ctipilot.ch

NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of insurance-regulatory data

incident · incident:naic-peoplesoft-oracle-zero-day-shinyhunters

Coverage timeline: 1 (first 2026-06-28 → last 2026-06-28)
Briefs: 1 (1 distinct)
Sources cited: 39 (26 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-06-28 · CTI Daily Brief — 2026-06-28 · active_threats
     First coverage. Oracle PeopleSoft zero-day (T1190) on 2026-06-11 pivoted (T1078) into NAIC data stores; ShinyHunters/UNC6240 published ~3.1 TB / 105k files incl. insurer statutory filings + rating-agency data; rating feeds paused, NAIC suspended investment-risk designations; part of 100+ org PeopleSoft campaign.

Where this entity is cited

  • active_threats (1)

Source distribution

  • bleepingcomputer.com: 5 (13%)
  • securityweek.com: 4 (10%)
  • oracle.com: 3 (8%)
  • cloud.google.com: 2 (5%)
  • thehackernews.com: 2 (5%)
  • attack.mitre.org: 2 (5%)
  • techcrunch.com: 2 (5%)
  • content.naic.org: 1 (3%)
  • other: 18 (46%)

Items in briefs about NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of insurance-regulatory data (8)

NAIC breached via Oracle PeopleSoft zero-day; ShinyHunters publishes 3.1 TB of US insurance-regulatory data and rating-agency feeds pause

From CTI Daily Brief — 2026-06-28 · published 2026-06-28

The National Association of Insurance Commissioners (NAIC) — the US standard-setting body governing all 50 state insurance regulators — confirmed on 2026-06-26 that an unauthorised party gained access to part of its environment on 2026-06-11 by exploiting an Oracle PeopleSoft vulnerability that was unknown to the vendor at the time, then used the PeopleSoft foothold to obtain credentials that pivoted into NAIC data-storage areas (NAIC, 2026-06-26). The flaw is reported as CVE-2026-35273, a critical unauthenticated remote-code-execution vulnerability in Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 (Insurance Business Mag, 2026-06-24). NAIC states the access path has since been blocked and remediated and that the FBI plus external forensics are engaged. The extortion group ShinyHunters claimed responsibility on 2026-06-18 and by 2026-06-25 had published the data, which corroborating reporting puts at ~3.1 TB (TechRadar, 2026-06-26); the corpus is reported to include insurer statutory financial-reporting documents and files from major credit-rating agencies (Insurance Journal, 2026-06-25). NAIC says it has not confirmed ShinyHunters' claim to have taken SERFF, OPTins, UCAA, EDP and RDC, and that employee PII, EFT, policyholder and producer data were not accessed. The operationally significant consequence: several rating agencies paused their data feeds to NAIC, forcing it to temporarily suspend assigning investment-risk designations to insurer portfolios — a direct disruption to US insurance-sector solvency monitoring. The incident is reported as part of a broader PeopleSoft campaign affecting 100+ organisations (Insurance Business Mag, 2026-06-24).

Why it matters to us: Oracle PeopleSoft is widely deployed for HR/finance in European and Swiss public-sector and large enterprises; the kill chain here is T1190 (exploit a public-facing PeopleSoft app) → T1078 (abuse the obtained credentials/session to pivot to data stores) → T1567 (web-service exfiltration). Verify PeopleSoft patch status against the in-the-wild zero-day campaign, segment PeopleSoft data-bus/integration accounts to least privilege, and put DLP/volume alerting on bulk export from PeopleSoft repositories. EU/Swiss insurance supervisors (EIOPA, national NCAs) and reinsurers whose data is in the rating-agency corpus should treat affected feeds as potentially tampered until NAIC confirms integrity restoration.
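The "DLP/volume alerting on bulk export" recommendation above is easy to state and easy to get wrong (a fixed per-request threshold misses a burst of small pulls). The following is an added example, not code from the brief, from NAIC or from Oracle: it slides a per-account time window over an export audit log and alerts when either the bytes or the number of distinct documents exported inside the window crosses a baseline. The CSV layout (timestamp,account,action,object,bytes), the account names, the paths and the thresholds are all constructed assumptions to be tuned per estate.

```python
"""Volume alerting on bulk export from a PeopleSoft-style document repository.

Added example, not code from the brief, from NAIC or from Oracle. It assumes an
export audit log in a constructed CSV layout (timestamp,account,action,object,bytes);
the account names, paths, window and thresholds are assumptions to tune per estate.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: an analyst (j.doe) doing routine work and an integration
# service account (svc_psft_bus) pulling statutory filings in a burst.
SAMPLE_LOG = """\
2026-06-11T02:00:05Z,j.doe,export,filings/2025/Q4/ins-0001.pdf,184320
2026-06-11T02:04:11Z,j.doe,export,filings/2025/Q4/ins-0002.pdf,201117
2026-06-11T02:10:40Z,svc_psft_bus,export,filings/2025/Q4/ins-0003.pdf,190001
2026-06-11T02:10:41Z,svc_psft_bus,export,filings/2025/Q4/ins-0004.pdf,205500
2026-06-11T02:10:41Z,svc_psft_bus,export,filings/2025/Q4/ins-0005.pdf,198770
2026-06-11T02:10:42Z,svc_psft_bus,export,filings/2025/Q4/ins-0006.pdf,211004
2026-06-11T02:10:43Z,svc_psft_bus,export,filings/2025/Q4/ins-0007.pdf,187345
2026-06-11T02:10:44Z,svc_psft_bus,export,filings/2025/Q4/ins-0008.pdf,203119
2026-06-11T02:10:45Z,svc_psft_bus,view,filings/2025/Q4/ins-0008.pdf,0
2026-06-11T03:30:00Z,j.doe,export,filings/2025/Q4/ins-0009.pdf,176002
"""


def parse_line(line):
    """Split one CSV audit line into typed fields (timestamps are UTC)."""
    ts, account, action, obj, size = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, action, obj, int(size)


def find_bulk_exports(log_text, window=timedelta(minutes=15),
                      byte_threshold=1_048_576, object_threshold=5):
    """Slide a per-account window over export events and alert when the bytes
    or the number of distinct objects exported inside the window reach a
    threshold. One alert per account per window: later events in the same
    burst are suppressed until the window has moved on."""
    windows = {}     # account -> deque of (timestamp, object, bytes)
    last_alert = {}  # account -> timestamp of the most recent alert
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, action, obj, size = parse_line(line)
        if action != "export":
            continue
        q = windows.setdefault(account, deque())
        q.append((ts, obj, size))
        while q and ts - q[0][0] > window:   # evict events older than the window
            q.popleft()
        total = sum(b for _, _, b in q)
        distinct = len({o for _, o, _ in q})
        breached = total >= byte_threshold or distinct >= object_threshold
        suppressed = account in last_alert and ts - last_alert[account] <= window
        if breached and not suppressed:
            last_alert[account] = ts
            alerts.append({"account": account, "first_seen": q[0][0].isoformat(),
                           "bytes": total, "objects": distinct})
    return alerts


if __name__ == "__main__":
    for a in find_bulk_exports(SAMPLE_LOG):
        print(f"ALERT {a['account']}: {a['objects']} objects / {a['bytes']} bytes "
              f"since {a['first_seen']}")
```

On the constructed sample the service account trips the distinct-object rule before the byte rule does, which is the point of keeping both: an integration account that legitimately moves a few large files looks very different from one enumerating a filings tree. Pair the alert with a separate baseline per account class (interactive user versus integration bus) rather than one global threshold.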

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (10.0) and PeopleSoft RCE (9.8)

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

Oracle's June Critical Security Patch Update shipped 245 fixes on 2026-06-17, around 100 remotely exploitable without authentication, headlined by an unauthenticated Solaris Remote Administration Daemon flaw (CVE-2026-46978, CVSS 10.0) and a PeopleSoft RCE (CVE-2026-35278, 9.8) (Oracle CSPU; daily 06-18). The PeopleSoft fix lands in the middle of the ShinyHunters PeopleSoft campaign (§ 2) — prioritise PeopleSoft and any internet-reachable Solaris RAD instances.

CVE-2026-46978 / CVE-2026-35278 — Oracle June 2026 CSPU: unauthenticated Solaris RAD flaw (CVSS 10.0) and PeopleSoft RCE (9.8)

From CTI Daily Brief — 2026-06-18 · published 2026-06-18

Oracle's June 2026 Critical Security Patch Update shipped 245 fixes on 2026-06-17, ~100 of them remotely exploitable without authentication (SecurityWeek, 2026-06-17 · Oracle, 2026-06-17). The two standouts for this audience are both pre-auth: CVE-2026-46978 (CVSS 10.0) in the Oracle Solaris 11.4 Remote Administration Daemon (RAD), reachable by an unauthenticated attacker over its default HTTPS management interface, and CVE-2026-35278 (CVSS 9.8), a missing-authentication RCE in PeopleSoft PeopleTools 8.61/8.62 Performance Monitor (T1190). Oracle reports no in-the-wild exploitation at publication; the unauthenticated network vectors warrant emergency prioritisation. Patch internet-facing PeopleSoft and middleware tiers first; as interim hardening, scope the Solaris RAD daemon to localhost where remote administration is not required.

UPDATE: Council of Europe named as a victim of the Oracle PeopleSoft (CVE-2026-35273) campaign

From CTI Daily Brief — 2026-06-16 · published 2026-06-16

UPDATE (originally covered 2026-06-12/2026-06-13): ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body, of which Switzerland is a member — claiming 297 GB across ~429,000 files taken via the Oracle PeopleSoft Environment Management Hub zero-day CVE-2026-35273, and set a 16 June leak deadline (SecurityWeek, 2026-06-15). This is the first European intergovernmental institution named in the 100+-organisation PeopleSoft campaign previously covered as an education-sector wave.

The claimed dataset spans payroll for 10,000+ current and former staff (2011–2026), 14,000+ CVs, and HR records with names, dates of birth, addresses, bank-account, tax/social-security and medical data. The Council of Europe confirmed it "is currently investigating the matter and assessing the situation" and has not confirmed exfiltration (The Register, 2026-06-15; BleepingComputer, 2026-06-15). The vector — unauthenticated HTTP to the /PSEMHUB/hub servlet (T1190) — is unchanged; treat any externally-reachable PeopleSoft Environment Management Hub as compromised pending forensic review and block perimeter access to /PSEMHUB/*. Confidence on the victim claim is MEDIUM pending Council of Europe confirmation (extortion-site claim).

CVE-2026-35273 — Oracle PeopleSoft: confirmed zero-day exploited by ShinyHunters (UNC6240), education sector hit hardest

From CTI Weekly Summary — 2026-W24 (Jun 08 – Jun 14, 2026) · published 2026-06-14

If you did nothing this week: if you run internet-reachable Oracle PeopleSoft, assume data-theft exposure — the initial-access vector that was merely attacker-asserted last week is now vendor-confirmed as a zero-day, with 100+ organisations already breached.

What was a claim-only story on 11 June became vendor-confirmed within 48 hours. Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated flaw in the PeopleSoft Environment Management Hub, and shipped an out-of-band patch (Oracle security alert; daily 06-12). Mandiant and Google GTIG then formally attributed the campaign to UNC6240 (ShinyHunters) and confirmed active exploitation against 100+ organisations, with the education sector disproportionately represented; the University of Nottingham quantified roughly 455,000 affected records (Google GTIG; daily 06-13).

This is a direct hit on a sector dense with European public-sector entities — universities and research institutions running PeopleSoft for HR and campus systems. Apply Oracle's out-of-band fix, then assume data exfiltration on any instance that was internet-reachable before patching: review Environment Management Hub access logs, rotate exposed credentials, and prepare for extortion contact, which is ShinyHunters' standard follow-through.

UPDATE: Oracle PeopleSoft CVE-2026-35273 attributed to ShinyHunters; confirmed zero-day, 100+ victims, education sector hit hardest

From CTI Daily Brief — 2026-06-13 · published 2026-06-13

UPDATE (originally covered 2026-06-11): Mandiant and Google GTIG formally attribute the PeopleSoft Environment Management Hub exploitation campaign to UNC6240 (ShinyHunters) and confirm the activity ran from 27 May to 9 June 2026 — predating Oracle's 10 June out-of-band advisory, establishing CVE-2026-35273 (CVSS 9.8) as a zero-day at time of exploitation (Mandiant/GTIG, 2026-06-11). The unauthenticated SSRF→RCE is reached via the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints in PeopleTools 8.61/8.62.

GTIG notified over 100 organisations whose endpoints correlated with exploitation; 68% are higher-education institutions. Post-exploitation, the actor deployed MeshCentral remote-management agents disguised as Azure binaries, used SSH fan-out scripts with PeopleSoft admin credentials for lateral movement, and exfiltrated to the ShinyHunters leak site (Rapid7, 2026-06-12). The University of Nottingham confirmed 454,600 student and alumni records were taken, including passport numbers (University of Nottingham; BleepingComputer, 2026-06-11). CISA added the CVE to KEV on 12 June. Swiss/EU universities running Campus Solutions should treat this as P1 (see § 0 Immediate Action and § 6).
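The 2026-06-16 item above tells defenders to treat any externally reachable Environment Management Hub as compromised and to block perimeter access to /PSEMHUB/*, and this item names the two listener paths involved (/PSEMHUB/hub and /PSIGW/HttpListeningConnector). The following is an added example, not code from the brief, from Oracle or from Mandiant, that runs that check over web-server access logs: it flags every request to those paths whose source address is outside the management networks you define, and collapses the results per source so a scanner shows up as one line with a count. It assumes NCSA combined-format logs in front of PeopleTools and RFC 1918 ranges as "internal"; the log lines and addresses are constructed.

```python
"""Hunt for external requests to PeopleSoft management endpoints in access logs.

Added example, not code from the brief, from Oracle or from Mandiant. It assumes
NCSA combined-format access logs in front of PeopleTools and treats the RFC 1918
ranges in INTERNAL_NETS as the only networks allowed to reach the Environment
Management Hub and Integration Gateway listener (an assumption; adjust per estate).
"""
import ipaddress
import re

# Paths named in the brief; str.startswith() accepts the tuple directly.
WATCHED_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# NCSA combined: src ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: one ordinary portal request, one internal PSEMHUB call
# (legitimate agent traffic), and three requests from documentation-range
# addresses that should never reach these paths.
SAMPLE_LOG = """\
10.20.3.14 - - [08/Jun/2026:09:12:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
203.0.113.77 - - [08/Jun/2026:09:12:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.20.3.90 - - [08/Jun/2026:09:13:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 611 "-" "Java/1.8.0_371"
198.51.100.9 - - [08/Jun/2026:09:13:55 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 1093 "-" "curl/8.4.0"
203.0.113.77 - - [08/Jun/2026:09:14:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0 "-" "python-requests/2.31"
"""


def is_internal(ip_text):
    """True if the address falls inside an allowed management network.
    Anything that does not parse as an IP (a hostname, garbage) is treated
    as external so it is surfaced rather than silently dropped."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_external_mgmt_hits(log_text):
    """Return one record per request to a watched path from a non-internal source."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line; skip
        path = m.group("path").split("?", 1)[0]   # compare the path without query
        if not path.startswith(WATCHED_PREFIXES):
            continue
        if is_internal(m.group("src")):
            continue
        hits.append({"src": m.group("src"), "ts": m.group("ts"),
                     "method": m.group("method"), "path": path,
                     "status": int(m.group("status"))})
    return hits


def summarise_by_source(hits):
    """Collapse per-request hits into one record per external source."""
    summary = {}
    for h in hits:
        rec = summary.setdefault(h["src"], {"count": 0, "succeeded": 0, "paths": set()})
        rec["count"] += 1
        if h["status"] < 400:              # server answered the request
            rec["succeeded"] += 1
        rec["paths"].add(h["path"])
    return summary


if __name__ == "__main__":
    for src, rec in summarise_by_source(find_external_mgmt_hits(SAMPLE_LOG)).items():
        print(f"{src}: {rec['count']} requests, {rec['succeeded']} answered <400, "
              f"paths={sorted(rec['paths'])}")
```

A non-empty result on logs from before the out-of-band patch is the trigger for the compromise assessment the brief calls for (credential rotation, review of admin-account SSH activity), not merely for a perimeter block. Feed the per-source summary into the ticket rather than the raw hits, and keep the internal list tight: an address inside 10/8 that is not a known PSEMHUB agent host deserves a second look too.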

UPDATE: ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records

From CTI Daily Brief — 2026-06-12 · published 2026-06-12

UPDATE (originally covered 2026-06-11): the initial-access vector that was attacker-asserted yesterday is now vendor-confirmed: Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated RCE in the PeopleTools Environment Management Hub (PSEMHUB, versions 8.61/8.62), and published an out-of-band Security Alert with fixes (Oracle, 2026-06-10; SecurityWeek, 2026-06-11).

Mandiant GTIG formally attributes the campaign to UNC6240 (ShinyHunters), dating exploitation 27 May – 9 June — a zero-day for the full window — and details the post-exploitation chain: customised MeshCentral remote-management agents masquerading as Microsoft Azure components for persistence and C2, and a per-victim _fanout.sh lateral-movement script spraying SSH credentials against internal hosts harvested from /etc/hosts (T1190, T1021.004). Mandiant notified more than 100 organisations with exposed PSEMHUB endpoints; 68% are higher-education institutions (Mandiant GTIG, 2026-06-11).

The University of Nottingham — confirmed as a victim yesterday — now quantifies the damage: roughly 40 GB exfiltrated covering ~455,000 individuals across its UK, Malaysia and China campuses, including names, contact details, ethnicity, disability, passport and tuition-payment data; the ICO says it is assessing the report (BleepingComputer, 2026-06-11; The Record, 2026-06-11; University of Nottingham, 2026-06-10). Action: see the § 0 callout — patch out-of-band and compromise-assess; yesterday's hardening guidance (default SSH service accounts, PSEMHUB exposure) stands.

CVE-2024-21182 — Oracle WebLogic Server: unauthenticated T3/IIOP data access, KEV-listed on active exploitation

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalog on 2026-06-01 "based on evidence of active exploitation" (The Hacker News, 2026-06-02). The flaw (CVSS 7.5) lets an unauthenticated, network-positioned attacker abuse the T3 or IIOP protocol listeners — exposed by default on ports 7001/7002 — to obtain unauthorized access to WebLogic-accessible data, and on some configurations a more complete server compromise. It affects Oracle WebLogic Server 12.2.1.4.0 and 14.1.1.0.0 and was fixed in Oracle's July 2024 Critical Patch Update (Oracle CPU, 2024-07-16). The operationally relevant fact is the fresh exploitation against a patch that has been available for 23 months, not the FCEB remediation date attached to the KEV entry; WebLogic is heavily deployed J2EE middleware in EU financial-services and public-sector estates (Security Affairs, 2026-06-02). Defenders: apply the July 2024 (or later) CPU; block T3/IIOP at the perimeter and restrict it to internal admin subnets via WebLogic connection filters; alert on unauthenticated T3/IIOP initiators reaching 7001/7002 from external sources.