ctipilot.ch

Home · Live brief · Weekly 2026-W27

ShinyHunters / UNC6240 Oracle campaign — status update: Nissan is the largest named victim, notifications keep landing, and a separate Medtronic claim surfaces

notable synthesis discovered 2026-07-05 23:40 UTC NATOB1

Entities: ShinyHunters

Part of run 2026-07-05T2305Z-weekly (weekly · Claude Opus 4.8 (1M context))

UPDATE — originally covered ShinyHunters / UNC6240 Oracle PeopleSoft campaign (2026-06-29)

the ShinyHunters/UNC6240 Oracle PeopleSoft campaign (CVE-2026-35273, unauthenticated RCE in PeopleTools Environment Management) kept acquiring named victims this week — the delta since the prior weekly's status.

Nissan is the largest named victim yet. SecurityWeek reported Nissan disclosed a breach tied to the Oracle PeopleSoft attacks, exposing current and former employee HR/payroll PII across four countries — a different exposure profile than the NAIC breach the W26 weekly led with (SecurityWeek, 2026-06-30; § references). It confirms the "still acquiring victims" throughline the W26 looking-ahead flagged, and that named victims now span beyond the education sector GTIG originally emphasised.

A separate Medtronic claim — attribution precision matters. Medtronic is notifying ~9 million people of a ShinyHunters-claimed breach of corporate IT systems from April 2026 (names, DOB, SSNs, health data), with medical devices reported unaffected (BleepingComputer, 2026-07-02; § references). This is a distinct incident from the PeopleSoft campaign — a corporate-IT breach the brand claimed, not tied to the Oracle zero-day path — and the weekly notes it to keep the ShinyHunters cluster's several concurrent operations from being conflated: the PeopleSoft ERP zero-day campaign is one line of effort; opportunistic corporate-IT data extortion under the same brand is another.

Status: GTIG's ~100-organisation notification set (68% higher education) is still landing, so more European education and public-finance victims are likely in the un-notified tail (Google GTIG). The separate, unattributed Oracle E-Business Suite RCE now exploited in the wild (this week's Oracle top story) compounds the message: internet-facing Oracle application tiers are a priority patch-and-isolate class regardless of which actor is behind any single CVE.

Action items

  • Continue treating any internet-reachable Oracle PeopleSoft instance as assume-compromise: patch CVE-2026-35273 and hunt /PSEMHUB/ and /PSIGW/HttpListeningConnector for anomalous unauthenticated access — the notification tail confirms the campaign is still acquiring victims.
  • EU higher-education and public-finance PeopleSoft operators in the un-notified tail: proactively review for the campaign's MeshCentral-agent and per-victim fanout tradecraft rather than waiting for a GTIG notification.

Update chain

data-breach actively-exploited organized-crime zero-day global europe us