

• The Western Sydney University suffered its fourth cyber incident in two years after its single sign-on system was breached. Threat actors gained access to data of 10,000 current and former students including demographic and enrolment information and listed it on the dark web. iTnews
• Source code from the University of Sydney was listed for sale by threat actor Sythe on April 3rd. The threat actor claimed to have exfiltrated the data from the university's GitHub repo using a stolen GitHub authentication token. The University of Sydney denied they had suffered a breach instead stating it was their third-party provider Beakon who had been compromised. Beakon confirmed they had suffered a cyber-attack but that no University of Sydney data was stolen. CyberDaily

Car rental company Hertz breached

• Hertz has confirmed a data breach affecting customers, including Australians, due to a third-party compromise of file-sharing platform Cleo by the Clop ransomware group. The breach exposed personal data such as names, contact details, birth dates, driver's licence and payment card info, with a few cases involving passport data. Hertz stated that its internal systems were not impacted and has urged affected individuals to monitor for any suspicious activity, or indicators of fraud. CyberDaily

Police charge man with NSW Department of Justice website breach

• NSW Police Cybercrime Squad charged a 38-year-old man for allegedly accessing 8,769 restricted documents from the NSW Department of Community and Justice Online Registry Website between January and March 2025. The suspect was arrested during a search in Maroubra where two laptops were seized. He faces charges including unauthorised data access and online harassment. NSW Police

Patient data stolen from Adelaide Women's and Children's Hospital

• Personal details of over 2000 participants in a sleep study at the Women's and Children's Hospital in Adelaide were stolen in April. Threat actors gained access to names, addresses and clinical information of patients after compromising Compumedics, a third-software product used by the hospital. The data went back as far as seven years with SA Health advising that patients who had used the inpatient service at the hospital since 2018 were likely to have been impacted. The breach emphasises the importance of requiring third-party providers to undergo regular external security assessments when contracting for their services and uphold data retention policies which ensure stale personal data is deleted. ABC News

Key Takeaways for Australian Organisations

Australian organisations should undertake the following tactical actions:

• With the increase in infostealers being disseminated via email, Australian organisations should consider implementing email security policies that block emails with suspicious attachment types or quarantine suspicious attachments for administrator review before releasing to the end user.
• Superannuation customers should reset their passwords and enable MFA on their account if possible. In general, customers could also consider eliminating password reuse by using a password manager or other authentication methods such as single sign-on or passkeys.
• Fortian encourages organisations that use Ivanti or Fortinet products to follow the ACSC advisory and apply remediation advice urgently to affected systems.
• Familiarise themselves with the new legislative obligations that have entered into effect.