#NSBCS.103 - ASD Cyber Threat Insights: Converting Intelligence into Action

ASD Cyber Threat Insights: Converting Intelligence into Action

Almost two months have passed since the Australian Signals Directorate (ASD) published its Annual Cyber Threat Report, but how can Australian firms turn this information into proactive cyber resilience?

Below are a few summarised themes and statistics from the report, which revealed a steep increase in cybercrime reports, response efforts and cost:

• In FY2024-25, the ASD:

  • received more than 84,700 cybercrime reports (roughly one every six minutes); and

  • responded to over 1,200 cyber security incidents (an 11% increase on the previous year).

• Ransomware and data theft extortion remain the most disruptive threats, with ASD responding to 138 ransomware incidents in FY2024–25.

• Business email compromise (BEC) and fraud are now among the most commonly reported cybercrimes for businesses, accounting for a significant share of financially motivated incidents.

• The volume and velocity of malicious activity are rising, with more than 1,700 proactive notifications issued to entities about potentially malicious activity.

Taken together, the message is clear; Australian organisations are being targeted more than ever, and practical steps must be taken to build cyber resilience.

Where organisations typically fall short

ASD has been clear for years that the Essential Eight represents a practical baseline for defending against common threats. Yet many organisations still operate at low maturity levels, even as they increase cyber spend. External assessments suggest that gaps frequently appear in patching, application control, identity security and backup resilience.

Common patterns include:

• Controls designed on paper, but not consistently implemented across the environment;

• Investments in technology without equivalent focus on processes, people and culture;

• Incident response plans that exist on paper, but are rarely tested at board and executive level; and

• Supplier ecosystems treated as a contractual issue rather than a security dependency.

A practical 12-month agenda for boards and executives

To promote impactful cyber maturity within Australian firms, boards do not need to become technical experts to act on ASD’s intelligence. They do, however, need to set expectations and ask better questions.

1. Set a clear Essential Eight maturity target
Agree on a target maturity level aligned to your risk appetite, and require quarterly reporting against it. Focus on a small number of high-impact gaps rather than a long shopping list of tools.

2. Run at least one cyber exercise at board level
Use realistic scenarios drawn from ASD’s reporting – ransomware, BEC, data theft – to test decision-making, communications and escalation paths, not just the technical response.

3. Tighten supplier and third-party oversight
Identify your most critical vendors and ask how they align to ASD guidance and the Essential Eight. Build cyber clauses, assurance and incident-notification expectations into contracts.

4. Demand meaningful metrics, not noise
Move beyond raw incident counts. Ask for metrics that link to resilience: time to detect and respond; recovery time from exercises; percentage of critical systems within patching SLAs; and progress against maturity targets.

Turning free intelligence into competitive advantage

The Annual Cyber Threat Report is free, deeply informed intelligence that many organisations would otherwise pay significant sums to access. Used well, it can justify investment, shape risk decisions and provide a benchmark for your own posture.

The key is not to treat it as a one-off read, but as an annual scorecard:

• Where do our controls align with what ASD is seeing?

• Where are we in comparison with our peers?

• And, if we were on the wrong end of one of these case studies, what would our customers, regulators and shareholders discover about how seriously we took the risk?

These are the questions. The answers will determine next year’s statistics.

Reference: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

What we read this week

• Critical React Server Components Flaw Enables Remote Code Execution - Security researchers have disclosed a maximum-severity vulnerability in React Server Components (RSC), tracked as CVE-2025-55182 with a CVSS score of 10.0, that allows unauthenticated attackers to achieve remote code execution on affected servers. Dubbed React2shell, the flaw stems from improper input validation in the RSC payload processing, enabling malicious actors to inject and execute arbitrary JavaScript during server-side rendering. The issue affects Next.js applications using RSC in versions prior to 14.2.5 and React 19.0.0-rc-1234, with exploitation demonstrated via crafted HTTP requests that bypass authentication. Discovered during a routine code audit, the vulnerability has no known in-the-wild attacks but poses severe risks to web applications handling user-generated content. Developers are urged to upgrade immediately, implement strict payload sanitisation, and conduct penetration testing on RSC integrations to prevent server compromise and data exfiltration.

• Google's December Android Update Patches Two Actively Exploited Zero-Days - Google has released its December 2025 Android security bulletin, addressing 107 vulnerabilities including two high-severity zero-days, CVE-2025-48572 (privilege escalation) and CVE-2025-48633 (information disclosure) in the Android Framework. Added to CISA's Known Exploited Vulnerabilities catalog, these flaws allow attackers to elevate privileges and leak sensitive data without user interaction, potentially leading to full device takeover via malicious apps or web exploits. Exploitation has been observed in targeted attacks against high-profile users, with proof-of-concept code circulating on underground forums since early December. The update affects Android 13 through 16, with Google recommending immediate over-the-air updates and OEMs to prioritise patches. Users should enable auto-updates, avoid sideloading apps from untrusted sources, and use verified boot to mitigate risks from these persistent threats.

• Microsoft Silently Patches Long-Exploited Windows LNK Vulnerability - Microsoft has quietly addressed CVE-2025-9491, a high-severity shortcut file (LNK) flaw in Windows that has been actively exploited by state-sponsored and cybercrime groups for years, enabling zero-day malware delivery without user interaction. The vulnerability allows attackers to embed malicious payloads in seemingly benign LNK files, bypassing antivirus detection to execute code upon file opening in Explorer. Tracked since 2022 but only now fully patched in the December 2025 updates, it has been weaponised in campaigns by groups like APT28 and ransomware operators for initial access. Despite the fix, legacy systems remain vulnerable, prompting CISA to issue an advisory for immediate patching and enhanced logging. Organisations are advised to scan for anomalous LNK files, deploy endpoint detection rules, and transition to modern Windows versions to counter this enduring attack vector.

• Malicious NPM Package Evades AI Scanners with Hidden Prompts - Researchers have uncovered eslint-plugin-unicorn-ts-2, a trojanised NPM package masquerading as a TypeScript ESLint extension, which uses hidden prompts and scripts to influence AI-driven security tools and exfiltrate developer credentials. Uploaded in early December 2025, the package has amassed over 50,000 downloads before detection, employing obfuscated code to query AI scanners for evasion tactics and steal npm tokens via remote dependencies. The attack highlights the growing sophistication of supply chain threats targeting open-source ecosystems, with overlaps to the Sha1-Hulud campaign. Developers report infections leading to GitHub repo compromises and unauthorised package publications. Mitigation includes rigorous dependency auditing, enabling registry 2FA, and using tools like Socket or Snyk for behavioural analysis to safeguard against these stealthy, AI-assisted malware strains.

• India Scraps Mandatory Preloading of Cybersecurity App Amid Privacy Backlash - India's government has revoked an order requiring smartphone manufacturers to preload the state-run Sanchar Saathi app on all new devices, following widespread criticism from privacy advocates, opposition parties, and tech giants over surveillance concerns. Announced on 3 December 2025, the initial mandate aimed to combat telecom fraud by verifying user identities and blocking malicious calls, but critics argued it enabled unchecked data collection without consent. The app, developed by the Department of Telecommunications, would have accessed contacts, SMS, and location data, raising fears of mass monitoring akin to China's social credit system. Manufacturers like Apple and Samsung had voiced compliance challenges, citing conflicts with global privacy laws. The reversal underscores tensions between national security and individual rights, with experts recommending voluntary adoption paired with robust data protection regulations to balance fraud prevention and privacy.

References

• https://thehackernews.com/2025/12/critical-rsc-bugs-in-react-and-nextjs.html

• https://source.android.com/docs/security/bulletin/2025-12-01

• https://thehackernews.com/2025/12/microsoft-silently-patches-windows-lnk.html

• https://thehackernews.com/2025/12/malicious-npm-package-uses-hidden.html

• https://www.reuters.com/world/india/india-cyber-safety-app-mandate-breach-privacy-main-opposition-party-tells-2025-12-03/