TL;DR
This week's cybersecurity landscape packs a punch for Australian SMBs: Microsoft's latest Patch Tuesday closes 137 vulnerabilities including an actively-exploited SQL Server zero-day, Fortinet firewalls have a privilege escalation flaw, a major IT distributor got hit by ransomware disrupting supply chains, APT28 is hijacking DNS via SOHO routers, and malicious Chrome extensions are stealing credentials at scale. Patch now, check your Fortinet firmware, and brief your team on browser-based phishing.
Microsoft Patch Tuesday: 137 Flaws and a SQL Server Zero-Day
Microsoft's April 2026 Patch Tuesday addresses 137 vulnerabilities, including 14 rated critical and one SQL Server zero-day under active exploitation. The zero-day enables remote code execution against database servers — the kind of infrastructure Australian SMBs commonly expose for web applications and internal tools.
What this means for SMBs: If you run SQL Server (and most on-premises SMBs do), this is not a "patch next month" situation. Attackers are already using it. Pair this with the 14 critical Remote Code Execution fixes across Windows and Office, and your Monday morning priority is clear: push these updates via WSUS or auto-deploy. If you're running W
FortiOS Buffer Overflow: Your Firewall Might Have a Gap
Fortinet disclosed CVE-2025-24477, a heap-based buffer overflow in FortiOS's cw_stad daemon. A CVSS score of 4.0 sounds medium, but authenticated attackers can exploit it for arbitrary code execution and privilege escalation. Fortinet firewalls are the backbone of Australian SMB perimeter defences — if yours is running unpatched firmware, your front door has a weaker lock than you think.
What this means for SMBs: Log into your FortiGate dashboard and check firmware versions. If you're on a version prior to the patched release, schedule the update outside business hours tonight. This requires authenticated access, which limits the blast radius — but if an attacker already has a foothold via phishing (see below), they've got the credentials they need. Layer your defences: patch the firewall and enforce MFA on admin accounts.
Ingram Micro Ransomware: Supply Chain Disruption Hits Home
Global IT distributor Ingram Micro was hit by the SafePay ransomware group over a holiday weekend, disrupting ordering systems and the MS Xvantage platform across multiple regions. Operations are mostly restored, but the incident exposed how a single supplier compromise cascades through the channel. Australian resellers and their SMB customers felt delays in hardware procurement and licence provisioning.
What this means for SMBs: If your business depends on a single IT distributor or supplier for hardware, software, or cloud licences, you need a Plan B. Identify alternate suppliers now, before an incident. More broadly: map your critical vendor dependencies and ask them about their incident response timelines. If they can't answer, assume they'll be down for at least a week during a crisis. Also verify your own backups aren't sitting on the same supply chain — offline, immutable copies are non-negotiable.
APT28 DNS Hijacking: SOHO Routers in the Crosshairs
Russia-linked APT28 is exploiting vulnerable SOHO routers to carry out DNS hijacking and adversary-in-the-middle attacks, primarily targeting Microsoft Outlook credentials. They redirect DNS queries, intercept login traffic, and harvest credentials — all without touching your endpoints. Australian NBN-connected businesses with default or unpatched router firmware are prime targets.
What this means for SMBs: Change your router admin password from default immediately. Check firmware updates for your ISP-supplied or office router — Telstra, Optus, and Vocus gateways have had known issues. Enable DNS-over-HTTPS where possible. If your router hasn't had a firmware update in over a year, replace it. The ACSC's Essential Eight Maturity Model explicitly calls for hardening network devices — this is why. Consider routing DNS through a filtered resolver like Cloudflare (1.1.1.2) or Quad9 to block known-malicious domains at the network edge.
Malicious Chrome Extensions: The Phishing Threat Hiding in Plain Sight
A weaponised Chrome extension is delivering LummaC2 stealer, which harvests browser profiles, cryptocurrency wallets, saved passwords, session cookies, and screenshots — then exfiltrates everything to a command-and-control server. Distributed via malicious HTA scripts and RAR archives (NordDragonScan variant), these campaigns explicitly target Windows users in business environments. AI-powered phishing is making the lure emails nearly indistinguishable from legitimate correspondence.
What this means for SMBs: CrowdStrike's 2025 SMB Cybersecurity Report found high awareness but lagging protection among small businesses — and browser-based attacks exploit exactly that gap. Audit your team's Chrome extensions using chrome://extensions — remove anything not business-essential. Deploy a browser extension allowlist via Group Policy or your MDM. Train staff that no browser extension request is urgent, and never install from unverified sources. This is also a timely reminder: the Australian Privacy Act amendments now carry heavier penalties for data breaches involving credentials. An extension harvesting your customers' data is now your regulatory headache.
FAQ
Q: How quickly should SMBs apply Patch Tuesday updates?
A: Critical and actively-exploited flaws within 48 hours. The ACSC recommends patching within 48 hours for exploited vulnerabilities and two weeks for the rest. If you lack in-house IT, your MSP should have a Service Level Agreement covering this.
Q: Is my Australian business really a target for APT28?
A: APT28 casts a wide net via compromised infrastructure. You don't need to be the target — your router can become the stepping stone. Australian businesses are frequently used as relay nodes due to our relatively high bandwidth and lower security investment compared to enterprises.
Q: What's the Essential Eight and does it apply to my SMB?
A: The Essential Eight is the ACSC's baseline cybersecurity framework — eight mitigation strategies from application control to patching. It now applies to any organisation handling government data, and the Privacy Act amendments are pushing it toward broader relevance. Start with Maturity Level One: it's achievable for any SMB.
Q: How do I check if a Chrome extension is malicious?
A: Check chrome://extensions, remove anything you don't recognise, and verify publishers. Extensions requesting broad permissions (clipboard, all URLs, file access) are highest risk. Use Group Policy to enforce an allowlist.
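The extension audit described in the Chrome extensions section and in this FAQ answer can be scripted rather than done by eye. The following is an added example written for this post, not code from the original article or from lilMONSTER: it walks a Chrome profile's Extensions folder (the standard Windows location, %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions, is assumed as the default), parses each manifest.json, and scores the requested permissions against a small risk table. The weights in RISKY_PERMISSIONS are this example's own judgement, and the three sample manifests and their extension IDs are constructed so the script can be tried offline with --demo.

```python
from __future__ import annotations

import json
import os
import sys
import tempfile
from pathlib import Path

# Permissions and host patterns that give an extension broad reach over browsing
# data (cookies, clipboard, every site). The weights are this example's own
# judgement, not a Chrome or vendor rating; tune them for your environment.
RISKY_PERMISSIONS = {
    "<all_urls>": 3, "*://*/*": 3, "http://*/*": 2, "https://*/*": 2,
    "cookies": 3, "nativeMessaging": 3, "debugger": 3, "proxy": 3,
    "webRequest": 2, "webRequestBlocking": 2, "clipboardRead": 2,
    "history": 2, "scripting": 2, "management": 2,
    "tabs": 1, "downloads": 1, "clipboardWrite": 1, "webNavigation": 1,
}

def score_manifest(manifest: dict) -> tuple[int, list[str]]:
    """Return (risk score, matched permissions) for one parsed manifest.json."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))   # Manifest V3 host access
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))          # sites the extension injects into
    matched = sorted(p for p in requested if p in RISKY_PERMISSIONS)
    return sum(RISKY_PERMISSIONS[p] for p in matched), matched

def audit(extensions_dir: Path) -> list[dict]:
    """Scan <extensions_dir>/<id>/<version>/manifest.json and return findings, riskiest first."""
    findings = []
    for manifest_path in Path(extensions_dir).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest: skip it rather than abort the audit
        score, matched = score_manifest(manifest)
        findings.append({
            "id": manifest_path.parent.parent.name,   # the 32-character extension id
            "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"),
            "score": score,
            "permissions": matched,
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)

def default_extensions_dir() -> Path:
    """Chrome's default profile on Windows; other profiles sit beside 'Default'."""
    return Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"

# Constructed sample manifests (not real extensions) so the audit runs offline.
SAMPLE_MANIFESTS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0.0": {
        "name": "Invoice Helper Pro", "version": "1.0.0", "manifest_version": 3,
        "permissions": ["cookies", "clipboardRead", "webRequest", "tabs", "nativeMessaging"],
        "host_permissions": ["<all_urls>"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/2.3.1": {
        "name": "Tab Counter", "version": "2.3.1", "manifest_version": 3,
        "permissions": ["storage"],
    },
    "cccccccccccccccccccccccccccccccc/0.9.0": {
        "name": "Site Notes", "version": "0.9.0", "manifest_version": 3,
        "permissions": ["storage", "activeTab"],
        "content_scripts": [{"matches": ["https://*.example.com/*"], "js": ["notes.js"]}],
    },
}

def demo_audit() -> list[dict]:
    """Write the constructed manifests into a temporary profile layout and audit it."""
    root = Path(tempfile.mkdtemp(prefix="ext-audit-"))
    for rel, manifest in SAMPLE_MANIFESTS.items():
        target = root / rel / "manifest.json"
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps(manifest), encoding="utf-8")
    return audit(root)

def print_report(findings: list[dict]) -> None:
    for f in findings:
        flag = "REVIEW" if f["score"] >= 5 else "ok"
        print(f"{flag:6} {f['score']:3}  {f['id']}  {f['name']} {f['version']}  {', '.join(f['permissions'])}")

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        print_report(demo_audit())
    else:
        target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
        print_report(audit(target))
```

Anything flagged REVIEW is a candidate for removal or for a conversation with the vendor; the IDs of the extensions you do keep are exactly what goes into the ExtensionInstallAllowlist policy when you move to an allowlist via Group Policy or MDM.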
Conclusion
This week's threat landscape reinforces what Australian SMBs keep hearing but too rarely act on: patching, hardening, and layered defences aren't optional extras — they're the baseline. The SQL zero-day is being exploited right now. Your Fortinet firewall has a known gap. A major distributor's ransomware incident rippled through the channel. A nation-state group is hijacking the routers you probably haven't updated since installation. And browser-based credential theft is getting better at fooling your team every week.
Start here: Patch SQL Server and Windows today. Update your Fortinet firmware tonight. Audit your router passwords and DNS settings. Review your Chrome extensions. And if you want a professional assessment of where your SMB actually sits against the Essential Eight — visit consult.lil.business for a free cybersecurity assessment.
Why the Person Who Fixes Your Printer Can't Always Protect You From Hackers
ELI10 version — the IT vs cybersecurity difference, no jargon.
TL;DR
- IT admin: keeps the building running — lights, plumbing, printers
- Security specialist: protects the building from burglars — completely different job
- Both are essential, but they are NOT the same person
- Bring in a security specialist proactively — before something goes wrong, not after
Imagine your business is an office building.
Your IT admin is the building manager. They keep the lights on, fix the heating, make sure the internet works, set up new desks when you hire someone. They know the building inside-out. Brilliant at their job.
Now imagine you want to make the building secure against burglars.
The building manager might know a few things about security. They might have put a lock on the server room door. But they're not a security specialist. They haven't been trained to think like a burglar, spot hidden entry points, or design a system that contains damage after someone gets through the front door.
That's a security specialist. Different training. Different mindset. Different job.
Why That Difference Matters When You Get Hacked
When a security incident happens, the most important thing is NOT to fix things quickly.
The most important thing is to preserve evidence before anything is touched. NIST's federal incident handling standard (SP 800-61r2) defines this as the critical first step — isolation without destruction — because forensic evidence determines whether you can claim insurance, meet regulatory obligations, and understand how the attacker got in [1].
An IT admin's instinct is to restore normal operations as fast as possible. A security specialist's instinct is to freeze everything and document carefully before any recovery happens. These instincts are directly opposed during a breach.
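What "freeze everything and document carefully" looks like in practice is a hash manifest taken over the collected artefacts before anyone cleans up. The script below is an added example written for this post, not code from the original article, from lilMONSTER or from NIST SP 800-61r2: it records the path, size, modification time and SHA-256 of every file under an evidence folder, writes that manifest out, and can later report anything that went missing or changed. The two files in demo() are constructed content, not real logs, and the collector name is a placeholder.

```python
from __future__ import annotations

import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large logs or disk images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, collector: str, note: str = "") -> dict:
    """Record every file under root: path, size, mtime and SHA-256, in a stable order."""
    files = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            files.append({
                "path": p.relative_to(root).as_posix(),
                "size": st.st_size,
                "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                "sha256": sha256_file(p),
            })
    return {
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
        "files": files,
    }

def verify_manifest(root: Path, manifest: dict) -> list[str]:
    """Return the files whose contents changed or that disappeared since the manifest was taken."""
    problems = []
    for entry in manifest["files"]:
        p = root / entry["path"]
        if not p.is_file():
            problems.append(f"missing: {entry['path']}")
        elif sha256_file(p) != entry["sha256"]:
            problems.append(f"modified: {entry['path']}")
    return problems

def demo() -> tuple[dict, list[str], list[str]]:
    """Constructed walk-through: collect, verify, then show what a 'helpful' cleanup does."""
    root = Path(tempfile.mkdtemp(prefix="evidence-"))
    (root / "logs").mkdir()
    (root / "temp").mkdir()
    (root / "logs" / "auth.log").write_bytes(b"hello")          # constructed, not a real log
    (root / "temp" / "unknown.bin").write_bytes(b"constructed")  # constructed dropped file
    manifest = build_manifest(root, collector="example-analyst", note="constructed demo")
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2))  # keep a copy off-box too
    clean = verify_manifest(root, manifest)                       # nothing touched yet: []
    # The IT-admin instinct: delete the odd file and rotate the log. Evidence is now gone.
    (root / "temp" / "unknown.bin").unlink()
    (root / "logs" / "auth.log").write_bytes(b"hello world")
    return manifest, clean, verify_manifest(root, manifest)

if __name__ == "__main__":
    manifest, before, after = demo()
    print("files recorded:", [f["path"] for f in manifest["files"]])
    print("before cleanup:", before or "all files intact")
    print("after cleanup: ", after)
```

The manifest itself is only as trustworthy as where you keep it: store the JSON (and ideally a signed copy) on a system the attacker never had access to, so that insurers, regulators or an external investigator can check the hashes independently.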
The Things Security Specialists Do That IT Doesn't
Thinking like the bad guys. The MITRE ATT&CK framework — a knowledge base of real-world adversary techniques maintained by MITRE Corporation — is the toolkit security specialists use to map how attackers operate [2]. IT admins don't typically use this framework because it's not relevant to keeping systems running.
Finding holes before attackers do. Penetration testing requires offensive security certifications (OSCP, GPEN) and skills that are fundamentally different from IT administration. OWASP's research shows that some of the most critical vulnerability classes are only found through manual offensive testing, not automated scanners [3].
Compliance. Healthcare, finance, legal — these industries have strict data security rules. Meeting frameworks like the ACSC Essential Eight [4] or ISO 27001 [5] requires specialised governance expertise that goes beyond infrastructure management.
"But Nothing Has Gone Wrong Yet…"
According to IBM's 2024 Cost of a Data Breach Report, the average breach goes undetected for 194 days [6]. Six months of attackers quietly inside your systems before anyone notices.
"Nothing has gone wrong" often means "we haven't caught anything yet." Security specialists set up the monitoring that lets you actually know whether something is happening. Without that visibility, you're flying blind and calling it clear skies.
When Should You Bring in a Security Specialist?
Right now, if:
- You store customer data of any kind
- You're in healthcare, finance, or legal
- You haven't had a security check in the past year
- You're growing your team or moving more business online
Definitely before:
- A cyberattack — because responding after the fact costs 5–20× more [6]
- A compliance audit — scrambling at audit time is expensive and stressful
- A contract with a larger company that asks about your security posture
Your Action Items
- Be honest: is your IT person also trained in security? Most aren't
- Think about what data you hold and whether it's adequately protected
- Book a free conversation with lilMONSTER — we assess your current security posture with no sales pressure
- Ask your IT admin what happens if you get ransomware tomorrow — their answer will tell you a lot
FAQ
Can't my IT admin handle cybersecurity too? Some IT admins have security knowledge, and they're a valuable part of security posture. But dedicated cybersecurity requires skills most IT admins aren't trained in: forensic investigation, threat modelling using frameworks like MITRE ATT&CK [2], penetration testing, compliance frameworks, and adversarial thinking. For businesses handling sensitive data, relying entirely on IT administration for security leaves significant gaps [1].
How much does a cybersecurity consultant cost for a small business? A baseline security assessment typically costs $2,000–$8,000 depending on size and complexity. Weigh that against the average cost of a data breach for businesses under 500 employees: USD $3.31 million, according to IBM's 2024 Cost of a Data Breach Report [6].
What's the first thing a cybersecurity specialist will check? Typically: who has access to what (access control audit), what systems are exposed to the internet (external attack surface), whether logging and monitoring is in place per ACSC Essential Eight guidance [4], and whether critical controls like MFA and patching are current.
References
[1] P. Cichonski, T. Millar, T. Grance, and K. Scarfone, "Computer Security Incident Handling Guide," NIST Special Publication 800-61 Revision 2, National Institute of Standards and Technology, Aug. 2012. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
[2] MITRE Corporation, "MITRE ATT&CK Framework — Enterprise Matrix," MITRE ATT&CK, 2024. [Online]. Available: https://attack.mitre.org/
[3] OWASP Foundation, "OWASP Top 10 Web Application Security Risks 2021," OWASP, 2021. [Online]. Available: https://owasp.org/www-project-top-ten/
[4] Australian Signals Directorate, "Essential Eight Maturity Model," Australian Cyber Security Centre, Nov. 2024. [Online]. Available: https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model
[5] International Organization for Standardization, "ISO/IEC 27001:2022 — Information Security, Cybersecurity and Privacy Protection," ISO, Oct. 2022. [Online]. Available: https://www.iso.org/standard/27001
[6] IBM Security, "Cost of a Data Breach Report 2024," IBM Research, 2024. [Online]. Available: https://www.ibm.com/reports/data-breach
Your IT admin is doing their job — make sure someone is also doing the security job. Book a free consultation with lilMONSTER and find out where your real exposure is. No obligation, no sales pitch — just an honest assessment.