15th June – Threat Intelligence Report

What Happened

Several major cyberattacks and software vulnerabilities were reported this week, impacting organizations like the University of Nottingham, Mackay Sugar, and Novo Nordisk. Hackers known as ShinyHunters exploited a critical flaw in Oracle software to steal student data, while other attackers targeted VPN systems and backup servers. These incidents highlight the ongoing risk of data theft and operational disruption from unpatched software and supply chain compromises. Organizations should urgently apply the latest security updates from Microsoft, Check Point, Veeam, and Oracle to protect their networks.

Key Takeaways

• ShinyHunters exploited an Oracle PeopleSoft zero-day (CVE-2026-35273) to breach the University of Nottingham and over 100 other organizations.
• Active exploitation of a Check Point VPN IKEv1 authentication bypass (CVE-2026-50751) has been observed and linked to Qilin ransomware.
• Microsoft's Patch Tuesday addressed over 200 vulnerabilities, including a critical CVSS 9.8 network propagation flaw (CVE-2026-45657).
• A supply-chain attack on the Arch User Repository deployed Rust stealers and eBPF rootkits via modified build scripts.
• AI-related threats are expanding, including LangGraph RCE flaws, Gemini-powered phishing-as-a-service, and prompt injections in GitHub Actions.

Affected Systems

• Oracle PeopleSoft
• LangGraph
• Check Point Remote Access VPN (IKEv1)
• Windows
• Microsoft Defender
• Veeam Backup & Replication
• Arch Linux
• WinRAR

Vulnerabilities (CVEs)

• CVE-2026-35273
• CVE-2026-27022
• CVE-2026-50751
• CVE-2026-45657
• CVE-2026-41091
• CVE-2026-50507
• CVE-2025-8088

Attack Chain

Threat actors are leveraging newly discovered vulnerabilities, such as CVE-2026-35273 in Oracle PeopleSoft and CVE-2026-50751 in Check Point VPNs, to gain initial access to enterprise networks. In supply chain attacks, adversaries compromised the Arch User Repository to inject malicious build scripts that deploy Rust-based stealers and eBPF rootkits. Phishing campaigns are also utilizing legitimate RMM tools like NinjaOne and exploiting WinRAR flaws (CVE-2025-8088) to deploy credential stealers and establish persistence.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Check Point IPS

Check Point IPS provides protection against the Oracle PeopleSoft SSRF (CVE-2026-35273), LangGraph SQL Injection (CVE-2026-27022), and Check Point IKEv1 Auth Bypass (CVE-2026-50751).

Detection Engineering Assessment

EDR Visibility: Medium — EDR can detect post-exploitation activities like Rust stealers, eBPF rootkits, and unauthorized RMM tool usage (NinjaOne), but may lack visibility into network-edge exploits like VPN auth bypasses. Network Visibility: High — Network sensors and IPS are critical for detecting exploitation of public-facing applications (Oracle PeopleSoft, Check Point VPNs) and malicious traffic from stealers. Detection Difficulty: Moderate — While IPS signatures exist for the specific CVEs, detecting the abuse of legitimate RMM tools (NinjaOne) and supply chain compromises requires behavioral baselining and careful analysis of execution chains.

Required Log Sources

• VPN Gateway Logs
• Web Application Firewall (WAF) Logs
• Endpoint Process Execution Logs
• Linux Syslog/Auditd

Hunting Hypotheses

Control Gaps

• Lack of MFA on legacy VPN protocols
• Insufficient monitoring of third-party package repositories (AUR)
• Permissive execution of legitimate RMM tools

Key Behavioral Indicators

• Unexpected eBPF program loading on Linux
• NinjaOne agent execution from non-standard directories or untrusted installers
• WinRAR extracting files to startup directories

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Apply vendor patches for Oracle PeopleSoft (CVE-2026-35273), Check Point VPNs (CVE-2026-50751), Microsoft Windows, and Veeam Backup & Replication immediately.
• Disable the deprecated IKEv1 protocol on Check Point Remote Access VPN and Mobile Access deployments if currently enabled.

Infrastructure Hardening

• Evaluate whether to restrict or block the execution of unapproved Remote Monitoring and Management (RMM) tools like NinjaOne.
• Review and secure CI/CD pipelines, specifically checking for prompt-injection vulnerabilities in AI agents like Claude Code GitHub Action.

User Protection

• If your EDR supports it, ensure behavioral rules are active to detect credential stealers and unauthorized eBPF rootkits on Linux systems.
• Deploy phishing protections to block malicious archives exploiting WinRAR vulnerabilities (CVE-2025-8088).

Security Awareness

• Educate developers on the risks of supply-chain compromises in community repositories like the Arch User Repository.
• Train employees to recognize social engineering tactics involving fake business portals and phone-based instructions to install software.

MITRE ATT&CK Mapping

• T1190 - Exploit Public-Facing Application
• T1566.001 - Phishing: Spearphishing Attachment
• T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
• T1556 - Modify Authentication Process
• T1014 - Rootkit
• T1219 - Remote Access Software