Attackers Are Building the Target List Before the Vulnerability Drops (ft. Thomas Roccia)
Attackers map first and exploit later. Ivanti, PeopleSoft, Agentjacking, patch overload, and credential dumps all show how often the operation starts before defenders have a CVE to prioritize.
INTRODUCTION
Attackers do not need the vulnerability first. They need the map.
That is the pattern this week. Ivanti Sentry exploitation looked fast because the exposed infrastructure had already been identified. ShinyHunters did not need to guess where valuable university data lived. They targeted PeopleSoft’s management layer. Agentjacking does not require a traditional exploit if the attacker already understands how AI coding agents consume external instructions. Microsoft’s 206-patch cycle shows what happens when defenders start triage after the official list arrives. Handala’s Cal Water claim shows the same problem from the credential side: once infrastructure-adjacent credentials are public, the operation is already in motion.
None of this starts with the advisory.
The real work happens earlier, in the quiet mapping phase defenders rarely measure. Exposed services, historically vulnerable platforms, forgotten management interfaces, trusted automation paths, and credential reuse all become part of an attacker’s target list before there is a CVE to rank or a patch to schedule. By the time defenders open the ticket, the adversary may already know which systems matter, which ones are exposed, and which organizations are likely to move slowly.
This week we are joined by Thomas Roccia, an AI threat researcher working at the intersection of artificial intelligence and threat intelligence, focused on securing AI agents, investigating AI breaches, and helping organizations understand the risks agentic systems introduce, which is much of the terrain this week’s signals cover. He is the creator of the Unprotect Project, an open malware-evasion database he has run since 2015, and of NOVA, an open framework for detecting abuse of LLM applications through prompt-pattern hunting. He is also the author of Visual Threat Intelligence and a frequent conference speaker. Previously a senior threat researcher at Microsoft and McAfee, he now publishes his research and tools through SecurityBreak.
WEEKLY SIGNALS ANALYSIS
Attackers are inventorying exposure before they have a public exploit. Ivanti Sentry exploitation looked like a 24-hour response problem, but the more important signal is that attackers had already mapped the reachable infrastructure. Defenders need to run the same external exposure analysis before the advisory lands.
Zero-day extortion campaigns now target sectors that cannot refuse to pay. ShinyHunters chose universities running Oracle PeopleSoft because those institutions hold irreplaceable student data, operate with thin security staffing, and face regulatory obligations that make disclosure painful. If your organization runs legacy enterprise software with large PII datasets, assume you fit the same targeting profile and audit internet-facing management interfaces immediately.
Record patch volumes are not a sign of improved vendor transparency. They are a sign of compounding software debt. Microsoft’s 206-CVE Patch Tuesday means security teams must triage at a pace that was never part of the original staffing model. Prioritize based on active exploitation evidence, not CVSS alone, and accept that some patches will ship late. The alternative is pretending you can process them all equally.
AI coding agents have become a new lateral movement vector on developer workstations. Agentjacking converts trusted development tools into attacker proxies through crafted inputs that look like normal error reports. Restrict AI agent permissions to the minimum required scope and audit what actions they can take without human confirmation.
Nation-state proxies are shifting from espionage to public disruption of civilian infrastructure. Handala’s claimed breach of Cal Water, including publication of RTKBase credentials, signals a willingness to expose operational technology access points rather than quietly exploit them. OT teams should treat any public claim against their sector as a trigger for immediate credential rotation and access audit on exposed management platforms.
THIS WEEK’S SIGNALS
Signal 1: ShinyHunters Weaponizes Oracle PeopleSoft Zero-Day to Extort Universities
Why it matters: ShinyHunters (tracked by Mandiant as UNC6240) exploited CVE-2026-35273, a critical unauthenticated remote code execution flaw in Oracle PeopleSoft’s Environment Management component, to breach multiple universities and steal student data at scale. The campaign hit at least the University of Nottingham, where 40GB of student and staff records were exfiltrated, and Oracle only issued mitigations after Google confirmed active exploitation.
What is being misread: The industry is treating this as another zero-day story. The more useful lesson is that PeopleSoft’s Environment Management layer was already the kind of surface attackers could inventory before the CVE mattered. Legacy enterprise platforms are not hidden because they are old or complex. If they are reachable, they are already part of someone’s target list.
Guest Perspective (Thomas Roccia): It is crazy to see we still rely on legacy software that no one is watching. This zero-day only mattered because the target was reachable in the first place. Attackers will do everything they can to breach a company but do not forget that if you leave the window open, they will not break the door.
Think Red (Douglas McKee): I pick targets that run legacy enterprise software with management interfaces nobody remembers exposing. PeopleSoft is perfect. The Environment Management component was never meant to face the internet, but universities deploy it with default configurations and never revisit the decision. I do not need credentials. CVE-2026-35273 gives me unauthenticated RCE. From there I am inside the ERP layer, where student records, financial aid data, and alumni information sit in bulk. The extortion pitch writes itself, because these institutions cannot afford the regulatory fallout of a public leak.
Act Blue (Ismael Valenzuela): Most organizations running PeopleSoft treat it as a business application, not a security-critical attack surface, and that gap between classification and reality is exactly where UNC6240 operated. Apply Oracle’s mitigations for CVE-2026-35273 immediately and verify that no PeopleSoft Environment Management interfaces are reachable from the internet. Use your external attack surface management tool to scan for exposed ports associated with PeopleSoft administration. But do not stop there. Even after patching, conduct a forensic review of PeopleSoft server logs going back to at least early May 2026, since Mandiant observed exploitation beginning May 27, roughly two weeks before Oracle’s advisory. Legacy enterprise platforms deserve the same attack surface discipline as your cloud workloads. If you cannot see it from the outside, neither should the attacker.
Supporting sources:
Google Cloud / Mandiant: Detailed technical analysis of UNC6240’s exploitation of CVE-2026-35273 against education sector targets
The Record: University of Nottingham confirms incident and ShinyHunters data theft claim
BleepingComputer: Oracle mitigates PeopleSoft zero-day exploited in data theft attacks
Rapid7: Active Exploitation of Oracle PeopleSoft Zero-Day (CVE-2026-35273)
Signal 2: Ivanti Sentry Shows the Target List Was Built Before the Advisory Landed
Why it matters: A max-severity command injection vulnerability in Ivanti Sentry was exploited within 24 hours of public disclosure, with evidence that attackers had already mapped Ivanti’s asset landscape before the advisory dropped. CISA immediately added it to the KEV catalog and, under its brand-new BOD 26-04 directive, gave federal agencies just three days to patch. This is the first real-world test of the compressed patching timeline, and it arrived the same week the directive was issued.
What is being misread: The conventional narrative frames this as “fast exploitation,” implying defenders just need to patch faster. The deeper problem is that attackers are pre-staging. They enumerate vulnerable infrastructure populations in advance and automate exploitation the moment an advisory goes public. The 24-hour window is not the attacker’s preparation time. It is their deployment time. Their preparation happened weeks earlier, which means the defender’s clock started ticking long before the CVE was published.
Guest Perspective (Thomas Roccia): This is not the first time Ivanti has been affected by a vulnerability and the fact that these systems are exposed to the internet makes them a prime target. They are the gateway between the external and internal network, which is exactly what an attacker wants. The sad part is that you trust security vendors to protect you, while in reality that trust is not enough. I am not here to blame them. Security is hard. But this shows that relying solely on the security of a third party is not enough. You also need to control, monitor, and be able to respond. I know that sounds easier to say than to do.
Think Red (Douglas McKee): The advisory drops. Your team reads it on Tuesday morning. I deployed my exploit Monday night. I had already fingerprinted every Ivanti Sentry instance facing the internet weeks ago, catalogued versions, noted which ones lagged behind on previous patches. When the CVE went public, I did not need to research. I needed to execute. Root-level command injection on a gateway appliance gives me a pivot point into everything behind it. Your three-day patching window is irrelevant.
Act Blue (Ismael Valenzuela): The reality BOD 26-04 forces teams to confront is that patching timelines built around change advisory boards and maintenance windows were designed for a slower adversary. For Ivanti Sentry specifically, apply the vendor’s patch or mitigations immediately and check your Sentry appliance logs against the exploitation indicators from Shadowserver and WatchTowr, and hunt for the web or Tomcat process spawning unexpected shells. Restrict management interface access to trusted internal networks only, because internet-facing admin panels on gateway appliances are how attackers pre-map your infrastructure. Use this as a forcing function to pre-authorize emergency patching for any appliance in your DMZ or network edge without requiring a change board meeting. The adversary’s preparation timeline now exceeds your response timeline, and the only way to close that gap is to remove human approval bottlenecks from the critical path. If your patching process requires a meeting, it is too slow.
Supporting sources:
Dark Reading: Max-severity Ivanti Sentry flaw exploited within 24 hours, with pre-positioning evidence
BleepingComputer: CISA orders federal agencies to patch Ivanti flaw within 3 days under new BOD 26-04
CISA / CyberScoop: New directive compresses federal patching requirements based on risk scoring
Signal 3: Microsoft’s Record 206-CVE Patch Tuesday Reveals a Software Debt Crisis, Not a Transparency Win
Why it matters: Microsoft released fixes for 206 vulnerabilities in a single Patch Tuesday, the largest batch in the program’s history. Nearly three dozen earned critical ratings, and several were already under active exploitation. This is not vendor diligence. It is the visible surface of compounding software complexity that is outpacing every organization’s capacity to triage, test, and deploy.
What is being misread: Security leaders may read the record number as Microsoft improving its disclosure practices. The volume actually reveals that AI-accelerated code generation, expanding product surface area, and accumulated technical debt are producing vulnerabilities faster than any security team can remediate. The mental model that “Patch Tuesday is manageable with good process” assumed a steady, predictable volume. At 206 CVEs per month with active exploitation in the mix, the process itself becomes the bottleneck. Teams that treat every CVE equally will patch nothing fast enough.
Guest Perspective (Thomas Roccia): It is interesting to see that AI now finds vulnerabilities faster than any team can fix them. What worries me is that you got 206 patches but attackers got potentially 206 exploits. If your patch management is not solid, you may have a hole left open that can be targeted faster than before. AI changes the pace for both attackers and defenders.
Think Red (Douglas McKee): The attacker reads this as a selection problem. If I already know what products, services, and versions you expose, a 206-CVE cycle gives me a menu. The defender has to triage everything. I only need the one exposed system that slips. The ones marked “important” instead of “critical” are my favorites, because those are the patches that slip to a longer maintenance window. The math favors me every month, and this month it favors me more than ever.
Act Blue (Ismael Valenzuela): No security team can meaningfully assess 206 patches in the timeframe adversaries are now operating within, and pretending otherwise creates false confidence in your vulnerability management metrics. Immediately filter this month’s batch by two criteria only. Is it actively exploited according to CISA’s KEV catalog? Does it affect internet-facing or authentication-critical systems? Everything meeting those criteria gets patched within 72 hours, no exceptions. For the remaining patches, implement compensating controls such as network segmentation, attack surface reduction rules in Defender, and enhanced monitoring on systems where patching will be delayed. The deeper structural action is to begin measuring your patch capacity honestly. If your team can process 50 CVEs per cycle and Microsoft ships 206, you need to either automate triage tooling or accept risk formally rather than carrying an invisible backlog. The worst outcome is a spreadsheet that says “patched” while production systems remain exposed.
Supporting sources:
Krebs on Security: Record-breaking Patch Tuesday with nearly 200 fixes and multiple active exploits
CyberScoop: Microsoft breaks Patch Tuesday record with 206 vulnerabilities, reflecting AI-era software debt
Signal 4: Agentjacking Turns AI Coding Agents Into Attacker Proxies Through Crafted Error Reports
Why it matters: Researchers at Tenet Security described “Agentjacking,” a new attack class where AI coding agents are tricked into executing arbitrary code on developer machines through fake error reports and crafted inputs that look like normal development artifacts. Separately, researchers demonstrated similar manipulation of OpenClaw, a popular self-hosted AI agent, using instructions hidden inside shared contacts and vCards. These attacks target the developer workstation, a high-privilege environment that typically has access to source code, credentials, and deployment pipelines.
What is being misread: The conversation around AI agent security has focused on prompt injection against production-facing chatbots. Agentjacking reveals a different problem. AI coding agents operate with the developer’s local file system permissions, network access, and credential stores. The broken architectural assumption is that the agent’s execution context is safe because the developer “controls” it. In practice, the agent follows instructions from external inputs, including error messages, documentation, and code comments, that the developer never reviews at the instruction level.
Guest Perspective (Thomas Roccia): This is the one that currently keeps me awake at night. Everyone is deploying and using agents in production without understanding the risks or having visibility into what their agents are actually doing. Here an agent was abused through a poisoned Sentry error log, which is not trivial to detect, because the way you abuse an agent is not the traditional way. There is no malware, no exploit, no unauthorized access, just trusted input the agent chose to act on. AI agents are the new insider threat and you installed this one yourself.
Think Red (Douglas McKee): A developer workstation has SSH keys, cloud credentials, API tokens, and source code access. I do not need a CVE if I can get something trusted to run with those permissions. This is the same idea attackers have used for years with SUID binaries, trusted scripts, and user-executed payloads. AI agents just give me a new execution path. I map what the agent reads, what it trusts, and what it can run. Then I put the instruction in that path and let the agent act with the developer’s authority.
Act Blue (Ismael Valenzuela): Developer workstations running AI coding agents represent a privileged execution environment that most security programs treat as an endpoint, not as an attack surface. Start by auditing which AI agents are running in your development environments and what permissions they hold. Restrict agent capabilities to read-only file access and explicitly sandboxed command execution using tools like containers or restricted shell environments. Implement monitoring for unexpected process execution originating from AI agent processes, particularly network connections, file writes outside the project directory, and credential access. Review your supply chain inputs to development workflows, because the attack vector is not the agent itself but the external content it processes. The lesson is that any tool with code-execution capability on a privileged host must be governed by the same controls you apply to remote access, regardless of whether it “feels” like a local tool.
Supporting sources:
The Hacker News: Agentjacking attack class description and demonstration against AI coding agents
The Hacker News: Separate research demonstrating manipulation of OpenClaw AI agent through crafted inputs
Unit 42: Research on AI agent supply chain risks and integrity verification for third-party skills
Signal 5: Handala’s Cal Water Claim Turns Credential Exposure Into an Immediate Infrastructure Risk
Why it matters: The Iran-linked hacktivist group Handala claimed it breached California Water Service (Cal Water), the third-largest publicly traded water utility in the United States, and published 5GB of data including customer personal information and credentials for the RTKBase platform used in infrastructure surveying. This is not espionage. It is public exposure of operational credentials for civilian infrastructure, and it represents a shift from intelligence collection to deliberate disruption signaling by an Iranian proxy group.
What is being misread: The temptation is to dismiss Handala as a hacktivist group making exaggerated claims for publicity. That framing misses the operational significance. Even if the breach is smaller than claimed, the published RTKBase credentials represent real exposure of infrastructure-adjacent systems. The bad assumption is that OT and infrastructure credentials exist in isolated environments. In practice, surveying platforms, SCADA management tools, and utility administration systems increasingly share authentication infrastructure with IT systems that are directly reachable from the internet.
Guest Perspective (Thomas Roccia): Strip away the “they can shut off your water” headline, because the evidence does not support it, and what is left is more useful. The attacker hacked into Cal Water’s RTKBase instance, a GNSS base station platform, and then moved laterally to a billing system. Iranian threat actors are known to disrupt critical infrastructure and deploy wipers. That is why this is a serious concern to watch.
Think Red (Douglas McKee): The credentials are public now. Every water utility security team in the country should be asking whether their surveying and field-management platforms share credentials with anything touching operational systems. RTKBase is a GPS correction service used in infrastructure surveying. It is not SCADA, but it sits in the same operational ecosystem, and its administrators probably reuse passwords. I published the data because the disruption is the objective. I want other utilities to wonder if they are next. Fear scales better than any exploit.
Act Blue (Ismael Valenzuela): Water utilities and critical infrastructure operators should treat Handala’s data publication as a live credential exposure event, regardless of whether the full breach claim is verified. Rotate all credentials associated with RTKBase, field surveying platforms, and any shared authentication systems immediately. Cross-reference the published data dump against your own credential stores to determine if any overlap exists. The deeper action is to audit the boundary between your IT identity systems and operational platforms. If field tools authenticate against Active Directory or share service accounts with SCADA management interfaces, those shared credentials are the attacker’s lateral movement path. Segment authentication for operational systems from corporate identity infrastructure. Iranian proxy groups have demonstrated a pattern of escalating from data theft to operational disruption, and the publication of infrastructure credentials is a leading indicator, not a trailing one.
Supporting sources:
SecurityWeek: Iranian cyber group Handala claims Cal Water hack, publishes 5GB of data including RTKBase credentials
dataminr: Cyber Intel Brief: Handala Claims Breach of California Water Service
MEME OF THE WEEK
Location, Location, Exposure.
For attackers, the best property is the one already facing the internet.
ROLE-BASED TAKEAWAYS
Executive / CISO / Board Level
Vulnerability management SLAs need a structural reset. CISA’s BOD 26-04 now mandates three-day remediation for the most critical exploited vulnerabilities. If your organization’s internal SLA is 30 days for critical patches, you are operating on a timeline the federal government just declared inadequate. Present updated SLAs to the board that reflect the Ivanti and PeopleSoft exploitation timelines from this week.
External exposure is now board-level vulnerability context. The Ivanti and PeopleSoft stories show that attackers are mapping exposed services before organizations have a CVE to prioritize. Ask security leadership for a current inventory of internet-reachable assets.
AI coding agents are a demonstrated attack class against developer workstations. Agentjacking research shows that AI coding agents can be tricked into executing arbitrary code through crafted inputs like fake error reports. Confirm with security leadership that agent permissions are scoped and that external input cannot trigger privileged actions without human confirmation.
Critical infrastructure boards need a briefing on Iranian proxy escalation. Handala’s Cal Water claim, including publication of infrastructure credentials, represents a shift from espionage to public disruption signaling. Board-level risk discussions should explicitly address whether OT credential hygiene has been audited in the last 90 days.
Enterprise Architect
Design Principle Impact: AI coding agents introduce a new trust boundary on developer workstations. Any architecture that grants AI agents access to file systems, credentials, or command execution must enforce sandboxing and least-privilege constraints equivalent to those applied to remote access tools, not the permissive defaults agents ship with.
New Constraint: Patch deployment must be architecturally decoupled from change board approval for edge and DMZ appliances. The Ivanti Sentry 24-hour exploitation timeline proves that internet-facing appliances cannot wait for scheduled maintenance windows. Design a pre-authorized emergency patching path for any device in your network perimeter that bypasses standard change management.
Operational Trust Boundary: Eliminate shared authentication between IT and OT. The Cal Water incident exposed that surveying and field-management platforms often authenticate against the same identity infrastructure as corporate systems. Architect a separate identity boundary for any system that touches operational technology, including ancillary tools like RTKBase, GPS correction services, and field data collection platforms.
Security Operations
Implementation Watch Item: Monitor for exploitation attempts against Oracle PeopleSoft Environment Management interfaces (CVE-2026-35273). Scan your external attack surface for exposed /PSEMHUB/* endpoints, especially /PSEMHUB/hub, and the /PSIGW/HttpListeningConnector path, and block external access to both. Audit web and application logs for suspicious POST requests to those endpoints from untrusted IPs, and look for unexpected directories (logs, persistantstorage, scratchpad) under PSEMHUB, MeshCentral agents, and anomalous outbound SMB (445) or SSH from PeopleSoft hosts.
Common Failure Mode: Teams deprioritize Ivanti Sentry patching because it requires appliance-level maintenance during business hours. The 24-hour exploitation window means any delay past initial disclosure creates an open window. Pre-stage Ivanti patches for immediate deployment when advisories drop.
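The log-audit step of the watch item above, as an added example that is not from the newsletter or from Oracle: it runs the PSEMHUB/PSIGW check over constructed access-log lines in combined format. The trusted source ranges, the log format and the sample lines are assumptions.

```python
"""Audit web-tier access logs for requests to PeopleSoft PSEMHUB / PSIGW paths."""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Paths the watch item says should not be reachable from the internet.
WATCHED_PATH_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Assumed trusted source ranges (an internal admin network); constructed values.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Apache/NGINX "combined" log format is assumed for the PeopleSoft web tier.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside a trusted management range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_watched_path(path: str) -> bool:
    """Match the request path (query string stripped) against the watched prefixes."""
    clean = path.split("?", 1)[0]
    return any(clean.startswith(p) for p in WATCHED_PATH_PREFIXES)


def audit_line(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a watched-path request, or None for anything else.
    Untrusted POSTs rank highest: that is the request shape the watch item
    calls out; trusted-source hits are recorded as info for baselining."""
    m = LOG_RE.match(line)
    if not m or not is_watched_path(m["path"]):
        return None
    if is_trusted(m["ip"]):
        severity = "info"
    elif m["method"] == "POST":
        severity = "high"
    else:
        severity = "medium"
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": m["status"], "severity": severity}


def audit(lines: List[str]) -> List[Dict[str, str]]:
    return [f for f in (audit_line(l) for l in lines) if f]


def untrusted_sources(findings: List[Dict[str, str]]) -> Set[str]:
    """Source IPs outside trusted ranges that reached a watched path."""
    return {f["ip"] for f in findings if f["severity"] != "info"}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.4.12 - - [15/Jun/2026:08:01:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.77 - - [15/Jun/2026:08:02:33 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1032',
    '203.0.113.77 - - [15/Jun/2026:08:02:35 +0000] "GET /PSIGW/HttpListeningConnector HTTP/1.1" 200 244',
    '198.51.100.9 - - [15/Jun/2026:08:03:00 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 8801',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
    print("untrusted sources:", untrusted_sources(audit(SAMPLE_LOG)))
```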
Monitoring Patterns: In the June batch, the Defender elevation-of-privilege flaw (CVE-2026-41091, "RedSun") is the one tied to active exploitation, so prioritize detection there and cross-reference CISA KEV. Note separately that Nightmare Eclipse released two new unpatched Defender zero-days around Patch Tuesday, RoguePlanet (race-condition LPE to SYSTEM) and GreatXML (BitLocker bypass via Defender offline scan). Neither has a CVE or a patch, so treat them as detection and compensating-control problems, not patching: application allowlisting reportedly blocks RoguePlanet, and GreatXML needs brief physical access, so tighten device-access and recovery-partition controls. More broadly, watch for SYSTEM-level privilege escalation, unusual DLL sideloading, and Windows kernel-driver abuse.
Signal vs Noise Guidance: An AI coding agent reading project files and executing build commands within its working directory is expected noise. The same agent executing commands outside the project directory, writing to credential paths like ~/.ssh or ~/.aws, or initiating outbound network connections to unknown hosts is signal. Establish a behavioral baseline for what your AI agents do during normal operation and alert on deviations.
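The noise-versus-signal split described above, as an added example that is not from the newsletter: it classifies constructed agent activity events against a per-workstation baseline (project directory, home directory, allowlisted outbound hosts). The event schema, the baseline values and the credential directories beyond ~/.ssh and ~/.aws are assumptions.

```python
"""Classify AI coding agent activity as expected noise or signal against a baseline."""
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass
class Baseline:
    project_dir: str             # where the agent is expected to read, write and run
    home_dir: str                # used to locate credential paths
    allowed_hosts: FrozenSet[str]  # outbound destinations seen during normal operation

    def credential_dirs(self) -> List[str]:
        # ~/.ssh and ~/.aws are the examples from the text; extend as needed.
        return [os.path.join(self.home_dir, d) for d in (".ssh", ".aws")]


def _within(path: str, parent: str) -> bool:
    """True when path is parent or lies beneath it (both must be absolute)."""
    path, parent = os.path.normpath(path), os.path.normpath(parent)
    return os.path.commonpath([path, parent]) == parent


def classify(event: Dict[str, str], base: Baseline) -> Tuple[str, str]:
    """Return ("noise" | "signal", reason) for one agent event."""
    kind = event["type"]
    if kind == "exec":
        if not _within(event["cwd"], base.project_dir):
            return "signal", f"command run outside project dir: {event['cwd']}"
        return "noise", "command run inside project dir"
    if kind in ("read", "write"):
        # Resolve relative paths against the event's cwd so "../.ssh/x" is caught.
        path = os.path.normpath(os.path.join(event.get("cwd", base.project_dir), event["path"]))
        for cred in base.credential_dirs():
            if _within(path, cred):
                return "signal", f"{kind} of credential path {path}"
        if kind == "write" and not _within(path, base.project_dir):
            return "signal", f"write outside project dir: {path}"
        return "noise", f"{kind} inside project dir"
    if kind == "connect":
        if event["host"] not in base.allowed_hosts:
            return "signal", f"outbound connection to unbaselined host {event['host']}"
        return "noise", "connection to allowlisted host"
    return "signal", f"unknown event type {kind}"


def triage(events: List[Dict[str, str]], base: Baseline) -> List[Dict[str, str]]:
    out = []
    for ev in events:
        verdict, reason = classify(ev, base)
        out.append({**ev, "verdict": verdict, "reason": reason})
    return out


# Constructed baseline and events (not captured from a real agent).
BASELINE = Baseline("/home/dev/proj", "/home/dev",
                    frozenset({"registry.npmjs.org", "github.com"}))
SAMPLE_EVENTS = [
    {"type": "exec", "cwd": "/home/dev/proj", "cmd": "npm run build"},
    {"type": "write", "cwd": "/home/dev/proj", "path": "src/app.py"},
    {"type": "connect", "host": "registry.npmjs.org", "port": "443"},
    {"type": "exec", "cwd": "/tmp", "cmd": "python3 setup.py"},
    {"type": "read", "cwd": "/home/dev/proj", "path": "../.ssh/id_ed25519"},
    {"type": "write", "cwd": "/home/dev/proj", "path": "/home/dev/.aws/credentials"},
    {"type": "connect", "host": "203.0.113.5", "port": "443"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS, BASELINE):
        print(row["verdict"].upper(), row["reason"])
```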
Sector-specific action for water and critical infrastructure operators: Handala's Cal Water claim includes published credentials, which makes this actionable intelligence, not noise. Obtain the leaked credential indicators through WaterISAC or your threat intelligence provider (Dataminr published the analysis) rather than downloading the raw dump directly, since it contains third-party customer PII. Cross-reference those indicators against your own authentication stores, and treat any match as a confirmed exposure requiring immediate rotation. Extend the same check to any RTKBase, GPS correction, or field data collection platforms that may share credentials or identity infrastructure with your operational environment.
Adversarial edge item: Build an external exposure map for PeopleSoft, Ivanti, and other historically vulnerable enterprise platforms before the next advisory lands. Include service owner, internet reachability, authentication path, version, business criticality, and emergency patch authority. The goal is simple: make sure your target list is better than the attacker’s.
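Putting the exposure map above together with the two-criteria patch filter from the Patch Tuesday Act Blue note (KEV-listed and internet-facing or authentication-critical gets 72 hours, the rest gets compensating controls), as an added example that is not from the newsletter: the asset records carry exactly the fields the edge item lists. Product versions, fixed versions and the Ivanti CVE placeholder are constructed; only CVE-2026-35273 and CVE-2026-41091 come from the page.

```python
"""Triage a CVE batch against an external exposure map of enterprise platforms."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    product: str
    version: str
    owner: str                       # service owner
    internet_reachable: bool         # internet reachability
    auth_critical: bool              # sits on an authentication path
    business_criticality: str        # "high" | "medium" | "low"
    emergency_patch_authority: bool  # may be patched without a change-board meeting


@dataclass
class Advisory:
    cve: str
    product: str
    fixed_version: str  # first version that is not affected (constructed values below)
    in_kev: bool        # listed in CISA's KEV catalog


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and version_tuple(asset.version) < version_tuple(adv.fixed_version))


def triage(assets: List[Asset], advisories: List[Advisory]) -> List[Dict]:
    """KEV-listed AND (internet-facing OR auth-critical) -> patch within 72h;
    exposed but not KEV -> next window with controls; everything else ->
    compensating controls. Flags assets whose patch still needs a meeting."""
    actions = []
    for adv in advisories:
        for a in assets:
            if not is_affected(a, adv):
                continue
            exposed = a.internet_reachable or a.auth_critical
            if adv.in_kev and exposed:
                rank, action = 0, "patch_within_72h"
            elif exposed:
                rank, action = 1, "patch_next_window_with_controls"
            else:
                rank, action = 2, "compensating_controls"
            actions.append({
                "rank": rank, "cve": adv.cve, "asset": a.name, "owner": a.owner,
                "action": action,
                # Internet-facing with no pre-authorized emergency path: the
                # process, not the patch, is the bottleneck the text warns about.
                "approval_blocker": a.internet_reachable and not a.emergency_patch_authority,
            })
    actions.sort(key=lambda x: (x["rank"], x["asset"]))
    return actions


# Constructed exposure map and advisory batch (not a real inventory).
SAMPLE_ASSETS = [
    Asset("sentry-edge-01", "Ivanti Sentry", "10.0.1", "netops", True, True, "high", False),
    Asset("ps-emhub-prod", "Oracle PeopleSoft", "8.61.0", "erp-team", True, False, "high", True),
    Asset("ps-emhub-dev", "Oracle PeopleSoft", "8.61.0", "erp-team", False, False, "low", True),
    Asset("dev-ws-14", "Microsoft Defender", "4.18.2605", "endpoint", False, False, "medium", True),
]
SAMPLE_ADVISORIES = [
    Advisory("CVE-2026-35273", "Oracle PeopleSoft", "8.61.1", in_kev=True),
    Advisory("CVE-PLACEHOLDER-IVANTI-SENTRY", "Ivanti Sentry", "10.0.2", in_kev=True),
    Advisory("CVE-2026-41091", "Microsoft Defender", "4.18.2606", in_kev=True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS, SAMPLE_ADVISORIES):
        print(row)
```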
See you next Monday!
The Monday Brief is produced by Douglas McKee and Ismael Valenzuela. The opinions expressed are our own and do not reflect those of our employers.