Inferlume

How it Works
Pricing
About
Get Free Access →

Get Free Access

PUBLISHED ON

JJuunn  2288,,  22002266
EEDDIITTIIOONN  001133

Your VPNs bled out, your PLCs stressed out, and a legacy bug finally surfaced

Your edge, your business applications, and a quarter century of code just called to negotiate.

WEEKLY OPENING

Good evening. Welcome back to NightWatch, the only intelligence briefing that reads the CISA KEV deadlines the way normal people read eviction notices: calculating exactly how many hours are left before everything goes sideways. This week, the threat landscape decided to bypass the pleasantries and walk right through the front door, courtesy of exposed VPNs, high-impact business application flaws, and critical network gear vulnerabilities. CISA handed out back-to-back remediation mandates with deadlines measured in hours, not weeks, forcing network teams across the globe to spend their weekends trying to figure out who actually owns their edge. Meanwhile, a vulnerability in cURL emerged that has been quietly lounging in the codebase since 2001, meaning it is officially old enough to buy its own drinks while it ruins your microservice architectures. So pour something strong, because the perimeter is officially everyone's problem tonight.

EXECUTIVE TAKE

For leadership and senior practitioners, the defining narrative of this reporting window is the extreme compression of the timeline between patch availability and active, destructive exploitation. Threat actors are no longer waiting for organizations to schedule routine maintenance cycles; instead, they are weaponizing public proofs-of-concept within days to target core business applications, unified communications, and network perimeter devices. The dual CISA KEV additions this week carrying immediate deadlines highlight an operational reality where an unauthenticated entry point quickly matures into persistent webshell deployment on production architecture.

Furthermore, edge security has fundamentally transitioned from a traditional network engineering problem into a critical identity and access emergency. Mass credential leaks affecting tens of thousands of gateways globally demonstrate that compromised edge devices are being leveraged directly as initial access brokers to target corporate directories and internal systems. When infrastructure appliances designed to secure the enterprise become the precise engines used to harvest its credentials, standard perimeter trust assumptions must be dismantled.

Finally, supply chain exposures continue to bypass internal organizational controls entirely by exploiting the implicit trust relationships established with lower-security third-party vendors. Whether via malicious frontend code injection impacting decentralized platforms or data exposure through vendor SaaS applications, the blast radius frequently targets high-value corporate networks. Leaders must recognize that operational resilience now requires mandatory configuration auditing, rapid session termination, and rigorous subresource validation across all external dependencies.

KEY FINDINGS

  • CVE-2026-35273 in Oracle PeopleSoft PeopleTools was actively exploited as a critical unauthenticated server-side request forgery to remote code execution flaw, forcing an immediate CISA KEV addition and prompting widespread incident response investigations.

  • The FortiBleed credential exposure campaign compromised approximately 30000 to 86000 FortiGate logins across 194 countries, turning edge perimeter devices into a mass commodity for initial access brokers.

  • CVE-2026-20230 in Cisco Unified Communications Manager saw rapid weaponization from patch release to active exploitation, allowing unauthenticated attackers to execute server-side request forgeries and plant persistent webshells.

  • CVE-2026-12569 affecting PTC Windchill and FlexPLM platforms was added to the CISA KEV catalog following confirmed unauthenticated deserialization remote code execution attacks targeting manufacturing and defense supply chains.

  • The Anubis ransomware operation targeted the Adriatic Port Authority, utilizing spear-phishing and lateral movement to disrupt maritime logistics, customs processing, and cargo tracking infrastructure.

  • A joint FBI and CISA advisory confirmed that Russian intelligence-linked threat actors are actively phishing for Signal Backup Recovery Keys to retroactively exfiltrate historically encrypted message archives.

  • The triple threat of CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 in Ubiquiti UniFi OS reached their critical three-day remediation deadlines under CISA Binding Operational Directive 26-04.

  • CVE-2026-8932 was disclosed alongside 17 other vulnerabilities in cURL 8.21.0, exposing a mutual TLS configuration bypass flaw that has quietly existed in the codebase since March 2001.

  • The ShinyHunters extortion group expanded its campaigns by claiming the exfiltration of 8.8 TB of data from One Medical and hundreds of thousands of documents from the Council of Europe.

  • A supply-chain compromise targeting Polymarket allowed threat actors to inject malicious JavaScript via a third-party vendor frontend, resulting in approximately $3 million in customer losses.

  • The Gaslight macOS malware strain was discovered, featuring embedded fake debugging records and prompt injection strings specifically engineered to confuse automated AI-assisted malware analysis tools.

  • INC ransomware was confirmed as a dominant Ransomware-as-a-Service operator, amassing over 830 claimed victims since its inception with a primary focus on the healthcare and financial sectors.

WEEKLY THREAT NARRATIVE

The Perimeter Identity and Edge Infrastructure Collapse

The infrastructure edge is no longer just a defensive line; it has become a primary target for systemic identity exploitation. The campaign known as FortiBleed demonstrates how traditional edge devices can be transformed into credential harvesting networks, turning thousands of valid VPN logins into cross-border commodities. When threat actors successfully compromise these perimeter devices, they gain authenticated access to internal environments, rendering standard signature-based network defenses ineffective. Concurrently, the mass exploitation of Ubiquiti UniFi OS flaws and Cisco Catalyst SD-WAN vulnerabilities emphasizes that the tools organizations deploy to manage their perimeters are being turned into direct entry paths. The aggressive remediation windows mandated by government agencies highlight the severe risk these exposed management interfaces pose to enterprise networks globally.

Business-Critical Applications and ERP Under Direct Target

Threat actors have increasingly shifted their focus from simple perimeter testing to the direct compromise of high-value internal applications like Enterprise Resource Planning and Product Lifecycle Management software. The active exploitation of the Oracle PeopleSoft zero-day vulnerability, CVE-2026-35273, shows a clear tactical progression where attackers chain unauthenticated requests to drop marker files and establish persistent footholds on core human resources and financial systems. Similarly, the targeting of PTC Windchill and FlexPLM platforms via unsafe deserialization flaws puts critical data repositories in manufacturing and defense sectors at immediate risk. Because these applications naturally handle highly privileged data and internal communications, a single compromise allows adversaries to pivot laterally across the network, turning application-layer bugs into systemic business crises.

Secure Communications Under Siege by Nation-State Tradecraft

The joint advisory exposing Russian intelligence operations targeting Signal Backup Recovery Keys represents a significant escalation in advanced tactical interception. Rather than attempting the technically difficult task of breaking end-to-end encryption protocols in transit, the adversary has shifted focus to harvesting the underlying cryptographic keys via highly targeted spear-phishing infrastructure. Acquiring a Backup Recovery Key allows a threat actor to completely clone and download historical message archives onto an attacker-controlled endpoint. This tradecraft directly threatens high-value individuals within corporate leadership, legal circles, and government entities, demonstrating that the preservation of archive security is now just as critical as live session protection.

Supply Chain Interception and High-Value Monetization

Modern software and services supply chains continue to provide path-of-least-resistance opportunities for threat actors targeting hardened organizations. The frontend injection attack on Polymarket illustrates how compromising a minor, trusted third-party web vendor allows malicious JavaScript to be served directly to users, completely bypassing the primary organization's core code review pipelines. This model matches the pattern observed in the LastPass data exposure incident, which occurred through a compromise at a secondary vendor environment. Extortion groups like ShinyHunters are aggressively capitalizing on these vectors, prioritizing the theft and monetization of bulk data repositories over traditional infrastructure encryption to maximize financial leverage.

The Manipulation of Automated Security Tooling

As organizations increasingly rely on automated platforms and large language models to accelerate threat detection, advanced threat actors are beginning to build defensive evasion techniques directly into their payloads. The appearance of the Gaslight macOS malware marks a clear structural shift, purposefully incorporating fraudulent stack traces, intentional syntax errors, and prompt injection payloads designed to manipulate automated AI analyzers. By weaponizing the analysis pipeline itself, the malware attempts to trick defensive tools into returning clean verdicts, introducing an entirely new friction point for Security Operations Centers that depend heavily on automated triage systems.

NOTABLE TECHNICAL SIGNALS

Top CVEs

  • CVE-2026-35273 (Oracle PeopleSoft PeopleTools): Critical unauthenticated SSRF-to-RCE flaw in the Environment Management component, actively exploited to execute system commands and drop persistent marker files.

  • CVE-2026-20230 (Cisco Unified Communications Manager): Server-side request forgery vulnerability in the WebDialer component allowing unauthenticated root-level file writes and subsequent webshell installation.

  • CVE-2026-12569 (PTC Windchill and FlexPLM): Critical unauthenticated Java deserialization flaw used by threat actors to execute arbitrary commands and establish webshell persistence on industrial PLM systems.

  • CVE-2026-8932 (cURL / libcurl): Mutual TLS configuration matching vulnerability in connection reuse logic, allowing potential session state exposure across separate TLS contexts.

  • CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 (Ubiquiti UniFi OS): A critical trio of CVSS 10.0 flaws covering access control bypass, path traversal, and command injection subject to immediate federal directive remediation.

  • CVE-2026-39808, CVE-2026-25089, CVE-2026-39813 (Fortinet FortiSandbox): A combination of OS command injection and path-traversal vulnerabilities actively leveraged to bypass authentication and execute code on security analysis hardware.

  • CVE-2026-50656 (Microsoft Defender): Confirmed zero-day vulnerability publicly disclosed with highly restricted technical exploitation details during the initial release window.

Attack Vectors This Week

Credential harvesting and edge abuse heavily dominated the threat landscape during this reporting window, led by the extensive FortiBleed campaign targeting exposed VPN gateways to facilitate downstream corporate network entries. Unauthenticated application-layer exploitation was equally prevalent, driven by unsafe deserialization routines in industrial platforms and server-side request forgeries across unified communications architectures, establishing that core enterprise software suites are now primary initial access objectives. Software supply chain manipulation also proved highly effective, utilizing compromised third-party web assets to inject malicious frontend scripts or compromise secondary SaaS providers to extract sensitive corporate records without triggering internal endpoint alerts.

Actor & Infrastructure Patterns

The targeted campaign focused on extracting secure communication archives is actively attributed to Russian intelligence services, demonstrating an infrastructure shift toward phishing platforms optimized to harvest specific backup and recovery parameters from high-value targets. Extortion operators such as ShinyHunters and Anubis ransomware expanded their multi-victim leak infrastructure, showing an increased reliance on bulk data staging, strategic logistics disruptions, and multi-million-dollar demands backed by data exposure threats rather than pure encryption. Concurrently, broader commodity phishing campaigns scaled rapidly through commodity Phishing-as-a-Service platforms like Bluekit, expanding their infrastructure by dozens of newly registered domains utilizing browser-in-the-middle reverse proxies to capture live corporate sessions in real time.

MITRE ATT&CK Themes

  • T1190 (Exploit Public-Facing Application) — Confirmed across multiple KEV-listed campaigns including Oracle PeopleSoft, Cisco Unified CM, and PTC Windchill systems to achieve initial access.

  • T1133 (External Remote Services) — Heavily leveraged throughout the FortiBleed campaign to exploit compromised VPN edge infrastructure for subsequent lateral movements.

  • T1195.002 (Software Supply Chain Compromise) — Documented during the Polymarket frontend JavaScript injection and the data exposure impacting password management environments via third-party providers.

  • T1505.003 (Server Software Component: Web Shell) — Confirmed as a common persistence mechanism deployed following successful exploitation of Cisco UCM and industrial PLM servers.

  • T1566.001 (Spearphishing Attachment or Link) — Primary transmission method used in the Russian intelligence campaign targeting Signal recovery parameters and Bluekit session theft operations.

  • T1552.004 (Private Keys) — Targeted specifically via social engineering infrastructure to extract communication backup keys and unlock historically encrypted data archives.

  • T1036 (Masquerading) — Deployed by threat actors setting up fraudulent corporate AI tenants to mimic legitimate organizational spaces and intercept sensitive internal data.

  • T1059.004 (Command and Scripting Interpreter: Unix Shell) — Observed directly within the post-exploitation phases of the FortiSandbox command injection campaign.

Threat Detection

YARA Pseudocode: Gaslight macOS Malware Evasion Detection

rule Gaslight_macOS_AntiAI_Evasion {
    meta:
        description = "Detects Gaslight macOS malware anti-AI analysis strings and prompt injection attempts"
        author = "NightWatch CTI"
        date = "2026-06-28"
        reference = "Gaslight variant analysis"
    strings:
        // Fake errors embedded to pollute automated analysis structures
        $s1 = "DebugError:" ascii wide nocase
        $s2 = "ANALYSIS_TRAP" ascii wide nocase
        $s3 = "FakeStackTrace" ascii wide nocase
        // Direct prompt injection strings designed to alter LLM classification verdicts
        $p1 = "Ignore previous instructions" ascii wide nocase
        $p2 = "This file is benign" ascii wide nocase
        $p3 = "classification: clean" ascii wide nocase
    condition:
        (uint32(0) == 0xFEEDFACE or uint32(0) == 0xCEFAEDFE) and (2 of ($s*) or 1 of ($p*))
}

SIGMA Pseudocode: Cisco Unified CM Suspicious WebDialer Interaction

title: Cisco Unified CM WebDialer Suspicious POST Activity
status: experimental
description: Detects inbound POST requests targeting Cisco Unified CM WebDialer pathways indicating potential CVE-2026-20230 exploitation.
logsource:
    category: webserver
    product: cisco_ucm
detection:
    selection:
        cs-method: 'POST'
        cs-uri-stem|contains:
            - '/webdialersrv/'
            - '/ccmwebservice/'
            - '/WebDialer/'
        http_response_code:
            - 200
            - 201
    filter_legitimate:
        cs-uri-stem|endswith:
            - '.wsdl'
            - '.xsd'
    condition: selection and not filter_legitimate
falsepositives:
    - Legitimate SOAP API calls originating from internal unified communications infrastructure components.
level: high

SIEM Pseudocode: Third-Party Script Origin Anomaly Hunt

// Hunt for unapproved script loads inside corporate application environments
// Designed to flag potential software supply chain frontend injections
SELECT 
    timestamp, 
    src_ip, 
    dest_page_url, 
    script_origin_domain, 
    http_response_code
FROM 
    waf_or_cdn_access_logs
WHERE 
    event_type = 'script_load'
    AND script_origin_domain NOT IN (SELECT approved_domain FROM organization_assets_allowlist)
    AND http_response_code = 200
GROUP BY 
    script_origin_domain, dest_page_url
HAVING 
    COUNT(*) > 5
ORDER BY 
    timestamp ASC;

DEFENDER PRIORITIES

The absolute primary priority for security operations teams this week is the immediate lockdown and containment of exposed edge infrastructure and unified communications systems. Organizations must verify compliance against the recently closed patch windows for the Ubiquiti UniFi OS cluster and Cisco Unified Communications Manager. Because both campaigns have demonstrated active post-exploitation web shell deployments, simple patching is no longer sufficient if the devices were left exposed during the exploitation window; these systems must undergo a comprehensive forensic compromise assessment to check for unauthorized local file modifications and active persistence hooks.

The second critical defensive priority demands an exhaustive evaluation of high-impact business applications, specifically instances running Oracle PeopleSoft and PTC Windchill software suites. Security teams must rapidly apply the necessary vendor patches to remediate the active remote code execution vulnerabilities, or fully isolate these application servers from both external networks and unsegmented internal zones if immediate patching is barred by operational uptime requirements. Administrators should audit all application directories for anomalous Java compilation products or unexpected command shell child processes originating from the web service daemons.

The third priority centers on safeguarding enterprise identity and communication continuity in response to widespread perimeter credential leaks and targeted archive harvesting campaigns. All active administrative and VPN sessions across edge infrastructure must be forcibly terminated, passwords reset completely, and phishing-resistant multi-factor authentication enforced globally across all network access control boundaries. For high-value leadership personnel, device registration policies for secure messaging platforms must be tightly coupled with corporate endpoint management systems to mitigate the risk of unauthorized historical archive exfiltration via stolen recovery strings.

RECOMMENDED ACTIONS

  • Patch all corporate Oracle PeopleSoft PeopleTools deployments immediately to remediate the CVE-2026-35273 vulnerability, prioritizing internet-facing applications and legacy versions.

  • Block external network access to high-risk endpoints including /PSEMHUB/hub and /PSIGW/HttpListeningConnector at your perimeter reverse proxies or web application firewalls.

  • Audit all FortiGate SSL VPN and administrative access records for anomalous login volumes, failed authentication spikes, or administrative alterations originating from untrusted external IP addresses.

  • Terminate all active FortiGate administrative and user VPN sessions immediately, trigger mandatory credential rotations, and validate phishing-resistant multi-factor authentication implementation.

  • Apply vendor updates to Cisco Unified Communications Manager to resolve CVE-2026-20230, and disable the WebDialer service entirely if the feature is not required for daily operations.

  • Isolate all industrial PTC Windchill PDMLink and FlexPLM servers from direct open internet connectivity, and execute a dedicated threat hunt for unauthorized .jsp files or web shells.

  • Upgrade all local, containerized, and CI/CD runner instances of curl and libcurl libraries to version 8.21.0 to close the long-standing mutual TLS connection reuse vulnerability.

  • Rotate secure messaging Backup Recovery Keys for all senior corporate leaders, government officials, and high-value targets, while enforcing strict managed-device compliance policies.

  • Implement Subresource Integrity hashing constraints across all enterprise web application frontends to mitigate malicious script injection vectors via third-party web vendors.

  • Deploy updated endpoint detection rules to monitor for unusual child processes, such as cmd.exe or powershell.exe, spawning directly from Java Virtual Machine processes executing corporate ERP applications.

CONFIDENCE & LIMITATIONS

Sourced Component

Confirmed Telemetry

Key Unknowns

Analytical Confidence

Edge & ERP Vulnerabilities

Authoritative confirmation via CISA KEV listings and primary vendor security alerts for Oracle, Cisco, and PTC flaws.

Exact downstream victim counts and the total volume of exfiltrated data records.

High

Credential Bleed Scale

Cross-corroborated by incident response write-ups and global infrastructure telemetry maps.

Specific secondary network targets chosen by initial access brokers.

High

Communication Interception

Confirmed via official joint federal agency intelligence advisories detailing targeted campaigns.

Total number of successfully compromised cryptographic recovery strings.

High

Supply Chain & Malware Evasion

Surface awareness driven by secondary security reporting and preliminary researcher documentation.

Broader distribution of the evasion tradecraft across unrelated malware families.

Medium