
UNC6240 (ShinyHunters) conducted a zero-day exploitation campaign targeting Oracle PeopleSoft (PeopleTools 8.61 and 8.62) between May 27 and June 9, 2026. The actors exploited CVE-2026-35273, a critical Server-Side Request Forgery (SSRF) vulnerability (CWE-918) in the Updates Environment Management component, to achieve unauthenticated Remote Code Execution (RCE). Following initial access, the group deployed MeshCentral remote management agents disguised as Microsoft Azure services to maintain persistence and perform reconnaissance. Data was compressed using 'zstd' and exfiltrated for extortion on the ShinyHunters Data Leak Site. CISA added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on June 12, 2026, following widespread targeting of the higher education sector.

  • Incident Overview: Campaign Scale and Targeting

    • Attributed to UNC6240 (ShinyHunters), a financially motivated threat group.
    • Primarily targeted the higher education sector, which comprised 68% of over 100 notified victims.
    • Attack window active from May 27 to June 9, 2026, prior to vendor patching.
  • Vulnerability Mechanics: SSRF to RCE

    • Exploitation of CVE-2026-35273, a critical SSRF (CWE-918) vulnerability.
    • Affects Oracle PeopleTools versions 8.61 and 8.62 via /PSEMHUB/hub and /PSIGW/HttpListeningConnector.
    • Enables unauthenticated Remote Code Execution (RCE) within the target environment.
  • Post-Exploitation: Persistence and Exfiltration

    • Deployment of MeshCentral agents masquerading as legitimate Microsoft Azure services.
    • Use of 'zstd' compression to facilitate efficient data staging and exfiltration.
    • Outbound SMB (TCP 445) activity utilized for NetNTLM hash capture and lateral movement.
    • Stolen enterprise data published on the ShinyHunters Data Leak Site (DLS) for extortion.
  • Indicators of Compromise (IoCs)

    • Network: C2 domain azurenetfiles(.)net and IP range 142.11.200.186 through 142.11.200.190.
    • Files: meshagent64-azure-ops.exe (SHA256: f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc).
    • Artifacts: Unexpected .jsp files in PSEMHUB.war and XMLDecoder persistence in /envmetadata/data/environment/.
  • Remediation and Defensive Actions

    • Immediate application of Oracle's out-of-band patch released on June 10, 2026.
    • Compliance with CISA KEV mandates for federal agencies and critical infrastructure.
    • Forensic auditing of PeopleSoft endpoints for unauthorized MeshCentral agent activity.
