CCTR.37.SEP.25

Monday morning cyber coffee read CCTR.37.SEP.25. Cyber is personal. It’s not someone else’s problem anymore.
Qantas Bonuses Slashed After Cyber Breach
Qantas confirmed that a July 2025 cyber attack led to direct financial accountability for its executive team. The breach impacted Qantas customers, prompting executive bonus cuts. CEO Vanessa Hudson’s short-term bonus was reduced by $250,000 (a 15 percentage point cut across executives).
Qantas chair John Mullen stated the cuts reflect the seriousness of the incident and are intended to reinforce a culture of accountability and ownership.
This is an interesting development and likely the first time (as far as I’m aware) in corporate Australia that management has been personally penalised for failing to prevent a cyber attack.
https://www.cyberdaily.au/security/12600-qantas-execs-take-a-hit-to-bonuses-after-july-cyber-attack
Google’s Security Team Personally Targeted in Hacker Ultimatum
A threat actor coalition calling itself “Scattered Lapsus$ Hunters” has threatened Google, demanding that two named security experts be fired. If Google refuses, they claim they will leak internal Google data. The demands also include dropping ongoing investigations into certain threat clusters.
It is believed this is primarily an intimidation campaign aimed at disrupting investigations and undermining key defenders.

This marks an interesting development, with threat actors forming coalitions against a common enemy and shifting tactics to personally target defenders, naming specific employees to weaken cyber capabilities, rather than pursuing traditional financial extortion.
https://hackread.com/scattered-lapsus-hunters-google-fire-experts-data-leak/
Single Compromised Key Turns AWS SES into Phishing Engine
Wiz Research uncovered a phishing campaign abusing Amazon Simple Email Service (SES). Attackers compromised an AWS access key, bypassed SES restrictions, verified new sender identities and systematically launched phishing at scale. Such activity enables credential theft, business email compromise and other fraud schemes.

While SES abuse may appear low-cost, the real risk is significant: attackers can send phishing emails from verified domains, damage brand reputation and escalate their access beyond email abuse. Abuse complaints can also trigger AWS enforcement actions against the victim’s account. Importantly, SES abuse is a clear signal of deeper compromise, since adversaries already hold valid AWS credentials.
Regularly rotate IAM keys and investigate dormant keys that suddenly reactivate.
https://www.wiz.io/blog/wiz-discovers-cloud-email-abuse-campaign
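One way to act on the "dormant keys that suddenly reactivate" advice, as an added example that is not from Wiz or the original newsletter: a Python check over CloudTrail-shaped records that flags access keys returning after a long silence and lists any SES identity or account setup calls they then make. The 30-day threshold, the selection of SES API names and the sample events are assumptions of this example.

```python
from datetime import datetime, timedelta

# Assumptions of this example (not from the article): the 30-day threshold and
# this choice of SES calls as "new sender identity / lift restrictions" signals.
DORMANT_AFTER = timedelta(days=30)
SES_SETUP_CALLS = {"VerifyEmailIdentity", "VerifyDomainIdentity",
                   "CreateEmailIdentity", "PutAccountDetails"}

def ev(time, key, source, name):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"accessKeyId": key}}

# Constructed events; key IDs are placeholders, not real credentials.
SAMPLE_EVENTS = [
    ev("2025-05-02T09:14:00Z", "AKIAEXAMPLEDORMANT01", "s3.amazonaws.com", "ListBuckets"),
    ev("2025-08-20T03:01:00Z", "AKIAEXAMPLEDORMANT01", "sts.amazonaws.com", "GetCallerIdentity"),
    ev("2025-08-20T03:02:10Z", "AKIAEXAMPLEDORMANT01", "ses.amazonaws.com", "GetSendQuota"),
    ev("2025-08-20T03:05:30Z", "AKIAEXAMPLEDORMANT01", "ses.amazonaws.com", "CreateEmailIdentity"),
    ev("2025-08-19T10:00:00Z", "AKIAEXAMPLEACTIVE002", "ses.amazonaws.com", "SendEmail"),
    ev("2025-08-20T10:00:00Z", "AKIAEXAMPLEACTIVE002", "ses.amazonaws.com", "SendEmail"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def find_reactivated_keys(events, dormant_after=DORMANT_AFTER):
    """Map each key that reappears after a gap longer than dormant_after to the
    gap length and any SES setup calls it made after reactivating."""
    findings, last_seen = {}, {}
    for e in sorted(events, key=lambda e: parse(e["eventTime"])):
        key = e.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # e.g. service-initiated events without an access key
        now, prev = parse(e["eventTime"]), last_seen.get(key)
        if prev is not None and now - prev > dormant_after:
            findings[key] = {"gap_days": (now - prev).days, "ses_setup_calls": []}
        last_seen[key] = now
        if (key in findings and e["eventSource"] == "ses.amazonaws.com"
                and e["eventName"] in SES_SETUP_CALLS):
            findings[key]["ses_setup_calls"].append(e["eventName"])
    return findings

if __name__ == "__main__":
    for key, f in find_reactivated_keys(SAMPLE_EVENTS).items():
        print(key, f)
```

A key whose first appearance falls inside the log window has no baseline here, so pair this with the last-used data IAM keeps for each access key.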