Weekly Brief, June 15, 2026
Cybersecurity Events & Incidents
- UNC6240, ShinyHunters, exploited Oracle PeopleSoft CVE-2026-35273 as a zero day against over 100 organizations, with heavy U.S. higher education targeting. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- Qilin affiliates exploited Check Point VPN CVE-2026-50751 in targeted ransomware activity affecting IKEv1 remote access deployments. Source: https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
Vendor & Security Product Updates
- Microsoft June Patch Tuesday addressed 204 vulnerabilities, including 38 critical issues and three publicly disclosed flaws. Source: https://isc.sans.edu/diary/Microsoft%2BJune%2B2026%2BPatch%2BTuesday/33064
- Oracle issued an out of band PeopleSoft advisory for CVE-2026-35273 after observed exploitation. Source: https://www.helpnetsecurity.com/2026/06/11/oracle-peoplesoft-under-attack-cve-2026-35273/
- Palo Alto Networks published PAN OS advisories, including CVE-2026-0266. Source: https://security.paloaltonetworks.com/
Geopolitical & Political Developments
- CrowdStrike assessed China linked actors as the largest espionage threat to technology firms, especially AI and semiconductor adjacent targets. Source: https://www.reuters.com/business/media-telecom/chinese-hackers-pose-biggest-espionage-threat-tech-firms-crowdstrike-says-2026-06-09/
- North Korea linked Famous Chollima activity remains focused on fraudulent IT worker placement, insider access, payroll diversion, and IP theft. Source: https://www.techradar.com/pro/security/north-korea-accounts-for-almost-half-of-all-attacks-against-tech-industry-and-the-proceeds-go-straight-into-developing-new-weapons-of-mass-destruction-for-the-hermit-kingdom
Notable Vulnerabilities & Patches
- CVE-2026-50751, Check Point Security Gateway improper authentication, was added to CISA KEV with a June 11 remediation deadline for federal agencies. Source: https://nvd.nist.gov/vuln/detail/CVE-2026-50751
- CVE-2026-35273, Oracle PeopleSoft PeopleTools RCE, has CVSS 9.8 and confirmed exploitation against exposed PSEMHUB endpoints. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- Microsoft M365 Copilot CVE-2026-45497 and CVE-2026-42824 were highlighted as critical command injection issues. Source: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-june-2026/
Threat Actors
- UNC6240, ShinyHunters, used MeshCentral agents masquerading as Azure services, PeopleSoft reconnaissance, zstd compression, and DLS based extortion. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- Qilin, also tracked as Agenda, continues RaaS operations with VPN exploitation, double extortion, and critical infrastructure targeting.
Analyst Comments / Defender Impact Summary
- Highest priority is exposed edge access, especially Check Point VPN using IKEv1 and Oracle PeopleSoft PSEMHUB endpoints reachable from the internet. Source: https://www.rapid7.com/blog/post/etr-critical-check-point-vpn-zero-day-exploited-in-the-wild-cve-2026-50751/
- Hunt for external POST requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector, suspicious JSP files, MeshCentral agent execution, sshpass use, and zstd archive creation. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
U.S.-Focused Threat Intelligence Snapshot
- Google reported most notified PeopleSoft exposed organizations were U.S. based, with 68 percent in higher education. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- DOJ reported a Ukrainian national pleaded guilty in connection with Conti ransomware activity that impacted more than 1,000 computers and networks worldwide. Source: https://www.justice.gov/opa/pr/ukrainian-national-pleads-guilty-wire-fraud-conspiracy-connection-conti-ransomware
Security Community Trends (GitHub & Twitter/X)
- GitHub repositories appeared for CVE-2026-35273, increasing exploit reproducibility risk around PeopleSoft. Source: https://github.com/HORKimhab/CVE-2026-35273
- PoC tracking repositories listed new June 2026 entries including Palo Alto Networks PAN OS CVE-2026-0273. Source: https://github.com/nomi-sec/PoC-in-GitHub
Emerging Technical Intelligence (Moderate Confidence)
- Moderate Confidence, open directories observed by researchers exposed ShinyHunters staging hosts, customized MeshCentral agents, and command history tied to PeopleSoft exploitation. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- Moderate Confidence, ThreatFox shows fresh June 15 ScreenConnect related RAT infrastructure, useful for RMM abuse hunting. Source: https://threatfox.abuse.ch/browse/
Summary
- Immediate threats, Oracle PeopleSoft CVE-2026-35273 exploitation by ShinyHunters and Check Point VPN CVE-2026-50751 exploitation by Qilin affiliates. Source: https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
- Actionable steps, patch Oracle PeopleSoft and Check Point VPN, disable exposed PSEMHUB where possible, retire IKEv1, and hunt for MeshCentral, suspicious VPN sessions, zstd, sshpass, and unauthorized JSP files. Source: https://blog.checkpoint.com/security/check-point-releases-important-hotfix-for-vulnerabilities-in-deprecated-ikev1-vpn-protocol/
- Longer term needs, harden internet facing ERP and VPN assets, enforce asset discovery, monitor RMM misuse, and validate third party higher education and SaaS exposures. Source: https://www.runzero.com/blog/check-point-devices/
IOCs
- 142.11.200.186 (UNC6240, ShinyHunters, PeopleSoft staging infrastructure)
- 142.11.200.187 (UNC6240, ShinyHunters, PeopleSoft staging infrastructure)
- 142.11.200.188 (UNC6240, ShinyHunters, PeopleSoft staging infrastructure)
- 142.11.200.189 (UNC6240, ShinyHunters, PeopleSoft staging infrastructure)
- 142.11.200.190 (UNC6240, ShinyHunters, PeopleSoft staging infrastructure)
- 176.120.22.24 (UNC6240, ShinyHunters, DLS mirror connection)
- 139.59.137.44 (Remus, C2 activity)
- 85.137.52.21 (Stealc, SmartLoader related activity)
- 124.198.131.74 (Unknown RAT, ScreenConnect RMM abuse)
- 77.83.39.195 (Unknown RAT, ScreenConnect RMM abuse)