Key takeaways
- Two separate Oracle flaws are driving the same outcome — CVE-2026-35273 in PeopleSoft (linked to the ShinyHunters campaign) and CVE-2026-46817 in E-Business Suite, a CVSS 9.8 unauthenticated flaw under active exploitation as of this week.
- These enterprise apps sit on top of enormous file and record estates. Once an attacker is inside via the app, reading at scale looks like ordinary application I/O.
- In the NAIC case, ShinyHunters alleged 3.1 TB and more than 105,000 files; NAIC says only publicly available filings, outdated logs, and configuration data were taken. An immutable, per-operation audit trail is what settles that kind of dispute.
- No systems were locked in these incidents. The leverage is the data itself — and once it is published, no backup or vault un-publishes it.
Through mid-2026 a pattern has repeated across the Oracle enterprise-application stack. According to public reporting from outlets including BleepingComputer, SC Media, Insurance Journal, and Cybersecurity Dive, the National Association of Insurance Commissioners (NAIC) identified unauthorized access to its PeopleSoft environment on or about June 11 via a zero-day tracked as CVE-2026-35273 — part of a broader campaign attributed to the ShinyHunters group that reportedly touched more than 100 organizations before Oracle shipped an emergency fix. Separately, and still unfolding, a critical flaw in Oracle E-Business Suite (CVE-2026-46817, CVSS 9.8) is under active exploitation in the wild; public reporting from BleepingComputer, The Hacker News, and Security Affairs puts roughly 950 exposed instances online, with the first in-the-wild exploitation observed in late June.
Two different products, two different bugs, one recurring outcome: attackers reach a trusted business application and use it to read files and regulated records at scale. Nothing gets encrypted. The leverage is exfiltration — steal the data, threaten to publish it, and demand payment for silence.
The app is trusted. The data behind it is the target.
Enterprise applications like PeopleSoft and E-Business Suite are not the prize — they are the door. Behind them sit years of accumulated unstructured and semi-structured data: regulatory filings, financial statements, payment records, HR documents, and the file shares those applications draw on. When an attacker is authenticated as the application, or is running code inside it, pulling that data down looks like the application doing its job.
The NAIC case shows how contested the aftermath can be. ShinyHunters allegedly claimed 3.1 terabytes and more than 105,000 files — insurer regulatory PDFs, statistical filings, and rating-agency data. NAIC has publicly stated that the exposed material was limited to publicly available statutory financial reporting, credit-rating data, outdated logs, and configuration information, with no personally identifiable or payment data taken. Both things can drive the same architectural conclusion: a trusted path read a large volume of files, and the reading itself is what nobody was watching. Attribute-based access control enforced per file and per operation is what keeps a compromised application account boxed into what it legitimately needs, rather than free to sweep an entire regulatory data estate reachable over SMB, NFS, S3, and Web Drive.
Bulk reads through a trusted app still look like bulk reads at the data layer
The reason these campaigns succeed is that the controls most organizations rely on sit upstream of the read that matters. A network sensor sees a session to an application it trusts. An endpoint agent sees the app process behaving normally. The application logs a lot of queries. None of that is watching the storage layer, where a single session is steadily reading tens of thousands of files it has no prior relationship with — a pattern that is behaviorally unmistakable if something is actually analyzing every operation.
That is what Active Defense is built to do: profile normal access per user, host, and dataset, recognize when a burst of reads departs from it, and terminate the session before the staging completes. RackTop filed for the inline Active Defense architecture on September 8, 2020 — ten months before Gartner named the Cyberstorage category in July 2021 — and it has shipped inline in the data path since October 2020. It is one of four U.S. patents on the architecture. Mass exfiltration through a trusted application is precisely the scenario it exists to catch.
The data-layer lessons
First, patch and least privilege are both necessary and both incomplete on their own. CVE-2026-46817 is a reminder to close known holes fast — but the next zero-day, or the next stolen application credential, will route around a patched perimeter. Detection has to reach the live data itself, because that is the one place every one of these attacks has to pass through.
Second, an immutable, per-operation audit trail turns a public argument into a precise answer. The NAIC and ShinyHunters offered very different accounts of what left the building; an authoritative record of exactly which files were read, by which session, and when, is the difference between a scoped disclosure and a worst-case assumption. When exfiltration does happen, that same record drives surgical recovery — restoring exactly what was touched rather than rolling back blindly.
Third, none of this is un-doable after the fact. These groups did not encrypt anything; they copied files and threatened to leak them, and in the NAIC case data was ultimately published online. No backup or vault un-publishes a file. With Oracle E-Business Suite still being exploited as of this week, any organization running these applications should assume the file and record estate behind them is the objective — and ask the one question that decides the outcome: when a trusted session starts reading your data at scale, does anything see it?
Frequently asked questions
- Not in the encrypt-and-extort sense. Public reporting describes data theft and extortion: attackers exploited the applications to exfiltrate files and records, then demanded payment to avoid leaking them. Nothing was locked, which is why backups alone do not resolve the exposure.
- By watching the data path itself. Behavioral detection on live storage flags a session reading tens of thousands of files outside its normal pattern and can stop it mid-exfiltration, ABAC limits how far any one application credential can reach, and an immutable per-operation audit trail lets you prove precisely what was and was not accessed.
Sources
