ctipilot.ch

CTI Daily Brief — 2026-06-11

Type: daily
Date: 2026-06-11
Generator: Anthropic Claude (specific model not determined)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 7
CVEs: 7

0. TL;DR

  • ServiceNow shipped a Scripted REST endpoint (/api/now/related_list_edit/create) with requires_authentication=false, and attackers queried customer instance tables unauthenticated between 2–4 June before a silent server-side patch on 5 June (BleepingComputer, 2026-06-09). NCSC-CH GovCERT flags it "Actively Exploited"; ServiceNow's own read is that the activity was "likely tied to security researchers" — either way, instance tables holding tickets, tokens and PII were reachable without credentials. No CVE.
  • ShinyHunters claims Oracle PeopleSoft data theft at 100+ organisations across ~300 instances, mostly in higher education; the University of Nottingham confirmed student and alumni data was accessed (BleepingComputer, 2026-06-10). Post-access lateral movement abuses default PeopleSoft/Oracle SSH service accounts — see the deep dive.
  • Windows Netlogon RCE CVE-2026-41089 (CVSS 9.8, pre-auth SYSTEM on any unpatched DC) is now confirmed exploited in the wild in the EU by Belgium's CCB; CERT-EU issued advisory 2026-007 (CERT-EU, 2026-06-10). The fix shipped in May 2026 Patch Tuesday — unpatched domain controllers are a forest-compromise path.
  • Langflow CVE-2026-5027 (CVSS 8.8 path traversal → arbitrary file write) is being exploited in the wild, made effectively pre-auth by Langflow's default auto-login; ~7,000 instances are internet-exposed and a patch is now available (BleepingComputer, 2026-06-10).
  • A new Microsoft Defender SYSTEM-LPE zero-day, "RoguePlanet," dropped as a public PoC hours after June Patch Tuesday — a TOCTOU race in the Defender scan engine, no CVE and no patch (BleepingComputer, 2026-06-09). No in-the-wild use reported yet; monitoring is the only mitigation.

3. Research & Investigative Reporting

Black Lotus Labs: the Volt Typhoon-linked JDY botnet doubles to 1,500+ devices and weaponises CVE disclosures within hours

Lumen's Black Lotus Labs reports that the JDY botnet — the reconnaissance cluster that survived the 2024 KV-botnet takedown and is assessed with high confidence to support multiple China-nexus actors including Volt Typhoon — has more than doubled from roughly 650 bots in January 2024 to over 1,500 compromised SOHO and IoT devices (Lumen Black Lotus Labs, 2026-06-10). The botnet now spans Cisco, Araknis, Mimosa Networks, Ubiquiti, Draytek, Hikvision and Linksys devices, performs multiprotocol service fingerprinting, banner-grabbing and TLS-certificate collection at scale, and routes C2 through hidden Tor services while managing victims with the open-source Platypus reverse-shell server. The operationally significant finding: scanning of Fortinet devices spiked within hours of the public disclosure of CVE-2026-35616, demonstrating sub-24-hour integration of new vulnerability intelligence into the recon-to-exploitation pipeline (The Hacker News, 2026-06-10). Targeting centres on US military and associated entities, with distributed European nodes. Technique mapping: T1595.002 Active Scanning: Vulnerability Scanning, T1590 Gather Victim Network Information, T1584.005 Compromise Infrastructure: Botnet.

Why it matters to us: JDY scanning should be treated as a precursor to targeted exploitation, not background noise — the sub-24-hour weaponisation window means CH/EU public-sector and critical-infrastructure operators must compress patch cycles for internet-facing edge appliances to hours, not weeks, after a disclosure. Hunt for outbound connections from edge/SOHO devices to the Platypus default service, unusual high-rate outbound SYN scanning, and unexpected TLS-certificate harvesting.

Changes since first coverage (1 prior appearance)
  1. 2026-05-29: First coverage. ITW exploitation via X-SSL-CLIENT-VERIFY header spoof to push EKZ via trusted EMS update channel signed under fortitray.exe. CISA KEV since 2026-04-06. Deep dive § 5.

ANNUAL REPORT [SINGLE-SOURCE] — CrowdStrike 2026 Technology Threat Landscape Report: technology is now the most-targeted sector

CrowdStrike published its 2026 Technology Threat Landscape Report on 9 June 2026 (CrowdStrike, 2026-06-09). The findings most relevant to a Swiss/EU public-sector SOC running AI and cloud DevOps infrastructure: China-nexus adversaries (named clusters include MURKY PANDA, MUSTANG PANDA and WARP PANDA) drove more than 58% of state-sponsored intrusions against the technology sector, focused on AI capabilities, training data, ML infrastructure and semiconductor IP; and DPRK-nexus FAMOUS CHOLLIMA accounted for 47% of state-sponsored hands-on-keyboard activity through IT-worker infiltration using AI-enhanced personas and front companies across North America, Europe and Asia. The report frames AI/ML development pipelines and model weights as espionage targets warranting the same protection as source code and credentials. CrowdStrike also names a compromise of the axios npm package as part of a DPRK-linked supply-chain operation — a notable claim, but in this run only CrowdStrike asserts it, so treat the axios element as single-source pending independent corroboration.

4. Updates to Prior Coverage

UPDATE: Windows Netlogon RCE CVE-2026-41089 now confirmed exploited in the wild in the EU; CERT-EU issues advisory 2026-007

UPDATE (originally covered 2026-W23 weekly): CERT-EU published advisory 2026-007 on 10 June 2026 confirming that CVE-2026-41089, a CVSS 9.8 stack-based buffer overflow (CWE-121) in the Windows Netlogon service, is being actively exploited in the wild, citing Belgium's Centre for Cybersecurity (CCB) (CERT-EU, 2026-06-10). The material delta since the weekly is the advisory itself: CCB first reported in-the-wild exploitation on 1 June, about three weeks after the 13 May Patch Tuesday fix, and an EU-level authority has now formalised that finding with a dedicated advisory and a per-version patched-build table.

An unauthenticated remote attacker sends a crafted Netlogon RPC packet to obtain SYSTEM-level code execution on an unpatched domain controller, which is functionally a full Active Directory forest compromise (BleepingComputer, 2026-06-01). It sits on the same Netlogon RPC attack surface that ZeroLogon (CVE-2020-1472) hit in 2020, although that flaw was a cryptographic weakness in the secure channel rather than a memory-corruption bug. CERT-EU's advisory carries the per-version patched-build table: Server 2016 before 10.0.14393.9140, Server 2019 before 10.0.17763.8755, Server 2022 before 10.0.20348.5074, Server 2022 23H2 before 10.0.25398.2330, and Server 2025 before 10.0.26100.32772, with Server 2012/2012 R2 also affected.
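The patched-build table above is only useful if it is actually compared against every DC's reported build, and string comparison of version numbers gets this wrong (10.0.17763.10000 sorts before 10.0.17763.8755 as text). The following is an added example, not code from the brief or from CERT-EU: it loads the table as quoted above, compares builds numerically, and flags the cases the table cannot settle (Server 2012/2012 R2, an OS label whose build belongs to a different servicing branch). The DC inventory is constructed; in practice it would come from Get-ADDomainController and each host's CurrentBuildNumber and UBR registry values.

```python
"""Check domain-controller build numbers against the CERT-EU 2026-007 patched-build table.

Added example, not part of the brief or of CERT-EU's advisory. The build table is the one
quoted in the brief; the DC inventory below is constructed. In practice the inventory would
come from Get-ADDomainController plus each DC's registry values under
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion (CurrentBuildNumber, UBR).
"""
from __future__ import annotations

# Minimum build that carries the CVE-2026-41089 fix, per the CERT-EU table in the brief.
PATCHED_BUILDS: dict[str, str] = {
    "Windows Server 2016": "10.0.14393.9140",
    "Windows Server 2019": "10.0.17763.8755",
    "Windows Server 2022": "10.0.20348.5074",
    "Windows Server 2022 23H2": "10.0.25398.2330",
    "Windows Server 2025": "10.0.26100.32772",
}
# Listed as affected but with no patched build in the table: flag for isolation or upgrade.
LEGACY_AFFECTED = {"Windows Server 2012", "Windows Server 2012 R2"}


def parse_build(build: str) -> tuple[int, ...]:
    """'10.0.20348.5074' -> (10, 0, 20348, 5074); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in build.split("."))


def assess_dc(name: str, os_name: str, build: str) -> tuple[str, str, str]:
    """Return (dc_name, verdict, detail) for one domain controller."""
    if os_name in LEGACY_AFFECTED:
        return (name, "LEGACY_AFFECTED", "no fixed build listed; isolate or upgrade")
    if os_name not in PATCHED_BUILDS:
        return (name, "UNKNOWN_VERSION", f"{os_name!r} not in advisory table; check manually")
    required = parse_build(PATCHED_BUILDS[os_name])
    actual = parse_build(build)
    # Major.minor.build identify the servicing branch. If the reported build is not on the
    # branch the OS label implies, the inventory is inconsistent and neither verdict is safe.
    if actual[:3] != required[:3]:
        return (name, "BRANCH_MISMATCH", f"build {build} is not a {os_name} build")
    if actual >= required:
        return (name, "PATCHED", f"{build} >= {PATCHED_BUILDS[os_name]}")
    return (name, "UNPATCHED", f"{build} < {PATCHED_BUILDS[os_name]}; apply May 2026 Patch Tuesday")


def needs_action(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Every DC whose verdict is anything other than PATCHED, in inventory order."""
    return [r for r in (assess_dc(*dc) for dc in inventory) if r[1] != "PATCHED"]


# Constructed inventory: (dc_name, OS name, build reported by the host).
SAMPLE_INVENTORY = [
    ("DC01", "Windows Server 2022", "10.0.20348.5074"),   # exactly the fixed build
    ("DC02", "Windows Server 2019", "10.0.17763.8500"),   # older than the fixed build
    ("DC03", "Windows Server 2025", "10.0.26100.32772"),
    ("DC04", "Windows Server 2012 R2", "6.3.9600.22000"),
    ("DC05", "Windows Server 2022", "10.0.25398.2330"),   # a 23H2 build under a non-23H2 label
]

if __name__ == "__main__":
    for dc_name, verdict, detail in needs_action(SAMPLE_INVENTORY):
        print(f"{dc_name}: {verdict} ({detail})")
```

The BRANCH_MISMATCH verdict is deliberate: an inventory that labels a 23H2 host as plain Server 2022 would otherwise be reported as patched against the wrong row of the table.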

Changes since first coverage (3 prior appearances)
  1. 2026-06-08 (2026-W23): Weekly recap: pre-auth SYSTEM RCE on DCs; Belgium CCB confirmed active exploitation; patch since 13 May.
  2. 2026-06-02: UPDATE: active ITW exploitation confirmed by CCB Belgium 2026-06-01 on the May Patch Tuesday Netlogon RCE; promoted to Immediate Action. Microsoft advisory not yet updated to mark exploited.
  3. 2026-05-13: May 2026 Patch Tuesday; ZDI flags wormable-candidate; MDASH-discovered.

5. Deep Dive — ShinyHunters Oracle PeopleSoft campaign: gadget-chain access, SSH default-credential lateral movement, mass exfiltration

ShinyHunters confirmed to BleepingComputer on 10 June 2026 that it had compromised Oracle PeopleSoft servers across approximately 300 instances at more than 100 organisations, with a heavy concentration in higher education (BleepingComputer, 2026-06-10). The University of Nottingham confirmed the same day that student and alumni data had been accessed in a security incident affecting its student-record system, opened a dedicated support line, and notified Action Fraud and the ICO (University of Nottingham, 2026-06-10). TechCrunch independently corroborated the scale of the campaign and the education-sector skew (TechCrunch, 2026-06-10).

Access and exploitation. ShinyHunters describes initial access as a "gadget chain" combining legacy PeopleSoft vulnerabilities with claimed zero-days; the actor stresses that exploitation is configuration-dependent and not universal across all internet-reachable instances. Oracle has not published a CVE for the specific flaws in this campaign and did not respond to press inquiries, so the precise initial-access vector remains attacker-asserted rather than vendor-confirmed — treat the "zero-day" framing with appropriate caution. The relevant entry surface is the externally reachable PeopleSoft web and application tier (PIA, Integration Broker, and REST/SAML/OAuth endpoints), mapped to T1190 Exploit Public-Facing Application.

Post-access lateral movement. The better-evidenced — and more directly defender-actionable — phase is what follows initial access. The actor's tooling attempts SSH connections against common PeopleSoft/Oracle operating-system service accounts (psoft, oracle, linuxadm) using password and key-based fallback, then runs a shell script that performs bulk data retrieval and drops ransom notes into PeopleSoft web/application server directories (BleepingComputer, 2026-06-10). This maps to T1078.001 Valid Accounts: Default Accounts (or T1078.003 Local Accounts where the service accounts were provisioned by the operator rather than the installer), T1021.004 Remote Services: SSH, and T1213 Data from Information Repositories, culminating in T1567 Exfiltration Over Web Service. Exfiltrated data categories stated by the actor include student and applicant records, financial-aid data, immigration status, health records, and contact details — the full sensitive payload of a campus-management deployment.

Detection and hunting concepts (no IOCs). Watch for SSH authentication attempts to PeopleSoft hosts using the psoft/oracle/linuxadm account names from external or unexpected source ranges; correlate against successful logons followed by interactive shell activity, and treat a failed-password-then-accepted-publickey sequence from the same source as a match for the actor's password/key fallback. On the application tier, alert on anomalous bulk-query volumes or out-of-hours mass record retrieval in PeopleTools security-audit logs, and on egress anomalies consistent with bulk data transfer to non-standard destinations (T1048 Exfiltration Over Alternative Protocol / T1567). Treat the appearance of unexpected ransom-note text files in web/app server document roots as a high-confidence lateral-movement indicator and review authorized_keys and /etc/hosts for unauthorised additions.
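The SSH side of that hunt can be run directly over sshd syslog output. The following is an added example, not code from the brief, BleepingComputer or any vendor: it parses the standard OpenSSH "Failed password", "Accepted publickey/password" and "Invalid user" messages, ignores activity from an allow-listed jump-host range, and raises one finding per source/account pair, marking the password-then-key fallback the brief attributes to the actor's tooling. The watched account names are the brief's; the log lines and the 10.20.0.0/24 jump-host range are constructed.

```python
"""Hunt sshd authentication logs for the PeopleSoft/Oracle OS service accounts.

Added example, not part of the brief or of any vendor tooling. Account names come from the
brief (psoft, oracle, linuxadm); the log lines and the jump-host range are constructed.
Lines follow the standard OpenSSH syslog format.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

WATCHED_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

# Matches the OpenSSH auth messages that name a user and a source address:
#   Failed password for <user> from <ip> port <n> ssh2
#   Failed password for invalid user <user> from <ip> port <n> ssh2   (account does not exist)
#   Accepted publickey|password for <user> from <ip> port <n> ssh2 ...
#   Invalid user <user> from <ip> port <n>
# "invalid user" matters after the accounts are renamed: it shows attackers still probing them.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<event>Failed password|Accepted (?:password|publickey)|Invalid user)"
    r"(?: for)?(?P<invalid> invalid user)? (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def hunt(lines, allowed_nets):
    """Return one finding per (source IP, account) seen outside allowed_nets.

    severity HIGH   : at least one Accepted logon for a watched account from an unexpected source
    severity MEDIUM : failed / invalid-user attempts only
    fallback_to_key : the same IP failed a password for the account and then got in with a key
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    seen = defaultdict(lambda: {"failed": 0, "accepted": 0, "invalid": 0, "key_after_fail": False})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m or m["user"] not in WATCHED_ACCOUNTS:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # expected administrative source
        state = seen[(m["ip"], m["user"])]
        if m["invalid"] or m["event"] == "Invalid user":
            state["invalid"] += 1
        elif m["event"] == "Failed password":
            state["failed"] += 1
        else:
            state["accepted"] += 1
            if m["event"] == "Accepted publickey" and state["failed"]:
                state["key_after_fail"] = True
    findings = []
    for (ip, user), s in seen.items():
        findings.append({
            "ip": ip, "user": user,
            "severity": "HIGH" if s["accepted"] else "MEDIUM",
            "failed": s["failed"], "accepted": s["accepted"], "invalid": s["invalid"],
            "fallback_to_key": s["key_after_fail"],
        })
    # HIGH first, then deterministic order for the rest.
    return sorted(findings, key=lambda f: (f["severity"] != "HIGH", f["ip"], f["user"]))


# Constructed sample: an administrator from the jump host, then an external source trying a
# password first and falling back to a key, then a second source probing a renamed account.
SAMPLE_LOG = """\
Jun 10 08:55:01 psapp01 sshd[3990]: Accepted publickey for linuxadm from 10.20.0.5 port 40112 ssh2: ED25519 SHA256:AAAA
Jun 10 23:14:07 psapp01 sshd[4121]: Failed password for psoft from 203.0.113.45 port 51022 ssh2
Jun 10 23:14:09 psapp01 sshd[4121]: Failed password for psoft from 203.0.113.45 port 51022 ssh2
Jun 10 23:14:12 psapp01 sshd[4125]: Accepted publickey for psoft from 203.0.113.45 port 51030 ssh2: RSA SHA256:BBBB
Jun 10 23:14:12 psapp01 sshd[4125]: pam_unix(sshd:session): session opened for user psoft(uid=1001) by (uid=0)
Jun 10 23:16:40 psapp01 sshd[4140]: Failed password for oracle from 203.0.113.45 port 51044 ssh2
Jun 10 23:20:02 psapp01 sshd[4150]: Invalid user linuxadm from 198.51.100.9 port 60001
Jun 10 23:20:02 psapp01 sshd[4150]: Failed password for invalid user psoft from 198.51.100.9 port 60001 ssh2
Jun 10 23:20:03 psapp01 sshd[4152]: Failed password for ubuntu from 198.51.100.9 port 60002 ssh2
""".splitlines()

JUMP_HOSTS = ["10.20.0.0/24"]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, JUMP_HOSTS):
        print(finding)
```

The "ubuntu" attempt is ignored on purpose: the hunt is scoped to the service accounts the actor targets, so generic brute-force noise does not drown the signal. Widen WATCHED_ACCOUNTS if local naming conventions differ.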

Hardening / mitigation. Rename or disable the default psoft/oracle/linuxadm OS service accounts and enforce SSH key-only authentication; restrict PeopleSoft administrative interfaces to jump-host access and remove direct internet exposure of the management tier; enable PeopleTools security-audit logging if not already on; and apply any outstanding Oracle Critical Patch Update advisories for PeopleSoft, recognising that the campaign's specific CVEs are undisclosed so defence-in-depth around authentication and exposure is the dependable control. Public-sector and university SOCs running PeopleSoft Campus Solutions or HCM should audit external reachability of the web/app tier as the first action.

6. Action Items

  • Confirm all domain controllers carry the May 2026 Patch Tuesday update (CVE-2026-41089). Pre-auth Netlogon RCE giving SYSTEM on any unpatched DC is now confirmed exploited in the wild in the EU by Belgium's CCB. Where a DC cannot be patched immediately (legacy Server 2012/2012 R2 past ESU), isolate it behind a management VLAN with firewall rules that block the paths Netlogon RPC is reachable over from untrusted subnets: TCP 135 and the dynamic RPC port range, and SMB/445 for the \PIPE\NETLOGON named pipe. See § 4.
  • Audit ServiceNow Scripted REST Resources for requires_authentication=false and rotate exposed secrets. Check sys_ws_operation for unauthenticated endpoints, review access_log_transaction for requests to /api/now/related_list_edit in the 2–5 June window, and rotate any credentials or API tokens stored in support-ticket workflows. Confirm via the support portal whether a case was opened on your tenant. See § 1.
  • Patch Langflow (1.9.0 / 1.10.0) and disable auto-login (CVE-2026-5027). This pre-auth path-traversal-to-RCE is exploited in the wild with ~7,000 instances exposed. If patching is delayed, set LANGFLOW_AUTO_LOGIN=false, remove the instance from internet exposure, and hunt web logs for POST /api/v2/files requests containing ../ or %2e%2e%2f. See § 2.
  • For PeopleSoft operators: rotate default SSH service accounts and hunt for ransom-note artefacts. Rename/disable psoft, oracle, linuxadm; enforce SSH key-only auth; restrict the admin tier to jump-host access; review authorized_keys; and treat unexpected ransom-note text files in web/app document roots as a lateral-movement indicator. See § 5.
  • With no patch for "RoguePlanet," instrument Defender process-tree monitoring. Alert on MsMpEng.exe spawning cmd.exe/powershell.exe (Sysmon EID 1 / Windows 4688) and on SYSTEM-context shells not tied to a service restart. See § 1.
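The Langflow hunt in the action item above is easy to under-match: a literal search for `../` or `%2e%2e%2f` misses double-encoding (`%252e%252e%252f`) and backslash variants (`..%5c`). The following is an added example, not code from the brief or from the Langflow project: it parses Common Log Format access-log lines, repeatedly percent-decodes the request target, folds backslashes to slashes, and flags POST requests to /api/v2/files whose decoded target contains a parent-directory step. The endpoint and the traversal markers are the brief's; the log lines are constructed, and placing the traversal in the path or query string is an assumption, since the brief does not describe the request shape.

```python
"""Hunt web access logs for CVE-2026-5027-style path traversal against Langflow /api/v2/files.

Added example, not part of the brief or of the Langflow project. The endpoint and the plain /
encoded traversal markers come from the brief; the log lines are constructed in Common Log
Format, and where the traversal sits in the request (path or query string here) is an
assumption, since the brief does not describe the request shape.
"""
from __future__ import annotations

import re
from urllib.parse import unquote

# Pulls method, target and protocol out of the quoted request line of a CLF entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
TARGET_PREFIX = "/api/v2/files"
MAX_DECODE_ROUNDS = 3  # enough to unwrap %252e%252e%252f without looping on pathological input


def normalise_target(target: str) -> str:
    """Percent-decode repeatedly and fold backslashes so encoded variants compare alike.

    '%2e%2e%2f' -> '../'; '%252e%252e%252f' -> '%2e%2e%2f' -> '../'; '..%5c' -> '..\\' -> '../'
    """
    decoded = target
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when the decoded request target contains a parent-directory step.

    'a..b' is not flagged (no separator after the dots); 'foo../bar' is, which is acceptable
    over-matching for a hunt.
    """
    norm = normalise_target(target)
    return "../" in norm or norm.endswith("/..")


def hunt(lines: list[str]) -> list[dict]:
    """Return one finding per POST /api/v2/files request whose target decodes to a traversal."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m["target"]
        if m["method"] != "POST" or not target.startswith(TARGET_PREFIX):
            continue
        if is_traversal(target):
            findings.append({
                "ip": line.split(" ", 1)[0],          # first CLF field is the client address
                "target": target,
                "decoded": normalise_target(target),
            })
    return findings


# Constructed sample: plain, single-encoded, double-encoded and backslash-encoded traversals
# from two sources, plus benign traffic and a GET that the POST filter intentionally skips.
SAMPLE_LOG = """\
198.51.100.23 - - [10/Jun/2026:11:02:14 +0000] "GET /api/v1/flows HTTP/1.1" 200 5120
198.51.100.23 - - [10/Jun/2026:11:02:15 +0000] "POST /api/v2/files/?path=../../../../etc/cron.d/lf HTTP/1.1" 201 88
198.51.100.23 - - [10/Jun/2026:11:02:16 +0000] "POST /api/v2/files/%2e%2e%2f%2e%2e%2fapp%2fstart.sh HTTP/1.1" 201 88
198.51.100.23 - - [10/Jun/2026:11:02:17 +0000] "POST /api/v2/files/%252e%252e%252fapp%252fstart.sh HTTP/1.1" 201 88
203.0.113.9 - - [10/Jun/2026:11:05:00 +0000] "POST /api/v2/files/..%5c..%5cwindows%5cwin.ini HTTP/1.1" 201 88
10.0.0.7 - - [10/Jun/2026:11:06:30 +0000] "POST /api/v2/files/ HTTP/1.1" 201 120
10.0.0.7 - - [10/Jun/2026:11:07:00 +0000] "GET /api/v2/files/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0
""".splitlines()

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(f"{finding['ip']}  {finding['target']}  ->  {finding['decoded']}")
```

The method filter follows the brief (POST); dropping the `m["method"] != "POST"` check widens the hunt to the GET probe in the sample, which is cheap insurance if the exploited request shape turns out to differ. Traversal carried in a request body is invisible in access logs and needs the WAF or reverse-proxy body log instead.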

7. Verification Notes

  • Items dropped:
    • CVE-2026-25089 (FortiSandbox unauthenticated OS command injection, CVSS 9.8, patched 9 June) — dropped from § 2 because it cleared no inclusion gate: not in CISA KEV, no confirmed ENISA EUVD listing, no in-the-wild exploitation reported, and no public PoC. The Fortinet PSIRT page (FG-IR-26-141) returned "Unavailable" on fetch, so no primary advisory URL could be cited. Will reassess if exploitation or a working PoC emerges.
    • EVERTEC / Banco Popular de Puerto Rico SEC 8-K (third-party support-platform breach, payment-card data) — dropped: no Switzerland/EU and no public-sector nexus (Puerto Rico banking). Logged as a third-party-vendor-risk pattern only; not within audience scope this run.
    • BACS/NCSC-CH G7 Évian pre-event threat bulletin — dropped: the campaign is already covered (campaign:g7-evian-2026) and the primary advisory is dated 1 June 2026, outside the 36 h recency window, with no fresh in-window delta.
  • Single-source items: CrowdStrike's claim of an axios npm-package compromise (§ 3) is asserted only by CrowdStrike in this run — flagged single-source-vendor pending independent corroboration. The rest of the CrowdStrike report is treated under the PD-9 one-treatment rule for periodic reports.
  • Contradiction resolved: Langflow CVE-2026-5027 patch status — one research stream reported "no patch available," another reported a fix in Langflow 1.9.0 / langflow-base 0.8.3 with 1.10.0 on 10 June. Brief reports patch-available on the basis of the more recent, BleepingComputer-sourced read; defenders should confirm the fixed version against the vendor release notes.
  • Attribution caveat: ServiceNow (§ 1) — exploitation was observed against a subset of customers, but ServiceNow attributes the activity to "likely security researchers / bug-bounty," while NCSC-CH GovCERT records it as "Actively Exploited." The brief presents both framings rather than asserting malicious exploitation. The ShinyHunters PeopleSoft "gadget chain of zero-days" (§ 5) is attacker-asserted and not vendor-confirmed.
  • Cross-source discrepancy (GreenPlasma CVE): the RoguePlanet item's cited primary, NCSC-CH GovCERT post 12622, maps the GreenPlasma zero-day to CVE-2026-50507, and SecurityWeek lists CVE-2026-45586 as a separate Windows CTFMON elevation-of-privilege flaw; a separate (non-cited) June Patch Tuesday round-up instead associates CVE-2026-45586 with GreenPlasma. The brief follows its cited primary (NCSC-CH 12622) and reports GreenPlasma as CVE-2026-50507. The GreenPlasma/YellowKey CVEs are background context for the RoguePlanet disclosure, not the operative item.
  • Coverage gaps: databreaches-net (Cloudflare challenge / no usable Wayback snapshot — bridge blocked); sec-disclosures-edgar (EDGAR full-text bridge returned 0 results across all tested windows, direct fetch 403 "Undeclared Automated Tool"; EVERTEC 8-K found via WebSearch fallback); inside-it-ch (Cloudflare Managed Challenge on all attempts); sophos-xops (known 503 pattern, not attempted); greynoise (no in-window posts); fortiguard-psirt (FG-IR-26-141 returned "Unavailable"); cert-fr-actu (feed capped at 2025 entries); ncsc-ch-kw24 (Week-24 review not yet published as of run time).