TL;DR

This week saw three distinct attack campaigns targeting very different sectors, but they share a common thread: attackers exploited known or newly disclosed vulnerabilities in internet-facing enterprise software to gain initial access, then used that foothold to steal data or deploy ransomware. California Water Service is investigating a breach claim by the Iran-linked Handala group, ShinyHunters exploited a critical CVSS 9.8 zero-day in Oracle PeopleSoft affecting more than 100 organizations, and three Fortinet FortiSandbox vulnerabilities are under active exploitation. The pattern is clear: unpatched software and exposed internet-facing systems remain the top risk for businesses of every size.

1. California Water Service: Iran-Linked Handala Claims Breach

California Water Service (Cal Water), the largest water utility in the western United States, confirmed it is investigating a cyberattack claim made on June 11 by the Iran-linked threat group Handala. According to Check Point Research, Handala posted screenshots appearing to show access to the utility's customer relationship management and billing systems, global navigation satellite systems, customer information, and internal credentials.

The group claimed the attack was retaliation for recent U.S. military operations in Iran and stated it deliberately avoided disrupting water distribution. Cal Water spokespersons said preliminary forensic results show no operational disruptions to water systems or customer billing, and the company is working with federal and state law enforcement.

However, the incident underscores a broader pattern. CISA and the FBI had previously issued an advisory warning of threats to water and energy facilities by state-linked hackers, confirming multiple sites had been attacked with resulting disruption and financial impacts. Handala is considered one of the most notorious Iran-linked threat actors, previously claiming credit for an attack against medical device maker Stryker. Federal officials have seized domains linked to the group after it used websites to publicize attacks and target political dissidents.

How bad was it: No confirmed operational disruption yet, but the group demonstrated access to IT systems including customer data and internal credentials — a serious breach with potential for data theft and downstream phishing campaigns.

How it could have been prevented: Network segmentation between IT and OT systems (which appears to have limited the impact here), multi-factor authentication on all externally accessible systems, and continuous monitoring for anomalous access patterns.

What your business should do: If you operate critical infrastructure or hold sensitive customer data, segment your IT and operational technology networks now. Review all external access points and enforce MFA universally. Monitor for credential exposure and rotate any credentials that touch externally facing systems.

2. ShinyHunters Exploits Oracle PeopleSoft Zero-Day (CVE-2026-35273)

Mandiant, Google's incident response unit, disclosed that the ShinyHunters threat group exploited a critical remote-code execution vulnerability in Oracle PeopleSoft between May 27 and June 9. The flaw, tracked as CVE-2026-35273, carries a CVSS severity score of 9.8 and affects PeopleSoft PeopleTools versions 8.61 and 8.62. It can be exploited remotely without authentication through the Environment Management component.

More than 100 organizations have been notified of potential impact, with roughly two-thirds being colleges and universities. The University of Nottingham confirmed a "significant amount of data" in its student records was compromised, and the matter is now subject to a criminal investigation. CISA added the flaw to its Known Exploited Vulnerabilities catalog and confirmed it has been used in ransomware attacks. Federal agencies were given until Monday to remediate.

The attackers used customized MeshCentral agents disguised as legitimate cloud endpoints to maintain remote access. Censys researchers identified approximately 40 internet-facing PeopleSoft hosts worldwide — a conservative estimate. Halcyon researchers noted this fits a pattern, as ShinyHunters was also linked to the campaign against Instructure, the company behind the Canvas Learning Management System.

How bad was it: Over 100 organizations potentially affected, student records compromised at multiple universities, and confirmed ransomware involvement. Stolen data was posted on a ShinyHunters leak site.

How it could have been prevented: The Environment Management Hub should not be internet-facing. Mandiant specifically recommends disabling it in multi-server configurations or removing the PSEM hub in single-server setups. Oracle labeled its remediation guidance as "high-priority risk reduction."

What your business should do: Audit every internet-facing service and ask whether it needs to be there. If you run PeopleSoft, patch to the latest version immediately and disable the Environment Management Hub. Monitor outbound firewall logs and NetFlow data for traffic to untrusted destinations. If you have third-party vendors maintaining platforms on your behalf, contractually require timely patching and hold them accountable.
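The "monitor outbound firewall logs and NetFlow data" advice above is only actionable if you know what each server is supposed to talk to. The script below is an added example, not Mandiant's, Oracle's or Censys' tooling, and none of the addresses, roles or log lines come from the incident: it assumes a small constructed inventory of PeopleSoft hosts, a per-role egress allowlist, and a key=value firewall log excerpt, then flags allowed flows from an application tier to any destination outside its allowlist. A remote-management agent such as the MeshCentral agents described above has to keep a connection open to somewhere, and that "somewhere" is almost never on an application server's allowlist.

```python
import ipaddress

# Constructed inventory: which internal hosts belong to which tier. Addresses
# are illustrative (RFC 1918 and documentation ranges), not from the incident.
HOST_ROLE = {
    "10.20.1.15": "peoplesoft-web",
    "10.20.1.16": "peoplesoft-app",
    "10.20.9.40": "workstation",
}

# Constructed egress allowlist per role. An application tier should reach its
# database, its own subnet and a small set of vendor endpoints, nothing else.
# Derive the real list from a baseline period or from change records.
ALLOWED_EGRESS = {
    "peoplesoft-web": ["10.20.0.0/16", "203.0.113.10/32"],
    "peoplesoft-app": ["10.20.0.0/16"],
    "workstation": ["0.0.0.0/0"],  # users browse the web; out of scope here
}

# Constructed firewall log excerpt in a key=value syslog style. Three lines show
# the app server reaching an outside address on 443 roughly every 60 seconds,
# which is what a remote-management agent's keep-alive tends to look like.
SAMPLE_LOG = """\
2026-06-08T02:14:07Z src=10.20.1.16 dst=10.20.1.30 dport=1521 proto=tcp action=allow
2026-06-08T02:14:09Z src=10.20.1.16 dst=198.51.100.77 dport=443 proto=tcp action=allow
2026-06-08T02:15:09Z src=10.20.1.16 dst=198.51.100.77 dport=443 proto=tcp action=allow
2026-06-08T02:16:09Z src=10.20.1.16 dst=198.51.100.77 dport=443 proto=tcp action=allow
2026-06-08T02:16:30Z src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp action=allow
2026-06-08T02:16:45Z src=10.20.1.15 dst=198.51.100.9 dport=22 proto=tcp action=deny
2026-06-08T02:17:01Z src=10.20.9.40 dst=198.51.100.5 dport=443 proto=tcp action=allow
"""


def parse_line(line):
    """Split 'ts k=v k=v ...' into a dict; the first field is the timestamp."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def is_allowed(role, dst):
    """True if dst falls inside any network on the role's egress allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) for net in ALLOWED_EGRESS.get(role, []))


def find_unexpected_egress(log_text):
    """Return flows from a known role to a destination outside its allowlist,
    keyed by (src, dst, dport) with a count and first/last seen timestamps.
    Only 'allow' records count: a denied flow never reached the outside."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["action"] != "allow":
            continue
        role = HOST_ROLE.get(f["src"])
        if role is None or is_allowed(role, f["dst"]):
            continue
        key = (f["src"], f["dst"], f["dport"])
        hit = hits.setdefault(key, {"role": role, "count": 0, "first": f["ts"], "last": f["ts"]})
        hit["count"] += 1
        hit["last"] = f["ts"]
    return hits


if __name__ == "__main__":
    for (src, dst, dport), h in find_unexpected_egress(SAMPLE_LOG).items():
        print(f"{h['role']} {src} -> {dst}:{dport} x{h['count']} ({h['first']} .. {h['last']})")
```

Run against the sample, only the three app-server connections to 198.51.100.77:443 are reported; the workstation's browsing and the web tier's vendor connection are on their allowlists, and the denied SSH attempt is ignored because it never completed. On real NetFlow the same grouping by (src, dst, dport) with first/last seen is what lets you distinguish a one-off download from a persistent control channel.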

3. Fortinet FortiSandbox: Three Critical Vulnerabilities Under Active Exploitation

Security firm Defused reported that three separate vulnerabilities in Fortinet's FortiSandbox — an AI-powered malware analysis and isolation tool — are being actively exploited by attackers. This is particularly ironic: the tool designed to detect and contain threats is itself being used as an attack vector.

The three flaws are:

  • CVE-2026-25089: An OS command-injection vulnerability allowing unauthenticated attackers to execute commands via crafted HTTP requests. Patched June 9.
  • CVE-2026-39808: A second OS command-injection flaw allowing code execution via crafted HTTP requests. Originally disclosed in April.
  • CVE-2026-39813: A path-traversal vulnerability enabling authentication bypass. Also disclosed in April.

Defused has no information yet on who is behind the attacks, whether customers were directly impacted, or what post-exploitation activity is occurring. This follows an April incident where a critical zero-day in FortiClient Endpoint Management Server was targeted in attacks, prompting an emergency hotfix.

How bad was it: Full scope unknown, but the vulnerabilities allow unauthenticated remote code execution and authentication bypass on security infrastructure — potentially giving attackers a foothold inside the very systems meant to detect them.

How it could have been prevented: Both April-disclosed vulnerabilities should have been patched already. Organizations running FortiSandbox need to treat their security tooling as critical attack surface, not just defensive infrastructure.

What your business should do: Check your FortiSandbox version immediately and confirm all three patches are applied. Apply the same patching urgency to security tools as you would to any other internet-facing service. Any security appliance that touches untrusted input is itself an attack surface.

FAQ

Q: Why are nation-state groups like Handala targeting water utilities? A: Critical infrastructure offers high-impact targets that can cause widespread disruption and generate headlines. Even when operational systems are not directly compromised, the threat itself creates pressure on governments and organizations. CISA has warned that state-linked actors are specifically targeting water and energy facilities as part of broader geopolitical campaigns.

Q: Our organization doesn't use PeopleSoft — does the ShinyHunters campaign affect us? A: Not directly through this vulnerability, but the pattern matters. ShinyHunters is also linked to attacks on Instructure/Canvas, and the group actively targets educational and research organizations. The broader lesson is that any enterprise platform with internet-facing components is a target. Audit your own stack for exposed management interfaces.

Q: How can a security tool like FortiSandbox be exploited? A: Security tools process untrusted input by design — malware samples, network traffic, file uploads. Any tool that accepts and analyzes untrusted data has an expanded attack surface. Attackers target security infrastructure because compromising it can blind an organization's detection capabilities while providing a trusted vantage point inside the network.
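To make the two bug classes in the FortiSandbox advisories concrete (OS command injection through a crafted HTTP request, and path traversal that bypasses an access check), here is an added example in a hypothetical sample-analysis web backend. It is not FortiSandbox code and says nothing about how the real flaws work; the handler names, the /var/samples directory and the inputs are assumptions. Each function is shown in its vulnerable form beside the hardened one, and demo() exercises both.

```python
import re
import shlex
from pathlib import Path

# Hypothetical constraint on sample names: alphanumerics, dots, underscores,
# dashes; must start with a letter or digit so it can never look like an option.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


# --- OS command injection ---------------------------------------------------

def build_scan_command_vulnerable(sample_name: str) -> str:
    """Before: a user-controlled name is concatenated into a shell command
    string. Run with shell=True, 'a.exe; id' becomes two commands."""
    return f"file -b /var/samples/{sample_name}"


def shell_command_count(cmd: str) -> int:
    """How many commands a POSIX shell would see in cmd (1 when nothing was injected)."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    separators = {";", "|", "||", "&", "&&"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def scan_sample_hardened(sample_name: str) -> list:
    """After: validate against a strict pattern, never pass through a shell,
    and end option parsing with '--' so a leading '-' cannot become a flag.
    Returns the argv that would be handed to subprocess.run(argv)."""
    if not SAFE_NAME.fullmatch(sample_name):
        raise ValueError(f"rejected sample name: {sample_name!r}")
    return ["file", "-b", "--", f"/var/samples/{sample_name}"]


# --- Path traversal ---------------------------------------------------------

def resolve_report_vulnerable(base: str, requested: str) -> Path:
    """Before: join the request path under base with no containment check.
    '../../etc/passwd' walks out of base; an absolute path replaces it."""
    return Path(base, requested)


def resolve_report_hardened(base: str, requested: str) -> Path:
    """After: resolve both paths (collapsing '..' and symlinks) and require
    the target to remain inside base before touching the filesystem."""
    root = Path(base).resolve()
    target = (root / requested).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        raise PermissionError(f"path escapes report root: {requested!r}")
    return target


def demo() -> dict:
    """Exercise both bug classes and return the observations as a dict."""
    import tempfile
    out = {}
    out["vuln_cmd"] = build_scan_command_vulnerable("a.exe; id")
    out["vuln_cmd_count"] = shell_command_count(out["vuln_cmd"])
    out["safe_argv"] = scan_sample_hardened("a.exe")
    for bad in ("a.exe; id", "-h", "../a.exe"):
        try:
            scan_sample_hardened(bad)
            out[f"rejected:{bad}"] = False
        except ValueError:
            out[f"rejected:{bad}"] = True
    with tempfile.TemporaryDirectory() as base:
        root = Path(base).resolve()
        escaped = resolve_report_vulnerable(base, "../../etc/passwd").resolve()
        out["vuln_path_escapes"] = not escaped.is_relative_to(root)
        out["safe_path_ok"] = resolve_report_hardened(base, "scan-0001.json") == root / "scan-0001.json"
        for bad in ("../../etc/passwd", "/etc/passwd"):
            try:
                resolve_report_hardened(base, bad)
                out[f"blocked:{bad}"] = False
            except PermissionError:
                out[f"blocked:{bad}"] = True
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two fixes share one idea: decide what the input is allowed to be before it reaches a shell or the filesystem, rather than trying to strip dangerous characters afterwards. Note that the hardened path check resolves the target first, so a symlink planted inside the report directory cannot point back out either.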

Q: What is CISA's Known Exploited Vulnerabilities (KEV) catalog and why does it matter? A: The KEV catalog is an authoritative list of vulnerabilities that CISA has confirmed are being actively exploited in the wild. Federal agencies are required to remediate KEV-listed vulnerabilities within specific deadlines. Private sector organizations should treat KEV entries as immediate-action items: if a vulnerability is on the list, attackers are already using it.

Conclusion

Three attacks, three sectors, one pattern: attackers exploit exposed and unpatched systems to gain initial access, then move on to steal data or deploy ransomware. The common denominator is not sophisticated zero-day research. Even where a zero-day was involved, the exposure came from basic hygiene failures: management interfaces left internet-facing when vendor guidance says they should not be reachable, April disclosures still unpatched in June, and critical-infrastructure IT systems holding customer data and credentials that an attacker could reach.

Your action items for this week:

  1. Patch everything on the CISA KEV catalog — especially if you run Fortinet or Oracle products
  2. Audit internet-facing services — disable or restrict any management interface that does not need external access
  3. Verify IT/OT segmentation — if you operate critical infrastructure, confirm your operational systems are isolated from corporate IT
  4. Review third-party vendor security — if a vendor maintains your platforms, confirm they are patching on schedule
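Action item 1 and the KEV question in the FAQ both come down to the same check: does anything in my inventory match an entry in the catalog, and which entries are due first? The script below is an added example, not CISA's tooling. It reads JSON in the shape of CISA's published KEV feed, but the entries are a constructed sample: the dates, due dates and ransomware flags are placeholders to exercise the matching logic and must not be read as the catalog's actual values, and the Fortinet entry is included only so the sample has two vendors. The asset inventory is likewise hypothetical. Replace KEV_SAMPLE with the live feed before relying on the output.

```python
import json
from datetime import date

# Constructed sample in the shape of the KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names match the feed; every value below is a placeholder for illustration.
KEV_SAMPLE = json.dumps({
    "title": "constructed KEV sample, not the live catalog",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-35273",
            "vendorProject": "Oracle",
            "product": "PeopleSoft PeopleTools",
            "vulnerabilityName": "Oracle PeopleSoft PeopleTools Remote Code Execution Vulnerability",
            "dateAdded": "2026-06-10",          # placeholder date
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-06-15",            # placeholder date
            "knownRansomwareCampaignUse": "Known",
        },
        {
            "cveID": "CVE-2026-25089",
            "vendorProject": "Fortinet",
            "product": "FortiSandbox",
            "vulnerabilityName": "Fortinet FortiSandbox OS Command Injection Vulnerability",
            "dateAdded": "2026-06-11",          # placeholder date
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2026-06-18",            # placeholder date
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Hypothetical asset inventory. Version is recorded but not matched: KEV says
# which product is under attack, while the vendor advisory says which versions.
INVENTORY = [
    {"host": "hr-psft-01", "vendor": "Oracle", "product": "PeopleSoft PeopleTools", "version": "8.61"},
    {"host": "sbx-01", "vendor": "Fortinet", "product": "FortiSandbox", "version": "unknown"},
    {"host": "fw-01", "vendor": "Fortinet", "product": "FortiGate", "version": "unknown"},
    {"host": "mail-01", "vendor": "Microsoft", "product": "Exchange Server", "version": "unknown"},
]


def load_kev(text):
    """Return the list of vulnerability entries from a KEV-format JSON document."""
    return json.loads(text)["vulnerabilities"]


def _norm(s):
    return s.lower().replace("-", " ").strip()


def match_inventory(inventory, kev, today):
    """Pair assets with KEV entries on vendor (exact, case-insensitive) and
    product (either name contained in the other). Sort so that entries with a
    known ransomware campaign come first, then by due date, then by host."""
    findings = []
    for asset in inventory:
        for v in kev:
            if _norm(v["vendorProject"]) != _norm(asset["vendor"]):
                continue
            p_kev, p_asset = _norm(v["product"]), _norm(asset["product"])
            if p_kev not in p_asset and p_asset not in p_kev:
                continue
            due = date.fromisoformat(v["dueDate"])
            findings.append({
                "host": asset["host"],
                "cve": v["cveID"],
                "product": v["product"],
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
                "due": due,
                "overdue": due < today,
                "action": v["requiredAction"],
            })
    findings.sort(key=lambda f: (not f["ransomware"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in match_inventory(INVENTORY, load_kev(KEV_SAMPLE), date.today()):
        flag = "OVERDUE" if f["overdue"] else "due " + f["due"].isoformat()
        rw = " ransomware" if f["ransomware"] else ""
        print(f"{f['host']:12} {f['cve']:16} {f['product']:24} {flag}{rw}")
```

Two caveats a practitioner should keep in mind. Product names in the feed are free text, so the substring match is deliberately loose and will need tuning against your inventory's naming. And a KEV hit tells you the product is under attack, not that your version is affected: the fix version comes from the vendor advisory, and the "unknown" versions above are exactly the gaps to close first.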

Visit consult.lil.business for a free cybersecurity assessment. We will identify your exposed attack surface and prioritize remediation before attackers find it for you.

References

  1. CISA Known Exploited Vulnerabilities Catalog
  2. Oracle PeopleSoft PeopleTools Security Advisory — CVE-2026-35273
  3. Fortinet PSIRT Security Advisories
  4. CISA and FBI Joint Advisory: Threats to Water and Energy Facilities
  5. Cybersecurity Dive: California Water Utility Probes Breach Claim by Iran-Linked Actor
