ctipilot.ch

CTI Daily Brief — 2026-06-13

Type: daily
Date: 2026-06-13
Generator: Claude Opus 4.8 (`claude-opus-4-8`)
Classification: TLP:CLEAR
Language: English
Prompt: v2.60
Items: 9
CVEs: 10

0. TL;DR

  • Oracle PeopleSoft CVE-2026-35273 confirmed exploited as a zero-day since 27 May; 100+ orgs hit, 68% higher education. Mandiant/GTIG attributes the unauthenticated SSRF→RCE campaign against the PeopleSoft Environment Management Hub to UNC6240 (ShinyHunters); the University of Nottingham confirmed 454,600 student records stolen. CISA added it to KEV on 12 June. Swiss/EU universities running PeopleTools 8.61/8.62 (Campus Solutions) are squarely in scope (Mandiant/GTIG, 2026-06-11). See § 4.
  • SimpleHelp RMM ships an unauthenticated OIDC auth-bypass (CVE-2026-48558). A forged unsigned OIDC token yields a full technician session and bypasses IdP MFA — a clean initial-access vector into every downstream MSP-managed estate (Horizon3.ai, 2026-06-12). See § 2.
  • China-nexus Velvet Ant lived inside an air-gapped network for ~10 years by trojanising the Linux login stack itself — nine backdoored pam_unix.so variants and a credential-logging sshd, invisible to EDR. Today's deep dive is a binary-integrity hunt playbook for any Linux fleet (The Hacker News, 2026-06-12). See § 5.
  • "Atomic Arch" hijacked 400+ orphaned Arch Linux AUR packages to drop a Rust credential stealer and an eBPF rootkit that hides processes/files via pinned BPF maps; injection rides a malicious atomic-lockfile npm dependency added to PKGBUILD (Sonatype, 2026-06-11). See § 1.
  • Novo Nordisk disclosed theft of clinical-trial and healthcare-professional data, including directly-identifying HCP names, phone and WhatsApp contacts — a ready-made spear-phishing target package for EU clinical-research staff (Novo Nordisk, 2026-06-11). See § 1.

Immediate Action — Patch internet-exposed Oracle PeopleSoft now; hunt PSEMHUB exploitation. UNC6240 (ShinyHunters) exploited CVE-2026-35273 (CVSS 9.8, unauthenticated SSRF→RCE) as a zero-day against the PeopleSoft Environment Management Hub from 27 May, two weeks before Oracle's 10 June out-of-band patch, and exploitation is ongoing with active victim acquisition concentrated in higher education (68% of 100+ confirmed victims). If you run PeopleTools 8.61/8.62 with /PSEMHUB/hub or /PSIGW/HttpListeningConnector reachable, apply Oracle's out-of-band fix immediately, restrict those endpoints to trusted admin subnets, rotate PeopleSoft admin credentials, and hunt for MeshCentral agents spawned by the app-server process and unexpected outbound SMB. Swiss/EU universities running Campus Solutions are an active target set, not a hypothetical one.

3. Research & Investigative Reporting

Check Point chains SQL injection to RCE in LangGraph's checkpointer (CVE-2025-67644 + CVE-2026-28277)

Check Point Research disclosed a vulnerability chain in LangGraph, the open-source stateful-agent framework published under LangChain (Check Point Research, 2026-06-11). CVE-2025-67644 is a SQL injection in the SQLite checkpointer's get_state_history() function, which interpolates user-controlled metadata filter keys directly into SQL without sanitisation. Chained with CVE-2026-28277, an unsafe msgpack deserialization in checkpoint loading, an attacker injects a crafted checkpoint row via the SQLi and triggers arbitrary Python module import and command execution when the application later loads that checkpoint — full server-side RCE (The Hacker News, 2026-06-12). A parallel SQLi in the Redis checkpointer is tracked as CVE-2026-27022. Exploitation requires a self-hosted deployment using the SQLite or Redis checkpointer that exposes get_state_history() to user-controlled filter input; PostgreSQL-backed deployments and LangChain's managed LangSmith cloud are not affected. Per Check Point, the fixes shipped in langgraph-checkpoint-sqlite 3.0.1 (CVE-2025-67644), langgraph 1.0.10 (CVE-2026-28277) and langgraph-checkpoint-redis 1.0.2 (CVE-2026-27022). Maps to T1190 and T1059.006. This is the substantive technical disclosure behind the agentic-AI attack surface that Swiss/EU public-sector AI pilots are increasingly building on. Defender action: pin the fixed versions, treat get_state_history() filter input as untrusted even in internal tooling, and never expose the state-history API unauthenticated.
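
The filter-key bug class described above, as an added example (not LangGraph's code and not from the Check Point report): the table schema, function names and the hostile key are constructed for illustration. It contrasts formatting filter keys into the SQL text with shape-checking each key and binding the JSON path as data.

```python
import json
import re
import sqlite3

def make_db():
    """In-memory table standing in for a checkpoint store (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE checkpoints (thread_id TEXT, metadata TEXT)")
    rows = [("t1", {"source": "input", "owner": "alice"}),
            ("t2", {"source": "loop", "owner": "bob"}),
            ("t3", {"source": "loop", "owner": "carol"})]
    db.executemany("INSERT INTO checkpoints VALUES (?, ?)",
                   [(t, json.dumps(m)) for t, m in rows])
    return db

def history_unsafe(db, flt):
    """'Before' pattern: values are bound, but filter keys are formatted into SQL."""
    where = " AND ".join(f"json_extract(metadata, '$.{k}') = ?" for k in flt)
    sql = f"SELECT thread_id FROM checkpoints WHERE {where} ORDER BY thread_id"
    return [r[0] for r in db.execute(sql, list(flt.values()))]

# Keys must look like plain identifiers; anything else is rejected outright.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")

def history_safe(db, flt):
    """Hardened pattern: shape-check each key, then bind the JSON path as data."""
    clauses, params = [], []
    for key, value in flt.items():
        if not isinstance(key, str) or not KEY_RE.fullmatch(key):
            raise ValueError(f"rejected metadata filter key: {key!r}")
        clauses.append("json_extract(metadata, ?) = ?")
        params += [f"$.{key}", value]
    sql = "SELECT thread_id FROM checkpoints"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [r[0] for r in db.execute(sql + " ORDER BY thread_id", params)]

# Constructed key that closes the quoted JSON path and adds its own predicate.
HOSTILE_KEY = "owner') IS NOT NULL OR json_extract(metadata, '$.owner"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", history_unsafe(db, {HOSTILE_KEY: "nobody"}))
    try:
        history_safe(db, {HOSTILE_KEY: "nobody"})
    except ValueError as exc:
        print("safe:", exc)
```

Where the application knows which metadata keys it ever filters on, a fixed allowlist of those keys is stricter than the shape check used here.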

"Agentjacking": Tenet Security hijacks AI coding agents via forged Sentry error events

Tenet Security documented an MCP-injection attack class that abuses the implicit trust between AI coding agents and the Sentry error-tracking integration (The Hacker News, 2026-06-12). The attacker needs only a target's Sentry DSN — a write-only credential frequently exposed in client-side JavaScript or committed to GitHub — to publish a crafted error event embedding markdown-formatted instructions. When a developer later asks their coding agent to investigate that Sentry issue, the agent retrieves the injected event over MCP and executes the embedded instructions with the developer's own system privileges. Because every action the agent takes is one the developer nominally authorised, the technique reportedly slips past EDR, WAF, IAM and VPN controls (Tenet Security, 2026-06-12). Sentry acknowledged the disclosure but declined a root-cause fix, deploying only a content filter for a specific payload string; no CVE was assigned because the issue is an architectural trust-model gap in MCP. Maps to T1059 (agent-mediated command execution) and T1195. Defender action: audit MCP server integrations for any external service that can write content later surfaced to an agent; treat Sentry event content as untrusted, use a read-only Sentry service account/project for MCP, rotate exposed DSNs and remove them from client bundles and repos; alert when an agent tool-call chain involving Sentry events is followed by shell or filesystem writes.
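
One way to express the last alert in the defender action above, as an added example (not from Tenet Security or Sentry): the tool names, the record layout and the call window are assumptions, so map them to whatever your agent host's audit log actually records.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ToolCall:
    session: str      # one agent conversation or task
    seq: int          # order of the call inside the session
    tool: str         # tool name as logged by the agent host
    detail: str = ""  # issue id, path or command text

# Hypothetical tool names; substitute the ones in your own audit log.
UNTRUSTED_SOURCES = ("sentry.",)  # MCP reads that return Sentry event content
SENSITIVE_SINKS = {"shell.exec", "fs.write", "fs.delete"}

def find_tainted_actions(calls, window=5):
    """Flag sensitive calls made within `window` calls after a Sentry read.

    A small window keeps noise down but misses slow chains; widen it for hunts.
    """
    alerts, last_read = [], {}
    for call in sorted(calls, key=lambda c: (c.session, c.seq)):
        if call.tool.startswith(UNTRUSTED_SOURCES):
            last_read[call.session] = call
        elif call.tool in SENSITIVE_SINKS:
            src = last_read.get(call.session)
            if src is not None and call.seq - src.seq <= window:
                alerts.append((call.session, src.detail, call.tool, call.detail))
    return alerts

# Constructed audit trail for three sessions.
TRACE = [
    ToolCall("A", 1, "sentry.get_issue_details", "ISSUE-101"),
    ToolCall("A", 2, "fs.read", "src/app.py"),
    ToolCall("A", 3, "shell.exec", "<command text>"),
    ToolCall("B", 1, "fs.write", "README.md"),  # write happens before the read
    ToolCall("B", 2, "sentry.get_issue_details", "ISSUE-102"),
    ToolCall("B", 3, "fs.read", "src/app.py"),
    ToolCall("C", 1, "sentry.get_issue_details", "ISSUE-103"),
    *[ToolCall("C", n, "fs.read", f"src/mod{n}.py") for n in range(2, 9)],
    ToolCall("C", 9, "fs.write", "src/mod2.py"),  # 8 calls after the read
]

if __name__ == "__main__":
    for alert in find_tainted_actions(TRACE):
        print("ALERT", *alert)
```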

Google sues China-based "Outsider" PhaaS network for weaponising Gemini to mass-produce phishing pages

Google filed a federal lawsuit against the operators of "Outsider Enterprise," a phishing-as-a-service network that prompted Google's own Gemini model with innocuous-seeming HTML-generation requests and imported the output directly into its kit to stand up live scam pages (Google, 2026-06-12). The kit, sold via Telegram subscription with built-in credential capture, shipped pre-built templates impersonating financial, retail and government services — including postal, parcel-delivery and tax-authority lures that map directly onto common Swiss/EU smishing themes (The Hacker News, 2026-06-12). The operationally relevant signal is not the scale numbers in the complaint but the technique: LLM safety filters police the prompt, not the downstream weaponisation, so AI-generated phishing pages are now produced faster and with more visual variety than template-based detection assumes. Defender action: anti-phishing controls that fingerprint known kit templates should expect higher variant churn; brief citizen-facing and finance teams that postal/delivery/tax-impersonation smishing volume is rising.

4. Updates to Prior Coverage

UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest

UPDATE (originally covered 2026-06-11): Mandiant and Google GTIG formally attribute the PeopleSoft Environment Management Hub exploitation campaign to UNC6240 (ShinyHunters) and confirm the activity ran from 27 May to 9 June 2026 — predating Oracle's 10 June out-of-band advisory, establishing CVE-2026-35273 (CVSS 9.8) as a zero-day at time of exploitation (Mandiant/GTIG, 2026-06-11). The unauthenticated SSRF→RCE is reached via the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints in PeopleTools 8.61/8.62.

GTIG notified over 100 organisations whose endpoints correlated with exploitation; 68% are higher-education institutions. Post-exploitation, the actor deployed MeshCentral remote-management agents disguised as Azure binaries, used SSH fan-out scripts with PeopleSoft admin credentials for lateral movement, and exfiltrated to the ShinyHunters leak site (Rapid7, 2026-06-12). The University of Nottingham confirmed 454,600 student and alumni records were taken, including passport numbers (University of Nottingham; BleepingComputer, 2026-06-11). CISA added the CVE to KEV on 12 June. Swiss/EU universities running Campus Solutions should treat this as P1 (see § 0 Immediate Action and § 6).

UPDATE: Maine AG takes its breach-notification portal offline after confirming the VRChat/Discord filings were a hoax

UPDATE (originally covered 2026-06-12): The Maine Attorney General's Office issued a formal statement on 12 June confirming that the VRChat and Discord breach filings surfaced through its public portal were hoaxes submitted by an unknown entity unrelated to either company, and that it has no record of any recent legitimate breach reports from either (Maine AG, 2026-06-12).

The office took the public-facing breach database offline while it reviews and hardens its submission procedures (BleepingComputer, 2026-06-12). The material delta on yesterday's coverage is the regulator's own confirmation that the filings were fraudulent and the portal's suspension — a reminder that self-certification breach portals are an unauthenticated data-integrity surface, and that breach "disclosures" sourced solely from such portals warrant corroboration before action.

5. Deep Dive — Velvet Ant "Operation Highland": subverting the Linux authentication stack for a decade

Background. Velvet Ant is a China-nexus espionage actor Sygnia has tracked across several long-dwell intrusions, most prominently a multi-year campaign that abused legacy Cisco Nexus switch persistence and F5 BIG-IP appliances as internal footholds to survive repeated eradication attempts (Sygnia — Velvet Ant prior reporting). The throughline across those engagements is patience and a preference for living in places defenders rarely image or hash-verify: network gear, load balancers, and now the host authentication layer. Operation Highland extends that pattern from network appliances to the Linux login path itself.

Sygnia's Operation Highland report, relayed in detail by The Hacker News on 12 June, describes Velvet Ant maintaining covert access to an air-gapped network for nearly a decade, with the earliest traces around 2016 (The Hacker News, 2026-06-12; Sygnia — Operation Highland). Because the target network had no direct internet connectivity, the group first compromised internet-facing perimeter hosts and engineered a deliberate multi-stage path inward — there was no single exploit, just abuse of trusted administration once inside.

The core of the operation is subversion of the components that decide who may log in. Velvet Ant deployed nine distinct compiled variants of pam_unix.so — the primary PAM password module — across hosts. Some variants accept a hard-coded magic password that grants access as any user while leaving normal authentication intact; others silently write the real credentials typed by legitimate users to disk for later harvesting (T1556.003 Modify Authentication Process: Pluggable Authentication Modules). In parallel, the sshd/ssh binaries were replaced with backdoored copies that log every username, password and command, and carry an attacker flag to suppress that logging during the operators' own sessions (T1554 Compromise Host Software Binary). Harvested credentials then enable ordinary-looking authenticated movement (T1078 Valid Accounts; T1021.004 Remote Services: SSH), and the trojanised modules are placed at their legitimate paths under /lib/security/ and /usr/sbin/ so nothing looks out of place (T1036.005 Masquerading: Match Legitimate Name or Location).

The defensive lesson is the part worth internalising: this class of compromise is invisible to the telemetry most SOCs rely on. A backdoored pam_unix.so produces no failed-login events, spawns no anomalous child process, and drops no second-stage userland implant for EDR to catch — the malice lives inside a trusted system library behaving normally for everyone except the attacker. Password resets and standard IR containment do not evict it, because the authentication decision itself is owned by the adversary. Detection therefore has to move to filesystem and binary integrity rather than behaviour:

  • Verify the on-disk pam_unix.so, sshd and ssh binaries against authoritative package-manager checksums — rpm -V openssh-server / dpkg --verify openssh-server on every Linux host, and a hash comparison of /lib/security/pam_unix.so (and the distro's PAM module directory) against the package-provided value. Any mismatch or unexpected modification timestamp on these files is a triage trigger, not a curiosity.
  • Deploy file-integrity monitoring (AIDE, Tripwire, or equivalent) on the authentication components specifically, and put OS auth-stack changes under separate change management so a legitimate update is distinguishable from tampering. On Linux endpoints with file-creation telemetry (Sysmon for Linux EID 11), alert on modification of /lib/security/pam_unix.so and /usr/sbin/sshd.
  • Threat-hunt the credential-harvesting side effect: look for successful SSH logins that coincide with unusual source IPs or off-hours timing, and remember that PAM-module replacement will not generate failed-login noise to anchor on. Hunt for unexpected credential-log files left in world-writable or dot-prefixed locations.
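
A triage helper for the first bullet, as an added example (not from the Sygnia report): it parses `rpm -V` / `dpkg --verify` output and keeps only findings on PAM modules and the ssh/sshd binaries. The package lists are the usual owners of those files on RPM-based and Debian-based systems, the severity labels are this example's own, and the sample output is constructed.

```python
import re
import shutil
import subprocess
from pathlib import PurePosixPath

# rpm -V and dpkg --verify share one line shape: 9 attribute flags (or
# "missing"), an optional file-type marker (c = config file), then the path.
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{9}|missing)\s+(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$"
)
# Packages that own pam_unix.so, sshd and ssh on each distro family.
PACKAGES = {
    "dpkg": ["libpam-modules", "openssh-server", "openssh-client"],
    "rpm": ["pam", "openssh-server", "openssh-clients"],
}

def is_auth_binary(path):
    p = PurePosixPath(path)
    if p.parent.name == "security" and p.suffix == ".so":  # PAM module directory
        return True
    return p.name in {"sshd", "ssh"} and p.parent.name in {"bin", "sbin"}

def triage(verify_output):
    """Return [(severity, path, flags)] for auth-stack files in verify output."""
    findings = []
    for line in verify_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] == "c" or not is_auth_binary(m["path"]):
            continue  # unparsable, a config file, or outside the auth stack
        flags = m["flags"]
        if flags == "missing" or flags[2] == "5":
            severity = "critical"  # file gone, or digest differs from the package
        else:
            severity = "review"    # size/mode/mtime drift, or digest not checked
        findings.append((severity, m["path"], flags))
    return findings

def collect():
    """Run the local package manager's verify pass; '' if neither tool exists."""
    for tool, args in (("dpkg", ["--verify"]), ("rpm", ["-V"])):
        if shutil.which(tool):
            # rpm -V exits non-zero when files differ, so check=True is not used.
            cmd = [tool, *args, *PACKAGES[tool]]
            return subprocess.run(cmd, capture_output=True, text=True).stdout
    return ""

# Constructed sample mixing rpm-style and dpkg-style lines.
SAMPLE = """\
S.5....T.  c /etc/ssh/sshd_config
..5....T.    /usr/sbin/sshd
.......T.    /usr/bin/ssh
??5??????   /lib/x86_64-linux-gnu/security/pam_unix.so
missing      /usr/lib64/security/pam_unix.so
S.5....T.    /usr/bin/vim
"""

if __name__ == "__main__":
    for finding in triage(collect() or SAMPLE):
        print(*finding)
```

Both tools compare against the host's own package database, which an intruder with root can also alter, so on high-value systems confirm any clean result against hashes taken from a trusted copy of the package.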

Hardening that removes or shrinks the attack path: immutable OS partitions or dm-verity for high-value isolated systems so authentication binaries cannot be silently rewritten; FIM in detect-and-block mode on the auth stack; and, for genuinely air-gapped networks, outbound filtering on the internet-facing pivot hosts the actor needs to stage the multi-step path inward. The strategic takeaway for a public-sector SOC: your Linux fleet's pam_unix.so and sshd are as much a crown-jewel integrity target as your domain controllers, and almost certainly far less monitored.

6. Action Items

  • Patch internet-exposed Oracle PeopleSoft (PeopleTools 8.61/8.62) now — CVE-2026-35273 is under active zero-day exploitation by ShinyHunters with ongoing victim acquisition in education. Apply Oracle's out-of-band fix, restrict /PSEMHUB/hub and /PSIGW/HttpListeningConnector to trusted admin subnets, rotate PeopleSoft admin credentials, and hunt for MeshCentral agents spawned by the app-server process and unexpected outbound SMB (see § 0 Immediate Action and § 4).
  • Patch SimpleHelp to 5.5.16 / 6.0 RC2, or disable OIDC — CVE-2026-48558 lets an unauthenticated attacker forge an OIDC token into a full Technician session and bypass IdP MFA; review access logs for no-signature token exchanges preceding successful Technician auth (see § 2).
  • Run a binary-integrity sweep of the Linux auth stack — verify pam_unix.so, sshd and ssh against package-manager checksums (rpm -V / dpkg --verify, AIDE/Tripwire) across the fleet; this is the only reliable way to surface Velvet Ant-class trusted-binary backdoors that produce no EDR or failed-login signal (see § 5).
  • Audit AUR usage on developer/CI hosts and hunt for the eBPF rootkit — restrict AUR-helper use on privilege-holding CI runners, alert on npm/bun install spawned from makepkg, and enumerate ls /sys/fs/bpf/hidden_* across Linux developer endpoints (see § 1).
  • Audit offboarding token/key revocation — inventory signing keys and OAuth client secrets tied to departed staff/contractors, confirm access logs fall under legal-hold retention, and add anomaly detection for credential use from unexpected geographies (Coupang lesson, § 1).
  • Lock down self-hosted LangGraph and Sentry-MCP exposure — pin langgraph ≥1.0.10 / langgraph-checkpoint-sqlite ≥3.0.1 / langgraph-checkpoint-redis ≥1.0.2 and treat get_state_history() filters as untrusted; for AI coding agents, move Sentry MCP to a read-only service account, rotate exposed DSNs and remove them from client bundles/repos (see § 3).
  • Brief clinical-research and pharma-partner staff on spear-phishing — the Novo Nordisk HCP data set (name + phone + WhatsApp) is a complete targeting package; no IOCs exist to anchor a technical hunt, so the control is awareness against SMS/WhatsApp pretexting (see § 1).

7. Verification Notes

  • Items dropped (deduplication): CVE-2026-49261 (MariaDB Galera wsrep_notify_cmd OS command injection, CVSS 10.0) returned by S1 and S2 — already covered as the 2026-06-12 deep dive; no material in-window delta, so not re-reported.
  • Items dropped (out-of-window, PD-7): OpenSSL 9 June 2026 batch advisory (CVE-2026-45447 PKCS7_verify heap UAF plus CMS/QUIC/OCSP issues) — freshest source is the CERT-FR advisory of 2026-06-10, outside the 36 h window with no fresher in-window development. CERT-EU advisory 2026-008 on Ivanti Sentry (CVE-2026-10520/CVE-2026-10523) — the EU-institutions advisory is dated 2026-06-10 and the underlying CVEs were covered 2026-06-10; the only delta (CERT-EU echoing the vendor advisory) is itself out-of-window.
  • CVEs that did not clear a § 2 inclusion gate: CVE-2026-6552 (GitLab EE Group SAML account takeover, CVSS 8.7) — post-auth (Group Owner required), no in-the-wild exploitation and no public PoC, CVSS below the 9.0 EUVD threshold; patched in GitLab 19.0.2/18.11.5/18.10.8 and worth scheduling, but it does not meet the § 2 bar (KEV / EUVD-exploited / EUVD CVSS 9–10 / vendor-confirmed ITW / pre-auth RCE with public PoC). The LangGraph chain (CVE-2025-67644 / CVE-2026-28277 / CVE-2026-27022) is carried in § 3 as research rather than § 2 — no ITW, CVSS below threshold.
  • Editorial relevance cut: INTERPOL "Operation Ramz" / SniperDz PhaaS takedown (201 arrests across 13 MENA countries) — genuine and corroborated (THN + Infosecurity Magazine), but a MENA-centred law-enforcement takedown with only marginal CH/EU nexus (French/German templates) and no 1–7-day defender action; not promoted.
  • Reduced-confidence / UA-blocked primaries: the Sygnia "Operation Highland" post (sygnia.co, § 5) and the Tenet Security "Agentjacking" post (tenetsecurity.ai, § 3) both return automated-UA blocks (Imunify360 / Cloudflare). Each item leads with a verified-live The Hacker News relay as primary and lists the vendor originator as an additional source; the vendor pages are likely reachable from a human browser. Technical claims for both rest on the THN relay plus the named vendor report.
  • Single-source / national-CERT-primary items: none — every published item carries ≥2 independent sources.
  • Reduced confidence (aggregator-only sourcing): the Coupang PIPC item (§ 1) rests on The Record and BleepingComputer; the primary regulator announcement (PIPC) is Korean-language and was not directly fetched this run. The facts (fine amount, root cause, evidence-obstruction finding) are consistent across both outlets, but the item carries one degree of separation from the regulator's own filing.
  • Contradictions: none material. Minor figure variation across outlets on the Outsider/SniperDz scale numbers; § 3 deliberately omits those counts as non-operational.
  • Coverage gaps: databreaches-net (HTTP 403 via bridge, no usable Wayback snapshot — 6+ consecutive runs); sec-disclosures-edgar (efts.sec.gov full-text search returned zero results across attempted date ranges — endpoint degraded or indexing lag); group-ib (HTTP 503 via bridge, no Wayback — SniperDz primary unreachable); sophos-xops (HTTP 503 again — rotation-priority warning confirmed); inside-it-ch (HTTP 403, no usable Wayback — unresolvable); cert-fr-actu (actualité RSS feed stalled at Oct 2025; avis feed current).