References (23)
- NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of insurance-regulatory data
- Jaguar Land Rover Aug-2025 ransomware: NYT first names Russian state-linked group; UK CMC Category-3 systemic event
- Netcraft: Bluekit PhaaS uses Browser-in-the-Middle (rrweb DOM streaming) to defeat FIDO2 and DBSC
- Unit 42: CL-STA-1062 deploys TinyRCT .NET backdoor via AppDomainManager injection
- Cisco Talos: Windows COM abuse (ITaskService/BITS/WMI/DCOM) as EDR-evasion primitives
- Island: 'BadBlocker' — 11M-user Chrome ad-blocker one server call from arbitrary JS on any site
- NCSC-NL — Security Advisories (RSS)
- BSI Germany — CERT-Bund WID (RSS)
- ENISA
- GitHub Advisory Database
- Cisco Talos
- Palo Alto Networks Unit 42
- VulnCheck
- Keycloak Project (security advisories / release notes)
- Netcraft
0. TL;DR
- NAIC — the standard-setting body for all 50 US state insurance regulators — confirms a breach via an Oracle PeopleSoft zero-day; ShinyHunters published ~3.1 TB of insurance regulatory and credit-rating-agency data, and rating-agency feeds paused, forcing NAIC to suspend assigning investment-risk designations. Part of a 100+ org PeopleSoft zero-day campaign; any organisation running Oracle PeopleSoft should verify patch status against the campaign (NAIC, 2026-06-26). See § 1.
- Gitea act_runner container-hardening bypass (CVE-2026-58053, CVSS 9.4, public PoC) lets any contributor with repo write access escape a privileged: false CI container to root on the host — self-hosted Gitea + Docker CI is common in Swiss/EU public-sector and academic IT (VulnCheck, 2026-06-27). See § 2.
- libssh2 heap out-of-bounds write (CVE-2026-55200, CVSS 9.2) now has a public PoC confirming code execution; it is embedded in curl, PHP, WinSCP, FileZilla and many network appliances — a malicious/compromised SSH server can corrupt a connecting client's heap (NCSC-NL, 2026-06-24). See § 2.
- Keycloak 26.6.4 patches a JWT algorithm-confusion flaw (CVE-2026-11800, CVSS 8.1) that lets an attacker with any valid client credential forge assertions and impersonate any federated user, including admins; Keycloak is the dominant open-source IdP across EU public administration (Keycloak Project, 2026-06-26). Today's deep dive — § 5.
- A New York Times investigation provides the first named attribution for the August 2025 Jaguar Land Rover ransomware attack — a Russian state-linked criminal group — in an incident that halted JLR production for ~six weeks and is estimated at ~£1.9 bn / $2.5 bn in UK economic impact. Attribution is the investigators' assessment, not an official UK government statement (TechCrunch, 2026-06-26). See § 1.
1. Active Threats, Trending Actors, Notable Incidents & Disclosures
NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of US insurance-regulatory data and rating-agency feeds pause
The National Association of Insurance Commissioners (NAIC) — the US standard-setting body governing all 50 state insurance regulators — confirmed on 2026-06-26 that an unauthorised party gained access to part of its environment on 2026-06-11 by exploiting an Oracle PeopleSoft vulnerability that was unknown to the vendor at the time, then used the PeopleSoft foothold to obtain credentials that pivoted into NAIC data-storage areas (NAIC, 2026-06-26). The flaw is reported as CVE-2026-35273, a critical unauthenticated remote-code-execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 (Insurance Business Mag, 2026-06-24). NAIC states the access path has since been blocked and remediated and that the FBI plus external forensics are engaged. The extortion group ShinyHunters claimed responsibility on 2026-06-18 and by 2026-06-25 had published the data, which corroborating reporting puts at ~3.1 TB (TechRadar, 2026-06-26); the corpus is reported to include insurer statutory financial-reporting documents and files from major credit-rating agencies (Insurance Journal, 2026-06-25). NAIC says it has not confirmed ShinyHunters' claim to have taken SERFF, OPTins, UCAA, EDP and RDC, and that employee PII, EFT, policyholder and producer data were not accessed. The operationally significant consequence: several rating agencies paused their data feeds to NAIC, forcing it to temporarily suspend assigning investment-risk designations to insurer portfolios — a direct disruption to US insurance-sector solvency monitoring. The incident is reported as part of a broader PeopleSoft campaign affecting 100+ organisations (Insurance Business Mag, 2026-06-24).
Why it matters to us: Oracle PeopleSoft is widely deployed for HR/finance in European and Swiss public-sector and large enterprises; the kill chain here is T1190 (exploit a public-facing PeopleSoft app) → T1078 (abuse the obtained credentials/session to pivot to data stores) → T1567 (web-service exfiltration). Verify PeopleSoft patch status against the in-the-wild zero-day campaign, segment PeopleSoft data-bus/integration accounts to least privilege, and put DLP/volume alerting on bulk export from PeopleSoft repositories. EU/Swiss insurance supervisors (EIOPA, national NCAs) and reinsurers whose data is in the rating-agency corpus should treat affected feeds as potentially tampered until NAIC confirms integrity restoration.
NYT investigation gives first named attribution for the Jaguar Land Rover ransomware attack — a Russian state-linked criminal group
A New York Times investigation published 2026-06-26 provides the first named attribution for the August–October 2025 ransomware attack on Jaguar Land Rover (JLR): investigators including the FBI, the UK National Crime Agency, NCSC, Google Mandiant and Palo Alto Networks now attribute the core intrusion to a Russian state-linked criminal group (Microsoft is reported to have named the group to investigators) (TechCrunch, 2026-06-26; The Next Web, 2026-06-26). The attribution is the investigators' assessment relayed through journalism — the UK government has not made it official, and investigators say they cannot establish whether the group acted on Kremlin orders, with tacit approval, or independently. The attack halted JLR manufacturing for roughly six weeks and disrupted 5,000+ supply-chain businesses, with UK economic damage estimated at ~£1.9 bn ($2.5 bn). Investigators also found a separate Jordanian actor ("Rey") independently inside JLR networks, illustrating multi-actor opportunistic access to the same under-segmented victim.
2. Trending Vulnerabilities
CVE-2026-58053 — Gitea `act_runner` Docker backend: container-hardening bypass to host escape (CVSS 9.4, public PoC)
Gitea act_runner through 0.262.0 with the Docker backend passes the workflow-defined container.options string straight into Docker's HostConfig for the job container. When an operator hardens the runner with privileged: false, the code forces only the Privileged flag off but still merges the rest of container.options unchanged — so options such as --pid=host, --cap-add=SYS_PTRACE, --security-opt=seccomp:unconfined or arbitrary bind mounts pass through, allowing any user with write access to a repository whose workflows run on that runner to escape to the host as root despite the hardening (VulnCheck, 2026-06-27; ENISA EUVD EUVD-2026-58053, 2026-06-28). ENISA EUVD scores it CVSS 4.0 9.4 and a public PoC is referenced. Technique class: T1611 Escape to Host via Docker HostConfig injection → T1068. Prerequisite is write access (or accepted external contribution) to a repo whose workflows execute on a Docker-backed runner configured privileged: false — the common hardened setting, which is what makes this dangerous. Self-service CI on internal Gitea + Docker is common in Swiss/EU public-sector and academic IT. Detection: watch Docker daemon audit logs for containers launched with unusual HostConfig flags (pid_mode=host, non-baseline cap_add, custom seccomp); review CI workflow-YAML diffs from external contributors for container.options injection. Mitigation now (vendor fix act_runner >= 0.263.0 was pending at advisory time): strip or allowlist container.options at the runner policy layer, require approval for fork/external-contributor workflow runs, and use a kernel-isolation runtime (e.g. gVisor) for untrusted CI.
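The two controls recommended above, as an added example that is not act_runner or Gitea code: a policy check that allowlists a workflow's container.options string before it reaches the Docker HostConfig, and an audit of a `docker inspect` HostConfig for the settings that survive a forced Privileged=false. The allowlist, the sensitive-mount list and the sample inputs are assumptions constructed for this example.

```python
import shlex

# Docker CLI options that weaken isolation even when the runner forces Privileged off.
DANGEROUS_FLAGS = {
    "--privileged", "--pid", "--ipc", "--uts", "--userns", "--cgroupns", "--network", "--net",
    "--cap-add", "--security-opt", "--device", "--mount", "-v", "--volume", "--volumes-from",
    "--sysctl", "--cgroup-parent",
}
# The only options an untrusted workflow may pass through (assumed policy for this example).
ALLOWED_FLAGS = {"--cpus", "--memory", "-m", "--env", "-e", "--label", "-l", "--workdir", "-w"}

def check_container_options(options: str) -> list:
    """Return policy violations for a workflow's container.options string; empty means accept."""
    try:
        tokens = shlex.split(options)
    except ValueError as exc:
        return [f"unparseable options string: {exc}"]
    violations, i = [], 0
    while i < len(tokens):
        tok = tokens[i]
        flag, _, inline_value = tok.partition("=")
        if flag in DANGEROUS_FLAGS:
            violations.append(f"forbidden flag {tok}")
        elif flag not in ALLOWED_FLAGS:
            violations.append(f"flag not on allowlist: {flag}")
        # Consume a detached value ("--flag value") so it is not re-read as a flag.
        if not inline_value and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            i += 1
        i += 1
    return violations

SENSITIVE_BIND_SOURCES = ("/", "/var/run/docker.sock", "/proc", "/sys", "/dev", "/etc", "/root")

def hostconfig_findings(host_config: dict) -> list:
    """Audit a `docker inspect` HostConfig for settings that enable host escape from a CI job."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("Privileged=true")
    for key in ("PidMode", "IpcMode", "UTSMode", "UsernsMode", "NetworkMode", "CgroupnsMode"):
        if host_config.get(key) == "host":
            findings.append(f"{key}=host")
    if host_config.get("CapAdd"):
        findings.append("CapAdd=" + ",".join(sorted(host_config["CapAdd"])))
    for opt in host_config.get("SecurityOpt") or []:
        if opt.startswith(("seccomp", "apparmor")):      # any profile override on a hardened runner
            findings.append(f"SecurityOpt={opt}")
    for bind in host_config.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in SENSITIVE_BIND_SOURCES or src.startswith(tuple(s + "/" for s in SENSITIVE_BIND_SOURCES if s != "/")):
            findings.append(f"sensitive bind mount {bind}")
    if host_config.get("Devices"):
        findings.append("host devices mapped")
    return findings

# Constructed sample: what a hardened (privileged: false) runner would still merge and launch.
SAMPLE_OPTIONS = "--pid=host --cap-add SYS_PTRACE --security-opt=seccomp:unconfined -v /:/host -m 512m"
SAMPLE_HOSTCONFIG = {"Privileged": False, "PidMode": "host", "CapAdd": ["SYS_PTRACE"],
                     "SecurityOpt": ["seccomp:unconfined"], "Binds": ["/:/host"], "Memory": 536870912}

if __name__ == "__main__":
    for v in check_container_options(SAMPLE_OPTIONS):
        print("policy reject:", v)
    for f in hostconfig_findings(SAMPLE_HOSTCONFIG):
        print("audit alert:", f)
```

The HostConfig audit can be run over `docker inspect` output or the daemon's audit stream to catch jobs that bypassed the policy layer.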
CVE-2026-55200 — libssh2 heap out-of-bounds write in `ssh2_transport_read()` with public PoC; companion pre-auth DoS CVE-2026-55199
CVE-2026-55200 is a heap out-of-bounds write (CWE-680 integer-overflow-to-buffer-overflow) in libssh2's ssh2_transport_read(): the packet_length field in an SSH transport packet is not bounds-checked before allocation, so a malicious or compromised SSH server can send a crafted length to corrupt a connecting client's heap — leading to DoS or, where ASLR is absent, potential remote code execution. NCSC-NL updated advisory NCSC-2026-0210 on 2026-06-24 to note that a public PoC has appeared confirming code execution under specific conditions; the GitHub advisory scores it CVSS 9.2 (NCSC-NL, 2026-06-24; GitHub Advisory GHSA-r8mh-x5qv-7gg2, 2026-06-23). The companion flaw CVE-2026-55199 (CVSS 8.2, CWE-835 infinite loop via a crafted SSH_MSG_EXT_INFO extension count → pre-auth CPU exhaustion/DoS) is also unfixed in 1.11.1. libssh2 is embedded in curl, the PHP ssh2 extension, FileZilla, WinSCP, Bitvise and many network appliances, so downstream exposure depends on vendor uptake. Technique class: T1190 (client-side, when tricked into connecting to an attacker-controlled server) for the OOB write; T1499.004 for the DoS. Affected: libssh2 ≤ 1.11.1; fixes are commit 97acf3df (55200) and 1762685 (55199), with no tagged release (1.11.2) yet. Detection/hardening: hunt heap-corruption crashes in processes using libssh2 (PHP-FPM, curl, scp wrappers); inventory embedded libssh2 versions in appliances/tooling; confirm ASLR is enabled (/proc/sys/kernel/randomize_va_space = 2) to raise the bar on the code-execution path; constrain automation hosts to known SSH endpoints.
3. Research & Investigative Reporting
Netcraft: Bluekit PhaaS uses Browser-in-the-Middle to defeat FIDO2 and Device Bound Session Credentials
Netcraft published a technical breakdown (2026-06-25) of Bluekit, a phishing-as-a-service platform first documented by Varonis Threat Labs (2026-04-29) and now seen by Netcraft at scale (~70 active hostnames in a single week) (Netcraft, 2026-06-25; Varonis, 2026-04-29). Bluekit's distinguishing technique is Browser-in-the-Middle (BitM): instead of proxying the victim's HTTP traffic the way Evilginx/AiTM kits do (which leaves session-fingerprint mismatches), it runs a real automated browser on attacker infrastructure and streams its live DOM to the victim over WebSocket using the open-source rrweb DOM-serialisation library. The victim's keystrokes and clicks are relayed into the attacker's browser and executed against the genuine site, so the session is created in and owned by the attacker from the start — which is why Device Bound Session Credentials (DBSC, which bind tokens to the legitimate device's keys) provide no protection, and why FIDO2/WebAuthn is bypassed (the attacker's browser completes the relying-party challenge on the victim's behalf). Anti-analysis: per-load randomised CSS filter values to defeat screenshot pixel-hashing, >1 MB rotating obfuscated JS bundles, brand-impersonating CAPTCHA, and WebRTC IP-mismatch checks to spot analyst proxies. Detection concepts: rrweb presence outside legitimate analytics; WebSocket streams of binary/encrypted DOM diffs to unexpected origins; sub-second form-submission round-trip latency characteristic of BitM relay; randomised CSS filter rules on top-level HTML. Relevant because Microsoft 365 / Entra ID tenants — including Swiss and EU public-sector ones — are named targets, and BitM degrades the "phishing-resistant MFA solves this" assumption.
Unit 42: Chinese-speaking cluster CL-STA-1062 deploys the new TinyRCT .NET backdoor against SE-Asian government and energy targets via AppDomainManager injection
Palo Alto Unit 42 (2026-06-25) documented CL-STA-1062, a Chinese-speaking cluster overlapping with Cisco Talos's UAT-7237, targeting government and state-owned energy infrastructure across Southeast Asia (Unit 42, 2026-06-25; The Hacker News, 2026-06-26). Initial access is via internet-facing web apps and ASPX web shells (T1505.003), pivoting to a custom .NET backdoor, TinyRCT, delivered through AppDomainManager injection (T1574.014): a benign signed chrome_setup.exe ships in a ZIP alongside a malicious chrome_setup.exe.config, causing the .NET CLR to load MyAppDomainManager.dll from the same directory and bootstrap TinyRCT in-process — no child process, so it is low-visibility to EDR. TinyRCT beacons over HTTP with AES-128-CBC payloads, supports command execution via cmd.exe, chunked file exfiltration, and screen capture, and self-terminates unless run from %LOCALAPPDATA% or %USERPROFILE%\Downloads (anti-sandbox). Observed tooling includes Mimikatz, JuicyPotato and SoftEther VPN masqueraded as vmtools.exe. The defender value is the technique: T1574.014 AppDomainManager injection is widely under-detected, and the same web-shell-to-in-process-.NET pattern is directly applicable to European public-sector web estates. Hunt for .NET .config files written into user-writable directories adjacent to signed executables, and DLL loads of MyAppDomainManager.dll from a signed PE's own directory (Sysmon EID 7).
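The hunt described above, as an added example that is not Unit 42 or Talos tooling: a correlation over Sysmon events for a .NET .config file written next to an executable in user-writable space (EID 11) followed by that executable loading an unsigned DLL from its own directory (EID 7). The events are constructed dicts using Sysmon's field names; the directory markers and severities are assumptions.

```python
import ntpath

# Directory markers a standard user can write to (lower-case substrings of a Windows path).
USER_WRITABLE_MARKERS = ("\\appdata\\local\\", "\\downloads\\", "\\temp\\", "\\users\\public\\")

def in_user_writable_dir(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)

def hunt_appdomainmanager(events: list) -> list:
    """Return (severity, message) alerts for the write-a-.config-then-sideload pattern."""
    alerts = []
    config_dirs = set()
    # Pass 1: Sysmon EID 11 (FileCreate) of <exe>.config in user-writable space.
    for ev in events:
        if ev.get("EventID") == 11:
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".exe.config") and in_user_writable_dir(target):
                config_dirs.add(ntpath.dirname(target).lower())
                alerts.append(("medium", f"EID11 .NET config written in user-writable dir: {target}"))
    # Pass 2: Sysmon EID 7 (ImageLoad) of an unsigned DLL from the loading EXE's own directory.
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
        img_dir = ntpath.dirname(image).lower()
        if not loaded.lower().endswith(".dll") or ntpath.dirname(loaded).lower() != img_dir:
            continue
        if ev.get("Signed", "").lower() == "true" or not in_user_writable_dir(loaded):
            continue
        # A prior .config write into the same directory is the AppDomainManager tell: raise severity.
        severity = "high" if img_dir in config_dirs else "medium"
        alerts.append((severity, f"EID7 unsigned {ntpath.basename(loaded)} loaded by {image} from its own directory"))
    return alerts

# Constructed sample events using Sysmon field names; paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\chrome_setup\chrome_setup.exe.config"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\chrome_setup\chrome_setup.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\chrome_setup\MyAppDomainManager.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for severity, message in hunt_appdomainmanager(SAMPLE_EVENTS):
        print(severity.upper(), message)
```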
Cisco Talos: a field guide to Windows COM abuse — ITaskService, BITS, WMI and DCOM as EDR-evasion primitives [SINGLE-SOURCE]
Cisco Talos published a reverse-engineering primer (2026-06-25) on how Windows threats weaponise Component Object Model (COM) interfaces to hide operations inside legitimate service call stacks (Cisco Talos, 2026-06-25). Four technique classes with a shared detection gap — function calls routed through vtable indirection rather than direct API imports limit EDR visibility: ITaskService/ITaskScheduler persistence creates scheduled tasks with no visible schtasks.exe (T1053.005); IBackgroundCopyJob (BITS) moves C2/files attributed to the trusted BITS service process (T1197); IWbemLocator/WMI blends discovery into svchost.exe (T1082, T1518.001); and DCOM/IDispatch enables remote object activation for lateral movement (T1021.003). Families studied include Gh0stRAT (ITaskService persistence), Attor (BITS C2 + WMI), Qakbot (WMI) and WarmCookie (ITaskScheduler 1.0). The actionable takeaway for detection engineers: scheduled-task-creation rules keyed on schtasks.exe/PowerShell miss COM-based task creation, which emits different event logs; build coverage for task creation where the creating image is unexpected, WMI activity from non-system parents, and BITS jobs created by non-svchost processes.
Island: "BadBlocker" — an 11M-user Chrome ad-blocker is one server config change away from arbitrary JavaScript on any site
Island researchers documented (2026-06-25) a dormant but architecturally complete arbitrary-JavaScript-execution capability in "Adblock for YouTube" (11M+ installs) (Island, 2026-06-25; The Hacker News, 2026-06-25). The extension fetches config every 24 hours; a server-controlled scriptletsRules field can activate a "create-element" scriptlet that appends an externally-sourced <script> to the DOM via a TrustedTypes policy that bypasses the browser's own script-injection guard. Because the extension declares <all_urls> host permissions but only checks whether the string youtube.com appears anywhere in the URL (not as the hostname), a lure such as https://bank.example.com/search?q=youtube.com passes the check — so an injected script could run in authenticated banking, admin-panel or enterprise-SaaS sessions with full DOM and credential access (T1176 Browser Extensions; T1056 Input Capture). Island demonstrated a Salesforce-data-exfiltration PoC; no malicious payload was live at analysis time, but sister extensions were previously removed by Google for actual malware. Defender concepts: flag browser extensions making config-fetch HTTPS requests outside their declared purpose; audit <all_urls> extensions against business need; enforce extension allowlisting via browser management policy.
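The URL check at the root of BadBlocker, as an added example that is not the extension's code: the substring test beside a hardened matcher that parses the URL and compares only the hostname. The lure URLs are constructed for the example; `bank.example.com` is the shape described in the report, not a real target.

```python
from urllib.parse import urlsplit

def is_youtube_substring(url: str) -> bool:
    """Vulnerable form: a bare substring test, which any URL can satisfy in its path, query or fragment."""
    return "youtube.com" in url

def is_youtube_hostname(url: str) -> bool:
    """Hardened form: parse the URL and match only the hostname, exact or as a real subdomain."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")   # .hostname drops userinfo and port
    return host == "youtube.com" or host.endswith(".youtube.com")

# Constructed URLs: two genuine YouTube pages and four lures that all pass the substring test.
SAMPLE_URLS = {
    "https://www.youtube.com/watch?v=abc": True,
    "https://youtube.com/": True,
    "https://bank.example.com/search?q=youtube.com": False,     # the lure shape from the report
    "https://youtube.com@portal.example.com/login": False,       # userinfo trick
    "https://youtube.com.evil.example/": False,                  # look-alike host suffix
    "https://admin.example.com/#youtube.com": False,             # fragment
}

def evaluate() -> dict:
    """Map each URL to (substring_result, hostname_result, expected)."""
    return {u: (is_youtube_substring(u), is_youtube_hostname(u), want) for u, want in SAMPLE_URLS.items()}

if __name__ == "__main__":
    for url, (substring, hostname, want) in evaluate().items():
        print(f"{url:50} substring={substring!s:5} hostname={hostname!s:5} expected={want}")
```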
4. Updates to Prior Coverage
No qualifying updates this run. The in-window developments on previously-covered stories (Turla STOCKSTAY, the Miasma/"Mini Shai-Hulud" npm worm, the Ubiquiti UniFi OS KEV chain) carried no material new delta beyond what the last two briefs already reported — see § 7.
5. Deep Dive — Keycloak JWT algorithm confusion (CVE-2026-11800): forging federated identity in the EU public sector's dominant IdP
Background. JWT algorithm confusion is a long-known token-forgery class — public research dating to the mid-2010s showed that if a verifier trusts the attacker-controlled alg header field, an attacker can substitute the signing algorithm (classically RS256→HS256, treating the public RSA key as an HMAC secret, or downgrading to alg: none) to forge a validly-"signed" token. The defensive consensus has been settled for years: pin the accepted algorithm server-side and never let the token dictate it. CVE-2026-11800 is notable not because the class is new but because it lands in Keycloak, the dominant open-source identity-and-access platform across European public administration (and the upstream of Red Hat Build of Keycloak / Red Hat SSO), where a token-layer bypass collapses the entire federated-identity trust boundary.
What the flaw is. Keycloak 26.6.4 (released 2026-06-26) patches eight CVEs; the headline issue is CVE-2026-11800 (CVSS 8.1, CWE-347 Improper Verification of Cryptographic Signature): an attacker holding any valid client credential in a realm can forge an assertion in the JWT Authorization Grant flow by manipulating the algorithm field, bypassing signature verification to mint unauthorised access tokens and impersonate any federated user linked to the affected identity provider — including administrators (Keycloak Project, 2026-06-26; GitHub Advisory GHSA-gqj5-2xp5-3qmp, 2026-06-25; BSI WID-SEC-2026-2093, 2026-06-26). The prerequisite — a single low-privilege registered OAuth client — is a low bar in a multi-tenant realm with many onboarded applications.
Why the release matters beyond the headline. The same 26.6.4 release fixes CVE-2026-9800 (CVSS 8.1, CWE-1025 policy-enforcer authorization bypass: an authenticated attacker who places the configured access-denied-page path into a request URL as a path segment or query parameter bypasses role/scope/UMA permission checks) and a privilege-escalation path from group-admin to realm-admin (CVE-2026-9099), plus information-disclosure, XSS, disabled-client-re-enablement and scope-mapping-bypass issues. CVE-2026-11800 maps to T1550.001 (Application Access Token abuse) and, where MFA is policy-enforced at the IdP, T1556.006 (the token issuer is bypassed, so MFA is moot); CVE-2026-9800 maps to T1078.004 valid-account abuse with elevated privilege.
Affected / fixed. Upgrade to Keycloak 26.6.4 per the project release notes; Red Hat Build of Keycloak users apply the matching advisories (Red Hat issued RHSA errata for RHBK alongside the upstream release). Treat any internet-reachable Keycloak admin or token endpoint as priority.
Hunt and detection concepts (no IOCs). In Keycloak's own event log, alert on token issuances where the JWT alg does not match the realm's configured signature algorithm (e.g. HS256 appearing on a realm configured for RS256/ES256), and on CODE_TO_TOKEN/CLIENT_AUTH events that resolve to a user the requesting client should not be able to assert. For the policy-enforcer bypass, review access-enforcer logs for requests containing the access-denied-page path as a query parameter or trailing path segment. Correlate admin REST calls (POST /admin/realms/{realm}/clients, role-mapping changes) against accounts that were previously only group-admins (the CVE-2026-9099 vector). Pipe these into the SIEM as identity-tier detections, not just app logs.
Hardening / mitigation. Beyond patching: enforce an explicit algorithm allowlist in realm OIDC settings so the alg field cannot be downgraded (none/HS256 must be rejected where asymmetric signing is expected); review group-to-role mappings for any realm-admin delegation; tighten Registration Access Token expiry; and keep the admin console off the public internet. The structural lesson for any IdP — Keycloak or not — is that the token verifier must own the algorithm decision; the token must never be allowed to choose how it is verified.
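The class of flaw in this deep dive and the two controls above (algorithm pinning, alg-mismatch detection), as an added example that is not Keycloak code: a verifier that lets the token's alg header choose the check beside one that pins the realm's algorithm and key type, plus a scan of issued tokens for header/realm mismatches. Stdlib only; the RSA public key is a constructed placeholder, and actual asymmetric signature verification is assumed to sit in a crypto library and is not part of the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(header: dict, claims: dict, secret: Optional[bytes]) -> str:
    """Build a compact JWT: HS256-signed when a secret is given, unsigned ('none') otherwise."""
    signing_input = b64url(json.dumps(header, separators=(",", ":")).encode()) + "." + \
        b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if secret else b""
    return signing_input + "." + b64url(sig)

def split_token(token: str):
    """Return (header dict, signing input bytes, raw signature bytes)."""
    h, c, s = token.split(".")
    return json.loads(b64url_decode(h)), f"{h}.{c}".encode(), b64url_decode(s)

def hs256_ok(signing_input: bytes, sig: bytes, key_bytes: bytes) -> bool:
    return hmac.compare_digest(hmac.new(key_bytes, signing_input, hashlib.sha256).digest(), sig)

# Which algorithms a given key type may legitimately verify.
ALGS_FOR_KTY = {"oct": ("HS256", "HS384", "HS512"),
                "RSA": ("RS256", "RS384", "RS512", "PS256", "PS384", "PS512"),
                "EC": ("ES256", "ES384", "ES512")}

def verify_naive(token: str, key: dict) -> bool:
    """Vulnerable pattern: the token's own alg header picks the check, and one key blob serves every algorithm."""
    header, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if alg == "none":
        return True                                           # unsigned token accepted outright
    if alg == "HS256":
        return hs256_ok(signing_input, sig, key["material"])  # public-key bytes silently become an HMAC secret
    raise NotImplementedError("RS256 checking needs a crypto library; the forged tokens below never reach it")

def verify_pinned(token: str, key: dict, expected_alg: str) -> tuple:
    """Hardened pattern: the verifier owns the algorithm decision; the header may only agree with it."""
    header, signing_input, sig = split_token(token)
    alg = header.get("alg")
    if alg != expected_alg:
        return False, f"alg {alg!r} rejected: realm pins {expected_alg}"
    if expected_alg not in ALGS_FOR_KTY.get(key["kty"], ()):
        return False, f"{expected_alg} cannot be verified with a {key['kty']} key"
    if expected_alg == "HS256":
        return hs256_ok(signing_input, sig, key["material"]), "HS256 MAC compared"
    # Assumption: asymmetric verification is delegated to a crypto library and is not part of this example.
    raise NotImplementedError(f"{expected_alg} verification not included in this example")

def find_alg_mismatches(issued_tokens: list, expected_alg: str) -> list:
    """Detection side: (jti, alg) for every issued token whose header alg differs from the realm setting."""
    hits = []
    for tok in issued_tokens:
        header, signing_input, _ = split_token(tok)
        claims = json.loads(b64url_decode(signing_input.decode().split(".")[1]))
        if header.get("alg") != expected_alg:
            hits.append((claims.get("jti"), header.get("alg")))
    return hits

# Constructed realm keys and tokens. The PEM is a placeholder; its bytes are all an HS256 forgery needs.
RSA_REALM_KEY = {"kty": "RSA", "alg": "RS256",
                 "material": b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PUBLIC KEY-----\n"}
OCT_REALM_KEY = {"kty": "oct", "alg": "HS256", "material": b"constructed-shared-secret"}
CLAIMS = {"iss": "https://idp.example/realms/demo", "sub": "realm-admin", "jti": "t1"}
FORGED_HS256 = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, RSA_REALM_KEY["material"])
FORGED_NONE = make_token({"alg": "none", "typ": "JWT"}, dict(CLAIMS, jti="t2"), None)
LEGIT_HS256 = make_token({"alg": "HS256", "typ": "JWT"}, dict(CLAIMS, jti="t3"), OCT_REALM_KEY["material"])

if __name__ == "__main__":
    for name, tok in (("forged HS256", FORGED_HS256), ("forged none", FORGED_NONE)):
        print(name, "naive:", verify_naive(tok, RSA_REALM_KEY), "pinned:", verify_pinned(tok, RSA_REALM_KEY, "RS256"))
    print("legit HS256 on HS256 realm:", verify_pinned(LEGIT_HS256, OCT_REALM_KEY, "HS256"))
    print("alg mismatches on RS256 realm:", find_alg_mismatches([FORGED_HS256, FORGED_NONE], "RS256"))
```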
6. Action Items
- Constrain Gitea act_runner now (§ 2, CVE-2026-58053): on Docker-backed runners, strip or allowlist container.options at the runner policy layer and require approval for external-contributor/fork workflow runs; upgrade to act_runner >= 0.263.0 when released. Public PoC + CVSS 9.4 + the bypass specifically defeats the privileged: false hardening operators rely on.
- Inventory and remediate libssh2 (§ 2, CVE-2026-55200 / -55199): identify embedded libssh2 ≤ 1.11.1 in curl, PHP ssh2, WinSCP/FileZilla and appliances; apply downstream vendor fixes / the patched commits; confirm ASLR is enabled on hosts running SSH-client automation; restrict automation to known SSH endpoints.
- Upgrade Keycloak to 26.6.4 and lock the algorithm allowlist (§ 5, CVE-2026-11800 / -9800): reject none/HS256 where asymmetric signing is expected, audit group-to-realm-admin mappings, keep the admin console off the public internet, and add identity-tier SIEM detections for alg-mismatched token issuance. Red Hat Build of Keycloak: apply the matching RHSA errata.
- Verify Oracle PeopleSoft exposure and hunt for the pivot pattern (§ 1, NAIC): confirm patch status for CVE-2026-35273 (pre-auth RCE in PeopleTools 8.61/8.62) against the in-the-wild campaign, least-privilege PeopleSoft integration/service accounts, and alert on bulk export volumes from PeopleSoft data-bus repositories (DLP + off-hours staging).
- Patch PowerDNS Recursor / DNSdist on the normal change cycle (§ 7): no exploitation reported, but the 2026-08/2026-09 advisories (cache-poisoning / DNSSEC-bypass class) matter for EU/CH government DNS resolvers — upgrade Recursor to 5.2.11 / 5.3.8 / 5.4.3 and DNSdist to 1.9.15 / 2.0.7.
- Tune identity and endpoint detections from § 3 research: add hunts for rrweb/BitM relay indicators against M365/Entra logins (Bluekit), .NET .config files written next to signed PEs (AppDomainManager injection / TinyRCT), COM-based scheduled-task / BITS / WMI activity from unexpected processes (Talos), and review browser-extension governance for <all_urls> extensions (BadBlocker).
7. Verification Notes
- Items dropped — already covered (PD-8):
- Ubiquiti UniFi OS triple-CVE chain (CVE-2026-34908 / -34909 / -34910) — was the full deep dive on 2026-06-24 (including the CISA KEV listing, in-the-wild exploitation and the pre-auth-to-root chain). S1 surfaced it again with no material new delta; not re-reported.
- Turla STOCKSTAY .NET backdoor (Google GTIG, 2026-06-25) — S1 returned the same GTIG primary that was the 2026-06-27 deep dive; no new development, dropped.
- Miasma / "Mini Shai-Hulud" npm worm (LeoPlatform/RStreams wave) — covered as a § 4 UPDATE on 2026-06-27; S3 returned the same Socket.dev analysis with no fresh delta, dropped.
- Vulnerabilities assessed but below the § 2 inclusion bar:
- GitLab CE/EE 19.1.1 / 19.0.3 / 18.11.6 incl. CVE-2026-10712 (Web IDE XSS, CVSS 8.0) — already assessed-and-dropped in the 2026-06-26 and 2026-06-27 briefs (stored XSS, not RCE, no exploitation, below the CVSS-9 gate). Self-managed CH/EU public-sector instances should still update on the normal change cycle (NCSC-NL NCSC-2026-0211).
- PowerDNS Recursor advisory 2026-08 / DNSdist 2026-09 (DNS cache-poisoning / DNSSEC-bypass class, max CVSS 7.5) — no exploitation, no PoC, below the § 2 gate; carried as a normal-cycle patch in § 6 given its relevance to EU/CH government DNS resolvers (PowerDNS, 2026-06-25; BSI WID-SEC-2026-2091).
- Items dropped — outside the recency window (PD-7; window_hours=36, developing 72 h):
- Tata Electronics / World Leaks (Hunters International rebrand) 630 GB leak — primary disclosure 2026-06-24 (~96 h), no fresh in-window development; rolled forward.
- KDDI shared email-platform breach (up to 14.22 M mailbox credentials) — primary 2026-06-24 (~96 h); APAC nexus; the multi-tenant shared-platform lesson noted for a future weekly. Rolled forward.
- River Financial Corp SEC 8-K ransomware disclosure — filing 2026-06-25, [SINGLE-SOURCE] (SEC 8-K/StockTitan only), low CH/EU relevance; rolled forward.
- Items dropped — relevance / novelty:
- SANS ISC "Terrabot" IoT botnet (Mirai/Gafgyt variant exploiting decade-old D-Link / GPON / MVPower flaws) [SINGLE-SOURCE] — pedagogically useful but the campaign exploits ~2016–2018-era vulnerabilities with no new development; dropped to keep signal density.
- Reduced-confidence / attribution items: the Jaguar Land Rover Russian attribution (§ 1) is MEDIUM confidence — sourced to a New York Times investigation relayed via TechCrunch / The Next Web, not an official UK government attribution or a CERT advisory. Reported as the investigators' claim per the fake-news guard.
- Single-source (primary research) items: the Cisco Talos COM-abuse primer (§ 3) is single-source by nature (the lab's own research); included under the primary-research carve-out.
- Contradictions: the Keycloak fixed-version reporting differed across sub-agents (official Keycloak release notes name 26.6.4, 2026-06-26; BSI/GitHub references also cite 26.4.x / 26.6.x backport branches). The brief cites the official Keycloak release-notes version (26.6.4) as authoritative and points Red Hat Build of Keycloak users to the matching RHSA errata.
- Verification remediation (Phase 5.7): an iteration-3 truth finding removed an unsupported claim from the JLR item — the cited TechCrunch / The Next Web articles do not carry the "UK Cyber Monitoring Centre Category-3 systemic event / surpassing WannaCry" wording (and the Evidence quote attributed to The Next Web was not in the source). The supported facts are retained: the investigators'/NYT Russian-attribution framing, the ~six-week production halt, ~£1.9 bn / $2.5 bn economic impact, and 5,000+ affected suppliers. Earlier iterations corrected NAIC granular file counts, the PowerDNS CVE id, the missing PeopleSoft CVE (CVE-2026-35273), and the Bluekit/Varonis source URL and date.
- Sub-agents: all four research sub-agents (S1–S4, Claude Sonnet 4.6) returned within the window (250–665 s).
- Source-health probe: tools/source_health.py did not complete within this run's time budget (full 150-source sweep); the prior snapshot (2026-06-27) is retained and the weekly GitHub Action re-probes. No per-source accessibility action derived this run.
- Coverage gaps: ncsc-ch-security-hub (Week 26 Wochenrückblick HTTP 404 — not yet published; no in-window NCSC-CH post); cert-eu (latest advisory 2026-06-10, out of window); cert-fr / anssi-fr (avis latest 2026-06-18, feed otherwise stale with 2025 items); databreaches-net (per-article drill-down 403 for a fourth consecutive run — transport block, not demoted; the RSS feed served and the stories reached the brief via primary pivots); mandiant-gtig (Feedburner stale/empty — direct article fetch used); sophos-xops (feed 404, no in-window research); dfirreport (feed accessible but all items older than 72 h).