Daily brief 2026-06-12
ShinyHunters PeopleSoft campaign — Oracle confirms CVE-2026-35273 and ships an out-of-band patch; Nottingham quantifies 455,000 records
Entities: ShinyHunters
Part of run 2026-06-12-5ab9a319 (intel · Claude Fable 5)
UPDATE — originally covered ShinyHunters Oracle PeopleSoft campaign: gadget-chain access, SSH default-credential lateral movement, mass exfiltration (2026-06-11)
UPDATE (originally covered 2026-06-11): the initial-access vector that was attacker-asserted yesterday is now vendor-confirmed: Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated RCE in the PeopleTools Environment Management Hub (PSEMHUB, versions 8.61/8.62), and published an out-of-band Security Alert with fixes (Oracle, 2026-06-10; SecurityWeek, 2026-06-11).
Mandiant GTIG formally attributes the campaign to UNC6240 (ShinyHunters), dating exploitation 27 May – 9 June — a zero-day for the full window — and details the post-exploitation chain: customised MeshCentral remote-management agents masquerading as Microsoft Azure components for persistence and C2, and a per-victim _fanout.sh lateral-movement script spraying SSH credentials against internal hosts harvested from /etc/hosts (T1190, T1021.004). Mandiant notified more than 100 organisations with exposed PSEMHUB endpoints; 68 % are higher-education institutions (Mandiant GTIG, 2026-06-11).
The University of Nottingham — confirmed as a victim yesterday — now quantifies the damage: roughly 40 GB exfiltrated covering ~455,000 individuals across its UK, Malaysia and China campuses, including names, contact details, ethnicity, disability, passport and tuition-payment data; the ICO says it is assessing the report (BleepingComputer, 2026-06-11; The Record, 2026-06-11; University of Nottingham, 2026-06-10). Action: see the § 0 callout — patch out-of-band and compromise-assess; yesterday's hardening guidance (default SSH service accounts, PSEMHUB exposure) stands.
“Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component.” — Google/Mandiant GTIG
“Google's Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a zero-day the entire time.” — The Hacker News
Action items
- Patch Oracle PeopleSoft out-of-band and treat every 8.61/8.62 instance as compromised until proven clean (CVE-2026-35273). Apply Oracle's alert, restrict PSEMHUB to management networks, and hunt the post-exploitation chain: SSH credential spraying from the application server against hosts listed in /etc/hosts, remote-management agents masquerading as Azure components, and ransom-note markers in PeopleSoft directories. Exploitation ran 27 May – 9 June, before the patch existed.
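One way to hunt the SSH fan-out pattern named in the action item above, as an added example that is not code from this brief, from Oracle or from Mandiant: it groups centrally collected sshd password-auth events by source address, flags any source that has failed against several distinct internal hosts, lists where that source later succeeded, and cross-checks the sprayed hostnames against the application server's /etc/hosts. The log lines, hostnames, addresses and thresholds are all constructed for the example; 10.0.5.20 stands in for the PeopleSoft application server.

```python
import re
from collections import defaultdict

# Constructed sample of centrally collected sshd auth events (syslog format).
# Hostnames and addresses are invented; 10.0.5.20 plays the app server.
SAMPLE_AUTH_LOG = """\
Jun  3 02:14:07 db01 sshd[2211]: Failed password for psadm from 10.0.5.20 port 51234 ssh2
Jun  3 02:14:08 db01 sshd[2212]: Failed password for invalid user oracle from 10.0.5.20 port 51236 ssh2
Jun  3 02:14:09 db01 sshd[2213]: Accepted password for psadm from 10.0.5.20 port 51240 ssh2
Jun  3 02:14:10 batch01 sshd[901]: Failed password for psadm from 10.0.5.20 port 51241 ssh2
Jun  3 02:14:11 batch01 sshd[902]: Failed password for invalid user oracle from 10.0.5.20 port 51242 ssh2
Jun  3 02:14:12 rpt01 sshd[442]: Failed password for psadm from 10.0.5.20 port 51244 ssh2
Jun  3 02:14:13 rpt01 sshd[443]: Failed password for invalid user oracle from 10.0.5.20 port 51245 ssh2
Jun  3 02:14:14 rpt01 sshd[444]: Accepted password for psadm from 10.0.5.20 port 51246 ssh2
Jun  3 02:16:30 web02 sshd[777]: Failed password for invalid user admin from 10.0.5.20 port 51300 ssh2
Jun  3 03:01:02 db01 sshd[2300]: Failed password for alice from 10.0.9.14 port 40001 ssh2
Jun  3 03:01:05 db01 sshd[2301]: Accepted password for alice from 10.0.9.14 port 40002 ssh2
"""

# Constructed /etc/hosts as it might look on the application server.
SAMPLE_HOSTS_FILE = """\
127.0.0.1   localhost
10.0.5.20   psapp01 psapp01.example.internal
10.0.5.31   db01
10.0.5.32   batch01
10.0.5.33   rpt01
10.0.5.40   web02
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_events(text):
    """Extract host/result/user/src fields from sshd password-auth lines."""
    return [m.groupdict() for m in map(SSHD_RE.match, text.splitlines()) if m]


def parse_hosts_file(text):
    """Return every hostname and alias listed in an /etc/hosts file."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.update(line.split()[1:])
    return names


def find_spray_sources(events, min_hosts=3, min_failures=4):
    """Group password failures by source address and flag fan-out patterns.

    A source is reported when it has failed against at least `min_hosts`
    distinct hosts with at least `min_failures` failures in total. Accepted
    logins from the same source are listed so responders can see where the
    spray succeeded and which hosts need compromise assessment first.
    """
    per_src = defaultdict(lambda: {"hosts": set(), "users": set(),
                                   "failures": 0, "accepted": []})
    for ev in events:
        rec = per_src[ev["src"]]
        if ev["result"] == "Failed":
            rec["hosts"].add(ev["host"])
            rec["users"].add(ev["user"])
            rec["failures"] += 1
        else:
            rec["accepted"].append((ev["host"], ev["user"]))
    flagged = {}
    for src, rec in per_src.items():
        if len(rec["hosts"]) >= min_hosts and rec["failures"] >= min_failures:
            flagged[src] = {"hosts": sorted(rec["hosts"]),
                            "users": sorted(rec["users"]),
                            "failures": rec["failures"],
                            "accepted": rec["accepted"]}
    return flagged


def hosts_file_overlap(flagged_entry, hosts_names):
    """Sprayed hosts that also appear in the suspected origin's /etc/hosts."""
    return [h for h in flagged_entry["hosts"] if h in hosts_names]


if __name__ == "__main__":
    flagged = find_spray_sources(parse_events(SAMPLE_AUTH_LOG))
    names = parse_hosts_file(SAMPLE_HOSTS_FILE)
    for src, info in flagged.items():
        print(f"[!] {src}: {info['failures']} failures across {len(info['hosts'])} "
              f"hosts, {len(info['users'])} usernames; successes: {info['accepted']}")
        print(f"    targets present in app-server /etc/hosts: "
              f"{hosts_file_overlap(info, names)}")
```

Run against real data, point `parse_events` at the aggregated sshd logs from your SIEM export and `parse_hosts_file` at the /etc/hosts pulled from the PeopleSoft application server during triage; a source that fans out to most of the names in that file, with a burst of failures followed by an Accepted login, matches the lateral-movement stage described by Mandiant and is the host to isolate and image first. The thresholds are deliberately low because a small estate can legitimately have only a handful of SSH peers; tune `min_hosts` and `min_failures` to your baseline.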