CCTR.8.FEB.26

Monday morning cyber coffee read CCTR.8.FEB.26.

The FBI has shared Indicators of Compromise linked to ATM jackpotting attacks that are increasingly occurring across the United States. Threat actors are compromising ATMs directly, bypassing bank authorisation to force machines to dispense cash on demand, with a disproportionate spike observed in 2025.

This may not necessarily apply to Australia at this stage, but I find ATM jackpotting a fascinating example of a cyber-physical attack that completely bypasses traditional fraud controls.

https://www.ic3.gov/CSA/2026/260219.pdf

Ok, and here’s something Aussie made.

Australian fintech platform youX has confirmed a data breach following unauthorised access to its systems, after a threat actor published a preview of a large dataset online.

The threat actor claims to have exfiltrated 141GB of data from a MongoDB Atlas cluster. The breach potentially impacts more than 600,000 loan applications across nearly 100 lenders.

The situation is even more concerning given that youX was previously reported to have an exposed database containing 27,000 records in March 2025. That exposure involved a publicly accessible Amazon S3 bucket without password protection or encryption.

Finance facilitation technology platforms like these aggregate identity documents, contact details and financial context in a single environment. This makes a single compromise highly valuable and immediately usable for fraud, phishing and potential downstream account takeovers.

At this point, it is reasonable to ask whether parts of the fintech sector have learned anything since the Medibank cybersecurity incident in 2022. Australian consumers deserve significantly better stewardship of their personal and financial data.

May 2025 incident https://www.securitymagazine.com/articles/101503-27-000-records-in-australian-fintech-database-were-exposed

Feb 2026 incident https://www.cyberdaily.au/security/13235-exclusive-youx-breach-could-lead-to-further-impacts-says-rapid7

Mandiant has identified active zero-day exploitation of the critical vulnerability CVE-2026-22769 (CVSS 10.0) in Dell RecoverPoint for Virtual Machines.

The flaw is a hardcoded credential vulnerability that enables unauthenticated attackers to gain OS-level access and establish root persistence. Exploitation has been observed since at least mid-2024.

The activity is attributed to a Chinese APT, UNC6201, which used the flaw for lateral movement, persistence and malware deployment. This group is known to target edge appliances such as VPN concentrators to gain initial access into its victims.

  • Patch RecoverPoint for Virtual Machines immediately

  • Assume compromise if the product was internet-reachable or edge-adjacent

  • Review VPN and edge appliance exposure and hunt for root persistence and lateral movement

https://cloud.google.com/blog/topics/threat-intelligence/unc6201-exploiting-dell-recoverpoint-zero-day