ctipilot.ch


NAIC breached through an Oracle PeopleSoft zero-day; ShinyHunters dumps 3.1 TB and US rating-agency feeds stall

high synthesis discovered 2026-06-29 00:20 UTC

Entities: ShinyHunters

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

If you did nothing this week: any internet-reachable Oracle PeopleSoft instance is a live pre-auth foothold — the same zero-day path that put the US National Association of Insurance Commissioners into ShinyHunters' hands, and PeopleSoft is widely deployed across European public administration, higher education and HR/finance back offices. The W25 looking-ahead flagged that ShinyHunters PeopleSoft notifications were still landing and that EU universities were a probable next-named class; NAIC is the fresh high-profile confirmation that the campaign is still acquiring victims.

NAIC — the standard-setting body for all 50 US state insurance regulators — confirmed on 2026-06-26 that an unauthorised party reached its environment on June 11 via an Oracle PeopleSoft vulnerability, then pivoted from PeopleSoft to temporary access to data-storage areas. ShinyHunters claims 3.1 TB exfiltrated (TechRadar, Insurance Journal). The operational tell is the downstream impact NAIC itself disclosed: credit-rating agencies paused their data feeds and NAIC suspended assigning designations to insurer investments — a regulatory-process outage, not just a data-confidentiality event. This is the same PeopleSoft exploitation wave (CVE-2026-35273, the unauthenticated RCE in PeopleTools Environment Management) that Google GTIG attributes to UNC6240/ShinyHunters and has been tracking against the education sector — 68% of identified targets were higher-education institutions. Treat any externally-reachable PeopleSoft portal (/PSEMHUB/, /PSIGW/HttpListeningConnector) as a hunt target, not a patch-later item. (daily 06-28)

“Unauthorized access to a portion of the NAIC's environment was identified on June 11 via an Oracle PeopleSoft vulnerability. While in PeopleSoft, the unauthorized party was able to obtain information needed to gain temporary access to certain data storage areas.” — NAIC

“Due to the incident, certain credit rating agencies have paused their data feeds and consequently, the NAIC has temporarily suspended assigning designations to insurer investments.” — NAIC
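For the hunt on /PSEMHUB/ and /PSIGW/HttpListeningConnector recommended above, one way to sweep web-tier access logs, as an added example that is not part of the brief or of any vendor tooling: it groups requests to those two paths by client IP when the client is outside an assumed internal range. The log format, the internal ranges and the sample lines are assumptions; a hit shows the portal was reached from outside, not that it was exploited.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Paths named in the brief, lower-cased; prefix match is deliberately broad.
HUNT_PATHS = ("/psemhub", "/psigw/httplisteningconnector")
# Assumption: what counts as "internal"; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed common/combined format: ip - user [time] "METHOD uri PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_external(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return True  # unparsable client field: keep it in scope for review
    return not any(ip in net for net in INTERNAL_NETS)

def hunt(lines):
    """Group external requests to the hunted paths by client IP."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, method, uri, status = m.groups()
        # Drop the query, percent-decode, lower-case, collapse repeated slashes.
        path = re.sub(r"/{2,}", "/", unquote(uri.split("?", 1)[0]).lower())
        if is_external(ip) and path.startswith(HUNT_PATHS):
            hits[ip].append((when, method, path, int(status)))
    return dict(hits)

# Constructed sample lines (documentation-range IPs, not real indicators).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2026:02:14:09 +0000] "POST /PSEMHUB/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:02:14:11 +0000] "GET /%50SEMHUB/?a=1 HTTP/1.1" 404 0',
    '10.1.2.3 - - [01/Jan/2026:02:15:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 90',
    '198.51.100.20 - - [02/Jan/2026:08:00:00 +0000] "POST //psigw/HttpListeningConnector HTTP/1.1" 500 17',
    '198.51.100.20 - - [02/Jan/2026:08:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for ip, reqs in hunt(SAMPLE).items():
        print(ip, len(reqs), sorted({r[3] for r in reqs}))
```

If the web tier sits behind a reverse proxy or load balancer, run this on the log that records the original client address; otherwise every request appears internal and nothing is flagged.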

data-breach zero-day actively-exploited organized-crime us europe CVE-2026-35273