#NSBCS.096 - Smarter. Together.

Source: NSB Cyber


Technically advanced. Deeply Human.

It is conference season in the world of Cyber and NSB Cyber has certainly been part of it this week. We have people all over the country, both contributing as thought leaders and soaking in the atmosphere and energy you can only get at these types of events. What a privilege to be part of such a great community!

While most of the Australian cyber world made their way down to Melbourne for AISA CyberCon (watch out for Shane’s session on how to break into the industry), I made my way to SXSW Sydney.

In a week ruled by FOMO, with so many important topics to absorb, I found myself drawn to two in particular, AI and my passion, culture as a multiplier.

My takeaway, unsurprisingly, is that the future belongs to those who learn how to combine the best of both, the power of AI and the power of connection.

I don’t propose to be an expert in AI, in fact far from it. But like many people, I’ve been curious about what it’s truly capable of. I thought I was using AI, but I was barely scratching the surface.

Hearing from some of the brightest minds gave me a much clearer picture of the true power of AI and what it is capable of, and my mind was blown. An idea that stuck with me was how we should be using it: to augment intelligence. There was theory around AI amplifying your IQ drastically, managing the data so we can lead with curiosity, empathy and better decisions. And that’s the point: we should be using it to solve real-world problems, not with a set of rules but with actual intelligence.

My new rabbit hole.

And yet here we are, using it to write our emails, LinkedIn posts or for the occasional meme.

And that’s all fine, but the question I kept coming back to is: how do we harness this power to solve our clients’ pain points? And my answer (as always) is people. But not people who are just punching a ticket; people who feel valued, who are part of something bigger, who feel like they truly belong. People who can be whoever they are without judgment, and so bring their entire self to work, and are proud of and celebrated for being different from me or someone else in the team.

All of this, while new, weirdly validated everything we’re trying to do at NSB Cyber. I’m a chartered accountant but the first to say we’re not in it for the money, that’s a by-product of creating somewhere special. We continue to work towards creating a place where people have a real sense of meaning in their work and a sense of belonging where they work. A place where curiosity around how to get the best outcomes for clients thrives. Where obsession is common and true experimentation, the kind where we don’t know whether it will work but if it does it’ll change the game, is safe, applauded and encouraged.

That’s the intersection where we can all win. In environments that are both technically advanced and deeply human, the real opportunity is bringing these closer together and I couldn’t be more excited to continue that journey with the incredible people around me every day.


What we read this week

  • Hackers Using Outdated Velociraptor Versions in Ransomware Attacks - Threat actors linked to Storm-2603 are abusing the open-source DFIR tool Velociraptor to conduct ransomware attacks deploying Warlock, LockBit, and Babuk. According to Cisco Talos and Sophos, the group exploited on-premises SharePoint vulnerabilities known as ToolShell to install an outdated Velociraptor version containing a privilege-escalation flaw (CVE-2025-6264) for remote command execution and system control. Once inside, the attackers created domain admin accounts, disabled security defences via Group Policy changes, and moved laterally before exfiltrating data and launching multiple ransomware strains. Researchers believe Storm-2603 has ties to Chinese state-aligned hackers, citing its access to zero-day exploits, professional development cycles, and infrastructure similarities across Warlock, LockBit, and Babuk.

  • Fake LastPass, Bitwarden Breach Alerts Lead to PC Hijacks - An ongoing phishing campaign is impersonating LastPass and Bitwarden, sending fake breach warnings that urge users to download a supposedly more secure desktop version. The supplied binary actually installs the Syncro MSP agent, which the attackers use to deploy the ScreenConnect remote-support tool to gain remote access. Analysis of the samples shows the Syncro agent hides its system tray icon to keep users unaware of the tool being installed, and is narrowly configured to deploy ScreenConnect while possibly disabling some security products. With ScreenConnect installed, attackers can remotely access the machine, deploy further malware, exfiltrate data, and potentially reach users’ password vaults via saved credentials.

  • The Weakest Link: Hackers Going After Hybrid Workers - The Australian Signals Directorate has warned that state-sponsored hackers, including China-linked APT40, are increasingly targeting remote and hybrid workers by exploiting vulnerabilities in home networks, routers, and cloud collaboration tools. Its latest Annual Cyber Threat Report highlights that many small and medium businesses still lack strong protections for remote setups, making them attractive targets. Experts say attackers are compromising home routers to disguise their activity as originating from within Australia, bypassing geo-blocking and detection systems. Employers are urged to strengthen authentication, enforce security policies for remote work and provide regular cyber awareness training.

  • Harvard University Breached in Oracle Zero-Day Attack - Harvard University has confirmed it was affected by a cyberattack exploiting a zero-day flaw in Oracle’s E-Business Suite (EBS), tracked as CVE-2025-61882, which allows unauthenticated remote access. The Clop ransomware group reportedly used the vulnerability to breach multiple Oracle customers, including Harvard, and later listed the university’s data on its leak site. Harvard stated that the impact appears limited to a small administrative unit and that it patched the system once Oracle released the fix. The Federal Bureau of Investigation (FBI) and United Kingdom authorities have warned organisations to patch immediately, calling the flaw critically severe.

  • Malicious Domains Emerge as Hackers Exploit Cloudflare in ClickFix Campaign - Researchers have uncovered the vast scale of the ClickFix phishing and malware campaign, identifying more than 13,000 unique domains used to trick users into running malicious scripts disguised as CAPTCHA checks. The campaign abuses browsers’ clipboard functions to execute PowerShell commands that download and run Visual Basic scripts, leading to infection or further compromise. Analysis showed Cloudflare hosted nearly a quarter of the malicious domains, with hundreds of smaller hosting providers, especially in the United States, Germany, Australia and Indonesia, also supporting the activity. Over 76% of ClickFix infrastructure overlapped with known Adversary-in-the-Middle (AiTM) operations, indicating significant re-use of compromised or shared infrastructure, including academic and government domains. The findings highlight the need for continuous monitoring, stronger hosting provider controls, and multi-source validation before integrating domains into defensive blocklists.
