ctipilot.ch

ShinyHunters

actor · actor:shinyhunters single-source

ShinyHunters — financially motivated data-theft group

Coverage timeline: 52 entries, first 2026-05-04 → last 2026-07-03
Entries: 52 (29 distinct days)
Sources cited: 123 (66 hosts)
Sections touched: 12 (e.g. active-threats, deep-dive, trending-vulnerabilities)
Co-occurring entities: 8

Story timeline

  1. 2026-07-03 · active-threats · Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment
  2. 2026-07-01 · deep-dive · Oracle E-Business Suite CVE-2026-46817: pre-auth RCE in the Payments File Transmission servlet, first in-the-wild exploitation
  3. 2026-07-01 · updates · Nissan is the largest named victim yet in the ShinyHunters Oracle PeopleSoft campaign
  4. 2026-06-29 · weekly-long-running · ShinyHunters / UNC6240 Oracle PeopleSoft campaign
  5. 2026-06-29 · weekly-multi-day · ShinyHunters (UNC6240) — one cluster, multiple reported tradecraft paths in one week
  6. 2026-06-29 · weekly-top-stories · NAIC breached through an Oracle PeopleSoft zero-day; ShinyHunters dumps 3.1 TB and US rating-agency feeds stall
  7. 2026-06-29 · weekly-looking-ahead · Looking ahead — 2026-W26
  8. 2026-06-29 · weekly-sector-patterns · Education
  9. 2026-06-28 · active-threats · NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of US insurance-regulatory data and rating-agency feeds pause
  10. 2026-06-27 · active-threats · UK Cyber Monitoring Centre publishes sector review of the Canvas/Instructure LMS breach — 160 universities, ShinyHunters extortion, ransom paid
  11. 2026-06-26 · active-threats · ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden
  12. 2026-06-22 · weekly-multi-day · ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure
  13. 2026-06-22 · weekly-sector-patterns · Public administration — named European institutions and government data in the firing line
  14. 2026-06-22 · weekly-looking-ahead · Looking ahead — 2026-W25
  15. 2026-06-22 · weekly-sector-patterns · Education — exposed CMS and forum software stack a structural risk
  16. 2026-06-22 · weekly-vuln-rollup · CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)
  17. 2026-06-21 · active-threats · Amazon's One Medical confirms a legacy-storage breach; ShinyHunters' 8.8TB claim is unverified and its deadline expires today
  18. 2026-06-20 · active-threats · Kodak confirms breach after ShinyHunters leak-site listing; June 18 deadline passed without publication
  19. 2026-06-16 · updates · Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign
  20. 2026-06-14 · weekly-sector-patterns · Education — ShinyHunters' PeopleSoft campaign lands disproportionately on universities
  21. 2026-06-14 · weekly-top-stories · CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest
  22. 2026-06-14 · weekly-annual-reports · CrowdStrike 2026 Technology Threat Landscape Report — "technology = most-targeted" reads as prophecy against this week's incidents
  23. 2026-06-13 · updates · Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest
  24. 2026-06-13 · trending-vulnerabilities · CVE-2026-48558 — SimpleHelp RMM: unauthenticated OIDC authentication bypass yields a full technician session
  25. 2026-06-12 · updates · ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
  26. 2026-06-11 · deep-dive · ShinyHunters Oracle PeopleSoft campaign: gadget-chain access, SSH default-credential lateral movement, mass exfiltration
  27. 2026-06-05 · updates · ShinyHunters extortion campaign adds DentaQuest — 234 GB published after refusal to pay, 2.6 M dental-benefit records exposed
  28. 2026-06-02 · updates · ShinyHunters publishes the Charter Communications dataset after ransom refusal
  29. 2026-06-01 · weekly-incidents-recap · ShinyHunters — DentaQuest: 234 GB HIPAA claims data published after ransom refusal, 2.6 M Medicaid and dental-benefit records
  30. 2026-06-01 · weekly-sector-patterns · Healthcare — HIPAA breach + healthcare supply-chain exposure
  31. 2026-05-29 · active-threats · Carnival Corporation confirms 5.99 M-record ShinyHunters breach — passport + driver's-licence numbers exposed across four cruise brands
  32. 2026-05-27 · active-threats · ShinyHunters Salesforce campaign — Charter and 7-Eleven both confirm; 7-Eleven count put at ~185,000 affected
  33. 2026-05-25 · weekly-long-running · ShinyHunters Salesforce campaign — 40+ listed victims; Canada Life and Pitney Bowes confirm; the BreachForums extortion channel was previously seized
  34. 2026-05-25 · updates · ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign
  35. 2026-05-19 · active-threats · Grafana Labs CoinbaseCartel breach — victim confirms source-code-only theft, no customer data, ransom rejected
  36. 2026-05-19 · active-threats · 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic
  37. 2026-05-18 · weekly-sector-patterns · Education — virtual-classroom platforms and EdTech SaaS exposure
  38. 2026-05-18 · weekly-incidents-recap · 7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records
  39. 2026-05-16 · active-threats · GTIG: UNC6671 "BlackFile" vishing → AiTM → rogue-MFA → programmatic SharePoint exfiltration of 1M+ files per victim; DLS shutdown signals probable rebrand
  40. 2026-05-13 · updates · Instructure Canvas — US House Homeland Security Committee opens formal investigation; Instructure paid ransom
  41. 2026-05-12 · updates · Instructure (Canvas LMS) — ransom paid to ShinyHunters with "shred logs"; second intrusion confirmed; per-institution leak deadline reset to today
  42. 2026-05-11 · weekly-long-running · TeamPCP / Mini Shai-Hulud (ShinyHunters / WorldLeaks adjacent) — wave 4 + framework leak + IDE persistence
  43. 2026-05-11 · weekly-multi-day · TeamPCP / Mini Shai-Hulud npm supply-chain worm — wave 4 + framework source leak
  44. 2026-05-11 · weekly-long-running · Canvas / Instructure — ShinyHunters / WorldLeaks ransom-paid, US House investigation
  45. 2026-05-11 · weekly-multi-day · Canvas / Instructure extortion — ransom paid, US House investigation, second-intrusion vulnerability re-exploited
  46. 2026-05-10 · updates · Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9
  47. 2026-05-09 · active-threats · Inditex (Zara) — ShinyHunters publishes 140 GB; 197,400 EU customer records confirmed via third-party analytics compromise
  48. 2026-05-04 · weekly-multi-day · ShinyHunters / WorldLeaks — week-long cross-incident operator activity touching Inditex, Vimeo, ADT, and Instructure / Canvas
  49. 2026-05-04 · weekly-long-running · ShinyHunters / WorldLeaks family (financial-data extortion, third-party-SaaS pivot)
  50. 2026-05-04 · weekly-looking-ahead · Looking ahead — 2026-W19
  51. 2026-05-04 · weekly-annual-reports · Europol IOCTA 2026
  52. 2026-05-04 · weekly-multi-day · Canvas / Instructure breach — five-day arc from first claim to seven Dutch universities executing emergency disconnects

Where this entity is cited

  • active-threats: 12
  • updates: 10
  • weekly-multi-day: 6
  • weekly-sector-patterns: 6
  • weekly-long-running: 5
  • weekly-looking-ahead: 3
  • weekly-annual-reports: 2
  • weekly-incidents-recap: 2
  • deep-dive: 2
  • weekly-top-stories: 2
  • trending-vulnerabilities: 1
  • weekly-vuln-rollup: 1

Source distribution

  • bleepingcomputer.com: 16 (13%)
  • securityweek.com: 12 (10%)
  • theregister.com: 7 (6%)
  • attack.mitre.org: 6 (5%)
  • securityaffairs.com: 4 (3%)
  • cloud.google.com: 3 (2%)
  • techcrunch.com: 3 (2%)
  • therecord.media: 3 (2%)
  • other: 69 (56%)

Entries about ShinyHunters (52)

2026-07-03

Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment

high incident discovered 2026-07-03 04:48 UTC

Medical-device manufacturer Medtronic began notifying customers on 2026-07-02 of a breach the ShinyHunters extortion group first claimed in April. Medtronic's investigation found that an unauthorized actor accessed certain corporate IT systems between 2026-04-13 and 2026-04-19; the company noticed unusual activity on 2026-04-15. ShinyHunters listed the company on its leak portal on 2026-04-18, claiming ~9 million records (names, contact details, dates of birth, Social Security numbers, health-related information), and later pulled the entry, which is consistent with the group's pattern after a ransom is paid (BleepingComputer, 2026-07-02). Medtronic states it found "no evidence" the data was published, and that the compromised corporate systems were segregated from device-operating networks, so therapy delivery was unaffected (The Register, 2026-07-02). No initial-access vector is disclosed.

The attribution rests on the leak-site listing: it is the same ShinyHunters brand behind the recent Salesforce/PeopleSoft-adjacent extortion wave (Nissan, NAIC; see prior coverage), but the Medtronic event is a corporate-IT compromise rather than the SaaS-integration pattern seen elsewhere, and the sources do not confirm shared tradecraft.

“The investigation determined that from April 13 to April 19, 2026, an unauthorized actor accessed certain Medtronic corporate IT systems.” — BleepingComputer

“Based on our investigation, this incident did not impact the ability of any Medtronic device to operate safely and deliver intended therapy.” — The Register

data-breach organized-crime us global

2026-07-01

Oracle E-Business Suite CVE-2026-46817: pre-auth RCE in the Payments File Transmission servlet, first in-the-wild exploitation

notable vulnerability discovered 2026-07-01 04:41 UTC deep dive

What it is. CVE-2026-46817 (CVSS 9.8) is an unauthenticated remote-code-execution flaw in the File Transmission component of Oracle Payments, part of Oracle E-Business Suite, affecting EBS 12.2.3 through 12.2.15. The reporting characterises it as allowing "remote, unauthenticated attackers to take over Oracle Payments" with only HTTP network access and a low-complexity attack. Oracle fixed it in the May 2026 Critical Patch Update (SecurityAffairs, 2026-06-30).

Exploitation status. Threat-intel firm Defused reported the first confirmed in-the-wild exploitation against its Oracle EBS honeypots, with the first attempts observed over the weekend of 27–28 June 2026 — roughly six weeks after the patch, and the flaw had "no known previous exploitation and no public POC code" until that point (BleepingComputer, 2026-06-29). Defused did not publicly disclose the technical mechanics of the observed attacks or the attackers' motivation, and no named threat cluster has been attributed. The operationally important signals are therefore the timeline and exposure, not a public exploit: a critical pre-auth flaw in a widely-deployed ERP moved from "patched, no known exploitation" to "exploited in the wild" without a public PoC, which is the pattern that turns unpatched internet-facing estates into targets fastest. Oracle's statement notes it "continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches."

Exposure surface. Shadowserver tracks over 450 internet-exposed Oracle EBS instances, with nearly 200 across the United States and Europe (BleepingComputer, 2026-06-29). Patch-adoption six weeks after the May CPU is unknown, so a meaningful exposed-and-unpatched population is plausible. EBS Payments/financial modules are common in government, higher-education and large-enterprise finance back offices — high-value data behind an internet-reachable application tier.

Why this product line draws attacker interest. Oracle back-office suites have become a recurring extortion target: this flaw lands while the separate, still-active ShinyHunters Oracle PeopleSoft campaign (§ 4, CVE-2026-35273) continues to acquire named victims. Two distinct Oracle enterprise product lines under active exploitation in the same window is the signal for defenders to treat all internet-facing Oracle application tiers as priority patch-and-isolate targets, not just the specific CVE.

ATT&CK, hunt and hardening. The observable stage is unauthenticated exploitation of an internet-facing application (T1190 Exploit Public-Facing Application). Because the exploit mechanics are not public, prioritise patch verification and exposure reduction over signature-based hunting: confirm the May 2026 Critical Patch Update is applied to every EBS 12.2.x instance; remove EBS / Oracle Payments web interfaces from public internet reachability, fronting them with authenticated VPN or restricting to internal networks; and review the Oracle Payments web tier's access logs for anomalous unauthenticated HTTP requests, treating any exposed, unpatched instance as potentially already-probed given the pre-PoC exploitation timing.


vulnerabilities actively-exploited pre-auth rce global europe CVE-2026-46817

2026-07-01

Nissan is the largest named victim yet in the ShinyHunters Oracle PeopleSoft campaign

UPDATE — originally covered NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of US insurance-regulatory data and rating-agency feeds pause (2026-06-28)

high vulnerability discovered 2026-07-01 04:41 UTC

UPDATE (originally covered 2026-06-28 as the NAIC breach): Nissan disclosed that current and former employees' data was exposed via CVE-2026-35273, the Oracle PeopleSoft PeopleTools pre-auth flaw exploited as a zero-day between 2026-05-27 and 2026-06-09 as part of the wider ShinyHunters campaign (SecurityWeek, 2026-06-30). The exposure spans current and former employees in the US, Canada, Mexico and Brazil, potentially including Social Security numbers, banking/direct-deposit information and tax records.

This is a materially different victim profile from the previously covered NAIC breach (employee HR/payroll PII rather than regulatory data), showing the campaign spreading across both regulatory-body and corporate-HR PeopleSoft deployments. As mitigation, Nissan restricted pay-slip viewing and direct-deposit changes to company-network/VPN-authenticated sessions and is offering credit/dark-web monitoring (BleepingComputer, 2026-06-29). ShinyHunters' self-reported scale of "over 300 PeopleSoft instances across ~100 organizations" is an unverified actor claim; report it as the actor's claim, not as confirmed fact. No new technical detail beyond victim-count expansion; the operative guidance from the 2026-06-28 NAIC item stands (patch CVE-2026-35273; remove internet-exposed PeopleSoft PeopleTools from public reachability).


data-breach vulnerabilities actively-exploited global CVE-2026-35273

2026-06-29

Looking ahead — 2026-W26

notable outlook discovered 2026-06-29 00:21 UTC

A focused, justified list — items already in motion, not predictions.

  • ShinyHunters PeopleSoft notifications are still landing — expect more named European education and public-finance victims. GTIG has notified ~100 organisations (68% higher education) and NAIC is the fresh high-profile case; patch internet-reachable PeopleSoft and hunt /PSEMHUB/ and /PSIGW/HttpListeningConnector. (Google GTIG; daily 06-28)
  • FortiBleed is not a one-and-done credential reset — full AD domain takeover is now confirmed at a NATO-aligned contractor. Finish session termination and credential rotation, then hunt for post-compromise AD persistence (Kerberos abuse, DCSync, DFS-backup exfiltration) rather than assuming the reset closed it. (CISA; daily 06-24)
  • The Klue/Icarus extortion surface is multiplying after the "resolution" — a second group is now extorting ~195 listed organisations. Any firm with a Klue/Salesforce integration should expect renewed extortion contact regardless of Icarus's stated data deletion; complete OAuth-grant revocation and CRM-egress monitoring. (SecurityWeek; daily 06-27)
  • CRA Single Reporting Platform go-live is ~75 days out (11 September); ENISA's dry-run schedule is due now. In-scope manufacturers — including Swiss exporters to the EU — should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised breach-notification template consultation closes 5 August. Still open with no in-window change; multi-jurisdiction breach-response owners have a closing window to comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the week's Miasma worm wave is the reminder to audit CI now. Miasma's postinstall-and-SessionStart-hook propagation is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines and AI-coding-tool hook configs that rely on build scripts. (Socket; daily 06-27)
  • libssh2 CVE-2026-55200 has a public PoC and an upstream fix commit, but tagged releases lag across the binding ecosystem — track the embedded-dependency fix pipeline. Inventory appliances, tooling and language bindings that ship libssh2 and chase each vendor's release rather than assuming a single library bump closes it. (NCSC-NL; daily 06-28)
  • Scattered Spider TfL sentencing is set for 16 July. First UK court outcome on the campaign; the vishing/social-engineering TTP precedent is directly relevant to European transport and public-sector identity-desk hardening. (UK NCA; daily 06-23)

cloud global

2026-06-29

ShinyHunters / UNC6240 Oracle PeopleSoft campaign

notable synthesis discovered 2026-06-29 00:21 UTC

The campaign behind the § 1 NAIC breach. GTIG/Mandiant attributes to UNC6240 an active zero-day exploitation of Oracle PeopleSoft (CVE-2026-35273) between May 27 and June 9, predating Oracle's advisory; staging environments deployed customised MeshCentral agents masquerading as cloud endpoints, then ran a per-victim [victim]_fanout.sh lateral-movement-and-defacement script (Google GTIG). ~300 PeopleSoft instances compromised, ~100 organisations notified, 68% higher education, with the University of Nottingham among the first named public victims (SecurityWeek). The status this week: NAIC confirmed (§ 1), and notifications are still landing, so more European education and public-finance victims are likely. The weekly lens: this is ShinyHunters operating as a zero-day-capable ERP attacker — a capability shift from the brand's 2021–2024 credential-stuffing persona. Outstanding question: which EU universities running PeopleSoft are in the un-notified tail.


data-breach zero-day actively-exploited organized-crime global us europe CVE-2026-35273

2026-06-29

Education

notable synthesis discovered 2026-06-29 00:21 UTC

Education was a structural victim class. The ShinyHunters Canvas/Instructure breach hit 160 UK universities per the UK CMC sector review (ransom paid, limited downstream damage). The unpatched ILIAS 11.0 SQL-injection (CVE-2026-12789, PoC-public, no patch) directly exposes the DACH learning-management estate, and self-hosted Gitea CI (§ 3) is concentrated in universities. The common thread: education runs exposed CMS/LMS/forum and developer stacks with thin operational security.

data-breach vulnerabilities sqli uk dach europe

2026-06-29

ShinyHunters (UNC6240) — one cluster, multiple reported tradecraft paths in one week

notable synthesis discovered 2026-06-29 00:20 UTC

The week is a compact case study in how a single extortion cluster's reported activity spans very different initial-access tradecraft. The two firmly UNC6240-attributed events are the Oracle PeopleSoft zero-day behind the NAIC breach (GTIG/Mandiant attribution, § 1) and the April 2026 Instructure Canvas LMS breach, whose UK Cyber Monitoring Centre sector review landed 06-27 (160 UK universities, extortion, ransom paid). Alongside them, 404 Media's reconstruction (06-26) showed the Madison Square Garden intrusion began with a single vishing call into the company's identity platform — the operator phoned a low-level employee and talked them through authorising access; the 404 Media account documents the technique but names no actor, and the ShinyHunters link rests on the operators' own claims and the SSO-vishing TTP overlap Abnormal Security attributes to the cluster.

The cross-day pattern matters more than any single victim: a server-side zero-day, a SaaS-platform compromise and SSO-targeting vishing all appear under (or adjacent to) one extortion banner in one week, so defending against this cluster is not a single control. It is externally-reachable enterprise-app patching/hunting, third-party SaaS exposure management, and help-desk/identity-platform vishing resistance (callback verification, no MFA-reset-on-call) — all at once. (daily 06-26, daily 06-27, daily 06-28)

organized-crime data-breach identity phishing uk us europe

2026-06-29

NAIC breached through an Oracle PeopleSoft zero-day; ShinyHunters dumps 3.1 TB and US rating-agency feeds stall

high synthesis discovered 2026-06-29 00:20 UTC

If you did nothing this week: any internet-reachable Oracle PeopleSoft instance is a live pre-auth foothold — the same zero-day path that put the US National Association of Insurance Commissioners into ShinyHunters' hands, and PeopleSoft is widely deployed across European public administration, higher education and HR/finance back offices. The W25 looking-ahead flagged that ShinyHunters PeopleSoft notifications were still landing and that EU universities were a probable next-named class; NAIC is the fresh high-profile confirmation that the campaign is still acquiring victims.

NAIC — the standard-setting body for all 50 US state insurance regulators — confirmed on 2026-06-26 that an unauthorised party reached its environment on June 11 via an Oracle PeopleSoft vulnerability, then pivoted from PeopleSoft to temporary access to data-storage areas. ShinyHunters claims 3.1 TB exfiltrated (TechRadar, Insurance Journal). The operational tell is the downstream impact NAIC itself disclosed: credit-rating agencies paused their data feeds and NAIC suspended assigning designations to insurer investments, a regulatory-process outage rather than only a data-confidentiality event. This is the same PeopleSoft exploitation wave (CVE-2026-35273, the unauthenticated RCE in PeopleTools Environment Management) that Google GTIG attributes to UNC6240/ShinyHunters and has been tracking against the education sector, where 68% of identified targets were higher-education institutions. Treat any externally reachable PeopleSoft portal (/PSEMHUB/, /PSIGW/HttpListeningConnector) as a hunt target, not a patch-later item. (daily 06-28)

“Unauthorized access to a portion of the NAIC's environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas.” — NAIC

“Due to the incident, certain credit rating agencies have paused their data feeds and consequently, the NAIC has temporarily suspended assigning designations to insurer investments.” — NAIC

data-breach zero-day actively-exploited organized-crime us europe CVE-2026-35273

2026-06-28

NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of US insurance-regulatory data and rating-agency feeds pause

high incident discovered 2026-06-28 05:05 UTC

The National Association of Insurance Commissioners (NAIC) — the US standard-setting body governing all 50 state insurance regulators — confirmed on 2026-06-26 that an unauthorised party gained access to part of its environment on 2026-06-11 by exploiting an Oracle PeopleSoft vulnerability that was unknown to the vendor at the time, then used the PeopleSoft foothold to obtain credentials that pivoted into NAIC data-storage areas (NAIC, 2026-06-26). The flaw is reported as CVE-2026-35273, a critical unauthenticated remote-code-execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 (Insurance Business Mag, 2026-06-24). NAIC states the access path has since been blocked and remediated and that the FBI plus external forensics are engaged. The extortion group ShinyHunters claimed responsibility on 2026-06-18 and by 2026-06-25 had published the data, which corroborating reporting puts at ~3.1 TB (TechRadar, 2026-06-26); the corpus is reported to include insurer statutory financial-reporting documents and files from major credit-rating agencies (Insurance Journal, 2026-06-25). NAIC says it has not confirmed ShinyHunters' claim to have taken SERFF, OPTins, UCAA, EDP and RDC, and that employee PII, EFT, policyholder and producer data were not accessed. The operationally significant consequence: several rating agencies paused their data feeds to NAIC, forcing it to temporarily suspend assigning investment-risk designations to insurer portfolios — a direct disruption to US insurance-sector solvency monitoring. The incident is reported as part of a broader PeopleSoft campaign affecting 100+ organisations (Insurance Business Mag, 2026-06-24).

Why it matters to us: Oracle PeopleSoft is widely deployed for HR/finance in European and Swiss public-sector and large enterprises; the kill chain here is T1190 (exploit a public-facing PeopleSoft app) → T1078 (abuse the obtained credentials/session to pivot to data stores) → T1567 (web-service exfiltration). Verify PeopleSoft patch status against the in-the-wild zero-day campaign, segment PeopleSoft data-bus/integration accounts to least privilege, and put DLP/volume alerting on bulk export from PeopleSoft repositories. EU/Swiss insurance supervisors (EIOPA, national NCAs) and reinsurers whose data is in the rating-agency corpus should treat affected feeds as potentially tampered until NAIC confirms integrity restoration.
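Added example (my code, not ctipilot's, Oracle's or GTIG's) that operationalises two of the defensive actions the briefs call for: the W26 looking-ahead item's hunt for requests to /PSEMHUB/ and /PSIGW/HttpListeningConnector on internet-reachable PeopleSoft portals, and this item's volume alerting on bulk export from PeopleSoft. It assumes the PeopleSoft web tier, or the reverse proxy in front of it, writes Apache/NCSA combined-format access logs; it treats RFC 1918 and loopback sources as internal and uses an illustrative 500 MiB per-client threshold, both of which are assumptions to tune per estate. The sample log lines are constructed and the non-hunt paths in them are placeholders, not routes from any real incident.

```python
"""Hunt PeopleSoft web-tier access logs for the two paths named in the brief
and for bulk egress to a single external client.

Added example; not ctipilot's, Oracle's or GTIG's code. Assumes Apache/NCSA
combined-format logs; threshold, internal ranges and sample lines are
assumptions/constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Paths the brief names as hunt targets on externally reachable PeopleSoft portals.
HUNT_PATHS = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Illustrative per-client byte budget for "bulk export" alerting (assumption; tune per estate).
BULK_EGRESS_BYTES = 500 * 1024 * 1024

# What counts as "internal" (assumption: RFC 1918 plus loopback). Explicit networks are
# used rather than ipaddress.is_private, which also flags documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Apache/NCSA combined log line: client identd user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return a dict for a well-formed access-log line, or None for anything else."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    # Match on the path only, so a query string cannot hide a hunt path.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_external(ip):
    """True unless the client address falls in an INTERNAL_NETS range.
    An unparseable source field is treated as external (conservative for alerting)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return not any(addr in net for net in INTERNAL_NETS)


def is_hunt_path(path):
    """Case-insensitive prefix match, so lower-cased probes like /psemhub/ are not missed."""
    lowered = path.lower()
    return any(lowered.startswith(p.lower()) for p in HUNT_PATHS)


def hunt(lines):
    """Return every hunt-path request (any source, any status: a 404 probe is still a
    reconnaissance signal) and the external clients whose summed 200-OK response
    bytes reach BULK_EGRESS_BYTES."""
    path_hits = []
    egress = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_hunt_path(rec["path"]):
            path_hits.append(rec)
        if rec["status"] == 200 and is_external(rec["ip"]):
            egress[rec["ip"]] += rec["bytes"]
    bulk = {ip: total for ip, total in egress.items() if total >= BULK_EGRESS_BYTES}
    return {"path_hits": path_hits, "bulk_egress": bulk}


# Constructed sample lines (not from any real incident); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for internet clients.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2026:08:01:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18422 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2026:08:03:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.32"',
    '203.0.113.7 - - [11/Jun/2026:08:03:11 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 2048 "-" "python-requests/2.32"',
    '203.0.113.7 - - [11/Jun/2026:08:03:12 +0000] "GET /psemhub/hub?probe=1 HTTP/1.1" 404 - "-" "python-requests/2.32"',
    '198.51.100.9 - - [11/Jun/2026:08:30:00 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?export=1 HTTP/1.1" 200 314572800 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [11/Jun/2026:08:41:00 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?export=2 HTTP/1.1" 200 314572800 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for hit in result["path_hits"]:
        origin = "EXTERNAL" if is_external(hit["ip"]) else "internal"
        print(f"hunt-path hit ({origin}): {hit['ip']} {hit['method']} {hit['path']} -> {hit['status']}")
    for ip, total in result["bulk_egress"].items():
        print(f"bulk egress: {ip} received {total / 2**20:.0f} MiB in 200-OK responses")
```

Run it against the real access logs of any PeopleSoft instance that was internet-reachable during the 2026-05-27 to 2026-06-09 zero-day window. A single external hit on either hunt path is worth a ticket regardless of status code; the byte threshold is only a starting point, and per-path or per-session baselines from a quiet week will be better than one fixed number.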

“Unauthorized access to a portion of the NAIC's environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas.” — NAIC

“Due to the incident, certain credit rating agencies have paused their data feeds and consequently, the NAIC has temporarily suspended assigning designations to insurer investments.” — NAIC

data-breach zero-day actively-exploited organized-crime us europe

2026-06-27

UK Cyber Monitoring Centre publishes sector review of the Canvas/Instructure LMS breach — 160 universities, ShinyHunters extortion, ransom paid

notable incident discovered 2026-06-27 05:17 UTC

The UK Cyber Monitoring Centre (CMC) published a post-incident sector review on 2026-06-25 of the April 2026 ShinyHunters (UNC6240) breach of Instructure's Canvas learning-management platform, which affected roughly 160 UK higher-education institutions (Computer Weekly, 2026-06-25). Attackers exfiltrated usernames, email addresses, course/enrolment data and student IDs, then pursued extortion by publishing victim lists, disrupting LMS access and defacing virtual learning environments; Instructure reportedly paid an undisclosed sum to have the stolen data destroyed (Computer Weekly, 2026-06-25), though Instructure's own incident statement describes only reaching an agreement and receiving deletion logs, without confirming a monetary payment (Instructure incident update). The CMC found no evidence of lateral movement into institutional networks but flagged residual phishing risk from the exfiltrated student/staff identity data. Its hardening recommendations are directly transferable: separate application and data layers to support clean recovery; inventory and contractually govern dependencies on offshore SaaS providers not subject to local law; and rehearse breach/business-continuity scenarios in tabletop exercises. Defender takeaway: Canvas is deployed at Swiss universities, German Hochschulen and Austrian Fachhochschulen; the same exfiltrated-identity → downstream-phishing risk applies. Education-sector SOCs should treat a third-party LMS breach as a phishing-enablement event for their entire student/staff population and pre-stage user comms, not only assess data-loss scope.

data-breach organized-crime supply-chain uk europe

2026-06-26

ShinyHunters used a single vishing call into the company's identity platform to breach Madison Square Garden

high incident discovered 2026-06-26 04:54 UTC

404 Media's review of the stolen Madison Square Garden data and the attackers' own account confirm the intrusion began with a vishing call — the operators phoned a low-level employee and talked them into letting them into MSG's systems (404 Media, 2026-06-24). Reporting attributes the breach to ShinyHunters; after MSG missed a 15 June ransom deadline, roughly 45 GB / 26M+ records were published (The Next Web, 2026-06-16). The wider pattern this fits — and the one worth detecting — is the vishing → identity-platform (Entra/Okta) → MFA-enrollment → SSO-pivot chain that Abnormal Security documents generically: an IT-impersonation call manufacturing MFA-reset urgency, real-time credential and one-time-code capture on a tenant-branded phishing page, enrollment of an attacker-controlled MFA device, then a pivot into connected SaaS (Abnormal Security, 2026-02-06). Maps to T1566.004 (vishing), T1078.004 (cloud accounts), and T1556.006 (MFA manipulation).

Why it matters to us: the victim is a US private entity, but the kill chain is identity-platform-agnostic and lands the same way against EU public-sector Entra/Okta tenants. Hunt Entra audit logs for new MFA-method registration events correlated with anomalous sign-in geo/user-agent and post-enrollment impossible-travel risk events; the durable control is phishing-resistant FIDO2/passkey MFA that cannot be relayed in real time, plus Conditional Access requiring a compliant device for MFA enrollment.
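A minimal version of the Entra hunt described above, added here as an example (not code from the original entry or from Abnormal Security): it correlates each new MFA-method registration with a sign-in in the preceding hour whose country or user agent departs from that user's own baseline. The record shape is a constructed, simplified stand-in for Entra ID sign-in and audit logs, so the field names and the activity string are assumptions.

```python
"""Hunt: MFA-method registration preceded by an anomalous sign-in.
Added example, not from the original entry or from Abnormal Security; the
records are a constructed, simplified stand-in for Entra ID sign-in and
audit logs, so field names and the activity string are assumptions."""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)       # sign-in must land within this before enrollment
BASELINE_AGE = timedelta(hours=24)   # older sign-ins define the user's normal profile

def _ts(s):
    return datetime.fromisoformat(s)

def baseline(signins, user, before):
    """Countries and user agents the user used before `before`."""
    old = [s for s in signins if s["user"] == user and _ts(s["time"]) < before]
    return {s["country"] for s in old}, {s["ua"] for s in old}

def hunt_mfa_enrollment(signins, audits):
    """One finding per MFA registration that follows an anomalous sign-in."""
    findings = []
    for a in audits:
        if "registered security info" not in a["activity"].lower():
            continue
        t = _ts(a["time"])
        countries, uas = baseline(signins, a["user"], t - BASELINE_AGE)
        if not countries:
            continue  # no history at all: onboarding, nothing to compare against
        for s in signins:
            if s["user"] != a["user"] or not (t - WINDOW <= _ts(s["time"]) <= t):
                continue
            reasons = []
            if s["country"] not in countries:
                reasons.append(f"new country {s['country']}")
            if s["ua"] not in uas:
                reasons.append(f"new user agent {s['ua']}")
            if reasons:
                findings.append({"user": a["user"], "enrolled": a["time"],
                                 "signin": s["time"], "reasons": reasons})
    return findings

# Constructed sample: a.muster normally signs in from CH with Edge, then a sign-in from
# a new country and client precedes a new MFA method by minutes; b.beispiel enrols from
# a normal session; c.neu has no history yet and is therefore not scored.
SIGNINS = [
    {"time": "2026-06-10T08:00:00", "user": "a.muster", "country": "CH", "ua": "Edge/125"},
    {"time": "2026-06-12T14:02:00", "user": "a.muster", "country": "NG", "ua": "curl/8.6"},
    {"time": "2026-06-10T09:00:00", "user": "b.beispiel", "country": "CH", "ua": "Edge/125"},
    {"time": "2026-06-12T14:30:00", "user": "b.beispiel", "country": "CH", "ua": "Edge/125"},
    {"time": "2026-06-12T15:00:00", "user": "c.neu", "country": "CH", "ua": "Edge/125"},
]
AUDITS = [
    {"time": "2026-06-12T14:09:00", "user": "a.muster", "activity": "User registered security info"},
    {"time": "2026-06-12T14:40:00", "user": "b.beispiel", "activity": "User registered security info"},
    {"time": "2026-06-12T15:05:00", "user": "c.neu", "activity": "User registered security info"},
]
```

On the sample data only a.muster is flagged, with both a new country and a new user agent; the user with no prior sign-ins is deliberately skipped rather than scored as anomalous.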

phishing identity data-breach organized-crime us global

2026-06-22

Looking ahead — 2026-W25

notable outlook discovered 2026-06-22 00:15 UTC

A focused, justified list — items already in motion, not predictions.

  • RoguePlanet (CVE-2026-50656) has no patch and a PoC that works on June builds — watch MSRC for an out-of-band fix. Microsoft says a fix is "in development" with no timeline; the researcher warns mitigations are not reliable. Decide now whether to hold for July Patch Tuesday or push application allowlisting as an interim control. (MSRC; daily 06-19)
  • FortiBleed credential resets are not a one-and-done — expect more named victims and AD-persistence findings. CISA confirmed full AD domain takeover at multiple organisations; finish session termination, credential rotation and PBKDF2 migration, then hunt for post-compromise persistence rather than assuming the reset closed it. (SecurityWeek; daily 06-20)
  • ShinyHunters PeopleSoft notifications are still landing — more European victims are likely. Google GTIG has notified 100+ organisations (68% higher education); EU universities are a probable next-named class. Patch internet-reachable PeopleSoft and hunt the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths. (daily 06-16)
  • CRA Single Reporting Platform go-live is ~82 days out (11 September). ENISA's access manual and a dry-run window are due now; in-scope manufacturers (including Swiss exporters to the EU) should register and wire the 24/72-hour reporting flow into their PSIRT process before the obligation binds. (ENISA SRP)
  • EDPB Article 33 harmonised-template consultation closes 5 August. Multi-jurisdiction breach-response owners have a window to review and comment before the EDPB sets a mandatory-adoption timeline. (EDPB)
  • npm v12 will disable install scripts by default — the Mastra compromise is this week's reminder to audit CI before the change. Sapphire Sleet's postinstall dropper is exactly the kill chain --ignore-scripts / npm v12 defaults neutralise; inventory pipelines that rely on build scripts now. (Microsoft; daily 06-21)
  • France's NIS2 transposition remains unresolved into late 2026. Organisations with French counterparts should track the next parliamentary session; NIS2-derived notification flows from French partners are not yet enforceable. (Viktoria Compliance)

vulnerabilities global

2026-06-22

Education — exposed CMS and forum software stack a structural risk

notable synthesis discovered 2026-06-22 00:14 UTC

Education entities sat under two pressures this week: the continuing ShinyHunters PeopleSoft campaign that W24 documented landing disproportionately on universities, and a cluster of critical web-application CVEs in software ubiquitous across European universities and student communities — JCE for Joomla (CVE-2026-48907, exploited), phpBB (CVE-2026-48611), Drupal core (CVE-2026-55803, BSI critical) and LiteSpeed shared-hosting (CVE-2026-54420, exploited), all in § 3. The pattern is not a single incident but an attack-surface concentration: the open-source CMS/forum/hosting stack that the education sector runs widely all took critical, partly-exploited disclosures in one week.

vulnerabilities data-breach europe global

2026-06-22

Public administration — named European institutions and government data in the firing line

notable synthesis discovered 2026-06-22 00:14 UTC

The public sector again carried high-severity activity on multiple vectors. The Council of Europe — a Strasbourg human-rights body of which Switzerland is a member — was named in the ShinyHunters PeopleSoft campaign (§ 2). Iran-aligned Handala breached California Water Service through an internet-exposed RTKBase GNSS platform, leaking billing PII for ~2M customers though without OT access (SecurityWeek, 2026-06-14; daily 06-15). Texas Parks & Wildlife disclosed a third-party-vendor breach exposing 3.08M licence holders' names and driver's-licence numbers (BleepingComputer, 2026-06-18; daily 06-21). And the recurring lesson for CH/EU administration is the PTC Windchill emergency (§ 1), where the BSI's after-hours calls underline how government CERTs are now treating internet-exposed public-sector and industrial software.

data-breach hacktivism iran-nexus us europe

2026-06-22

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)

notable vulnerability discovered 2026-06-22 00:14 UTC

Oracle's June Critical Security Patch Update shipped 245 fixes on 2026-06-17, around 100 remotely exploitable without authentication, headlined by an unauthenticated Solaris Remote Administration Daemon flaw (CVE-2026-46978, CVSS 10.0) and a PeopleSoft RCE (CVE-2026-35278, 9.8) (Oracle CSPU; daily 06-18). The PeopleSoft fix lands in the middle of the ShinyHunters PeopleSoft campaign (§ 2) — prioritise PeopleSoft and any internet-reachable Solaris RAD instances.

vulnerabilities rce pre-auth patch-available global CVE-2026-46978 CVE-2026-35278

2026-06-22

ShinyHunters extortion brand — Council of Europe named, Kodak and One Medical added to the leak-site pressure

high synthesis discovered 2026-06-22 00:14 UTC

The ShinyHunters extortion brand (the data-theft cluster Google tracks as UNC6240) ran on two fronts this week. The technical core remains the Oracle PeopleSoft zero-day campaign (CVE-2026-35273) consolidated in the W24 weekly, and Google's Threat Intelligence Group sharpened it this week: GTIG's analysis confirms UNC6240 exploited the flaw between 27 May and 9 June as a zero-day, has notified 100+ organisations (68% in higher education), and documented the TTPs — JSP shell implant, a customised MeshCentral agent masquerading as Azure cloud endpoints, [victim]_fanout.sh SSH credential-spraying and zstd-compressed exfiltration (Google GTIG). On 2026-06-16 ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body of which Switzerland is a member — claiming roughly 297 GB exfiltrated; per W1's assessment it is the only named European-institution victim in the campaign to date (SecurityWeek, 2026-06-16; daily 06-16). In parallel the brand expanded its leak-site extortion pressure beyond PeopleSoft: Eastman Kodak confirmed on 2026-06-17 that "an unauthorized third party illegally gained access to a limited amount of company data" after a ShinyHunters listing (SecurityWeek, 2026-06-19; daily 06-20), and Amazon's One Medical confirmed a legacy third-party file-storage breach while ShinyHunters' unverified 8.8 TB claim ran a deadline that expired 2026-06-21 (BankInfoSecurity, 2026-06-20; daily 06-21).

The cross-day pattern for a CH/EU SOC: the same brand is simultaneously running a confirmed enterprise-SaaS zero-day (PeopleSoft, vendor-confirmed) and a higher-noise leak-site operation where claims (Kodak data volume, the One Medical 8.8 TB figure) are attacker-asserted and partly unverified. Triage the two differently — the PeopleSoft exposure is a patch-and-hunt emergency for internet-reachable instances; the leak-site listings warrant victim-notification monitoring but the headline data volumes should be treated as unconfirmed until the victim corroborates.

data-breach organized-crime espionage global europe

2026-06-21

Amazon's One Medical confirms a legacy-storage breach; ShinyHunters' 8.8TB claim is unverified and its deadline expires today

notable incident discovered 2026-06-21 04:54 UTC single-source

One Medical (Amazon) confirmed on 2026-06-13 that an unauthorised party accessed a legacy third-party file-storage system retaining archived records for One Medical Seniors (formerly Iora Health), during a 2026-06-08 to 2026-06-11 window, affecting demographic and clinical records for patients at nine clinics (BankInfoSecurity, 2026-06-19). One Medical states the breach is confined to that legacy system. Separately, ShinyHunters claims theft of 8.8 TB and set a 2026-06-22 negotiation deadline — today — but the company has not confirmed ShinyHunters' involvement or the data volume, and no sample has been released to validate the claim. [SINGLE-SOURCE]

data-breach organized-crime us

2026-06-20

Kodak confirms breach after ShinyHunters leak-site listing; June 18 deadline passed without publication

notable incident discovered 2026-06-20 05:12 UTC

Eastman Kodak acknowledged on 17 June 2026 that "an unauthorized third party illegally gained access to a limited amount of company data," after ShinyHunters listed it on their dark-web leak site on 15 June claiming 2.2 million PII records and set an 18 June contact deadline (SecurityWeek, 2026-06-18; BleepingComputer, 2026-06-17). As of the deadline ShinyHunters had not published samples — consistent with the group's pattern of withholding proof to maximise leverage. Kodak did not disclose the access vector; ShinyHunters' 2026 campaign has leaned on misconfigured Salesforce Experience/Aura guest-user access, Oracle PeopleSoft (CVE-2026-35273) and Snowflake credential stuffing across 100+ victims, with the group claiming a 1.5-billion-record Salesforce corpus (BleepingComputer, 2026-06-17).

data-breach organized-crime us global

2026-06-16

Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign

UPDATE — originally covered ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records (2026-06-12)

high vulnerability discovered 2026-06-16 05:09 UTC

UPDATE (originally covered 2026-06-12/2026-06-13): ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body, of which Switzerland is a member — claiming 297 GB across ~429,000 files taken via the Oracle PeopleSoft Environment Management Hub zero-day CVE-2026-35273, and set a 16 June leak deadline (SecurityWeek, 2026-06-15). This is the first European intergovernmental institution named in the 100+-organisation PeopleSoft campaign previously covered as an education-sector wave.

The claimed dataset spans payroll for 10,000+ current and former staff (2011–2026), 14,000+ CVs, and HR records with names, dates of birth, addresses, bank-account, tax/social-security and medical data. The Council of Europe confirmed it "is currently investigating the matter and assessing the situation" and has not confirmed exfiltration (The Register, 2026-06-15; BleepingComputer, 2026-06-15). The vector — unauthenticated HTTP to the /PSEMHUB/hub servlet (T1190) — is unchanged; treat any externally-reachable PeopleSoft Environment Management Hub as compromised pending forensic review and block perimeter access to /PSEMHUB/*. Confidence on the victim claim is MEDIUM pending Council of Europe confirmation (extortion-site claim).
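An added example serving both this entry and the W25 outlook item on hunting the /PSEMHUB/ and /PSIGW/HttpListeningConnector paths (not code from the original page, Oracle or GTIG): it parses constructed combined-format web access log lines and flags requests to those servlet prefixes from sources outside the ranges it treats as internal. The internal ranges, the log format and the sample lines are assumptions.

```python
"""Hunt: external requests to PeopleSoft management/integration servlets.
Added example, not code from the original entry, Oracle or GTIG. The log
lines are constructed in combined-log format; the watched paths come from the
entries above, the internal ranges and log format are assumptions."""
import ipaddress
import re
from collections import Counter

# Servlet prefixes the entries say to hunt: management/integration endpoints
# that should not be reachable from the internet in the first place.
WATCH_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
# Ranges treated as internal (assumption: RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Apache/nginx "combined" format: host ident user [time] "req" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_external(src):
    """True unless the source address falls inside INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True  # unparseable sources get reviewed rather than ignored
    return not any(ip in net for net in INTERNAL_NETS)

def hunt_peoplesoft_paths(lines):
    """Return the flagged records and a per-source count of them."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore query string when matching
        if path.startswith(WATCH_PREFIXES) and is_external(rec["src"]):
            hits.append(rec)
    by_src = Counter(h["src"] for h in hits)
    return hits, by_src

# Constructed sample lines (not from any real incident): an internal admin host,
# one external source touching both servlets, unrelated public traffic, and noise.
SAMPLE_LOG = [
    '10.20.30.5 - - [11/Jun/2026:09:01:12 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [11/Jun/2026:02:14:03 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1843 "-" "python-requests/2.32"',
    '203.0.113.77 - - [11/Jun/2026:02:14:09 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 91 "-" "python-requests/2.32"',
    '198.51.100.9 - - [11/Jun/2026:02:20:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 7045 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]
```

Any hit is worth a look on its own; a single external source touching both servlets within seconds, as in the sample, is the shape to escalate and to check against the perimeter block the entry recommends.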

data-breach organized-crime identity europe

2026-06-14

CrowdStrike 2026 Technology Threat Landscape Report — "technology = most-targeted" reads as prophecy against this week's incidents

notable annual-report discovered 2026-06-14 23:57 UTC single-source

CrowdStrike's report (published 9 June, distilled in the 06-11 daily) found technology to be the most-targeted sector. Rather than re-recap it, the weekly's lens is corroboration: this very week supplied the evidence. The Shai-Hulud/Atomic Arch supply-chain wave (§ 2), the ShinyHunters PeopleSoft zero-day (§ 1), and the run of AI-developer-platform flaws (Langflow, LangGraph, LiteLLM in § 3) are all attacks on the technology supply chain and the developer toolchain rather than merely through it. For a public-sector SOC the implication is that the technology vendors and open-source components in your stack are themselves now the front line; an SBOM-driven component inventory is the prerequisite for reasoning about it.

supply-chain nation-state global
