SAMURAI CYBER WATCH
Issue #7 — June 13, 2026
Practical Cyber Intelligence for Business Leaders in Non-Superpower Nations
THIS WEEK'S BRIEFING
Oracle PeopleSoft Zero-Day and the Week Japan's Structural Vulnerabilities Converged
A zero-day exploited for weeks before disclosure, ransomware at a university hospital, and voice phishing that bypasses every technical defense — this week's incidents share one common thread.
THE KEY DEVELOPMENT
THE ORACLE PEOPLESOFT ZERO-DAY ATTACK — THE QUIET BREACH OF CORE SYSTEMS
The incident I regard as most serious this week is the ongoing zero-day exploitation targeting Oracle PeopleSoft Enterprise PeopleTools.
What demands particular attention is the fact that active exploitation began in late May 2026 — weeks before any patch existed. The concern here is not simply that this is a zero-day; it is the duration of exploitation. With attacks continuing for more than two weeks, a significant number of organizations may have been operating in a compromised state without realizing it.
PeopleSoft is a core enterprise platform supporting HR, finance, and procurement operations. The data it holds spans everything from employee personal records to sensitive business intelligence. A remote code execution vulnerability in this system gives an attacker full control — enabling lateral movement through internal networks, backdoor installation, and long-term persistence.
The public disclosure on June 12 means attackers are now aware that defenders are mobilizing. The next 48 hours are the critical window. Every organization running PeopleSoft should apply the patch immediately and, in parallel, review system logs from late May onward for anomalies. If a breach has already occurred, assume backdoors may have been planted before any patch is applied and investigate accordingly.
JAPAN LENS: DOMESTIC INCIDENTS AND THE ANATOMY OF STRUCTURAL VULNERABILITY
This was a week in which multiple domestic incidents converged — and it is one that will stay with me. The ransomware attack on Kyushu University, the unauthorized access to the photo-sharing service HaiCheezu Photo, and the voice phishing campaign targeting corporate internet banking appear unrelated at first glance. But they share a common structural thread.
In the Kyushu University case, confidential data — reportedly including surgical video footage of patients — may have been exfiltrated from a laboratory endpoint, a peripheral node on the edge of the main system. This illustrates just how difficult it is to manage the boundary between clinical information systems and research networks within a complex institution like a university hospital. After two decades in this industry, I can say that the gap between healthcare security budgets and actual risk exposure remains stubbornly wide.
HaiCheezu Photo handles personal data belonging to children and their parents. Schools that use education-focused SaaS platforms have limited means to independently assess the security posture of those services and largely rely on vendor self-reporting. This is a systemic problem that no single vendor can resolve on its own.
The addition of remote desktop tools to corporate voice phishing operations is a development that cannot be overlooked. When phone-based social engineering is combined with technical intrusion, purely technical defenses fall short. Staff training and a fundamental review of internal financial procedures are no longer optional.
BEYOND THE EPICENTER: THE MOST DANGEROUS ASSUMPTION IS "THIS DOESN'T APPLY TO US"
I want to speak plainly to business owners and executives at small and mid-sized organizations. Reading this week's incidents as someone else's problem — a large enterprise issue or a government concern — is itself the greatest risk.
Oracle PeopleSoft and Ivanti Sentry are enterprise products, and you may not use them directly. But if a large enterprise in your supply chain is compromised through one of these systems, that attack can propagate to you. Targeting smaller suppliers and partners as an entry point into larger organizations has become a standard tactic among APT groups. If your organization does business with a large enterprise, that relationship is itself a signal of value to an attacker.
Corporate voice phishing hits businesses of every size. A call from someone claiming to be from the bank with a security alert, followed by skillful manipulation, is all it takes for a staff member to execute a fraudulent transfer as if it were a routine operation. Rather than leaving the decision to a single employee, require multi-person approval for transfers above a defined threshold. That process can be put in place today.
Additionally, Chrome received its second emergency update of the week — and that affects every device in your organization. Check right now whether automatic updates are enabled.
STATE ACTOR WATCH: APT ACTIVITY INTENSIFIES ACROSS THE ASIA-PACIFIC CROSSROADS
Multiple incidents with suspected nation-state involvement were reported this week, reflecting geopolitical tensions that are now clearly visible in the cyber threat landscape.
According to an analysis published by ESET on June 11, the Vietnamese-linked APT group OceanLotus, also tracked as APT32, appears to be shifting its operational focus toward domestic targets — a departure from its previously documented focus on foreign governments and corporations across the Asia-Pacific region. ESET characterizes this as a strategic pivot, which suggests the group is revising its targeting criteria internally. Organizations that have not previously considered themselves in scope for this actor may need to reassess.
The Chinese-linked APT group Shadow-Earth-053 is reported to be continuing intrusion operations against government and defense sector organizations across Asia, including Japan, by exploiting unpatched Microsoft Exchange vulnerabilities. The fact that unpatched Exchange servers continue to serve as a viable entry point — despite years of repeated warnings — is, frankly, a cause for serious concern.
What these state-sponsored APT campaigns have in common is the goal of long-term post-compromise persistence. Rather than exfiltrating data immediately, these actors quietly establish a foothold and collect intelligence over months. The longer the intrusion goes undetected, the deeper the damage. Extended log retention and regular threat hunting exercises are worth serious consideration against this class of threat.
DEFEND WITHOUT CHOOSING SIDES
Practical defensive actions drawn from this week's incidents
① Apply the emergency Oracle PeopleSoft patch within 48 hours and review logs from late May onward. Organizations running PeopleSoft should complete remediation immediately and examine logs for signs of unauthorized remote code execution. If a breach has already occurred, assume backdoors may have been planted before the patch and investigate before treating the update as a resolution.
② Prioritize patching for Ivanti Sentry and Arista EOS. Arista EOS has been added to the CISA Known Exploited Vulnerabilities catalog, with mandatory remediation deadlines imposed on U.S. federal agencies. Organizations outside the U.S. should treat this with equivalent urgency. Compromised network infrastructure becomes an open door to everything behind it.
③ Review your corporate internet banking approval workflows. To counter attack methods that combine phone-based social engineering with remote access tools, require a second approver or an out-of-band confirmation for transfers above a defined threshold. The friction of an extra approval step is nothing compared to the loss of a fraudulent wire transfer.
④ Review the latest Splunk Enterprise security advisory and apply patches for the critical vulnerabilities identified. If your security monitoring platform is neutralized, every subsequent attack becomes invisible. Disabling the watchdog before striking is a classic and highly effective technique.
⑤ Update Google Chrome to the latest version and confirm that automatic updates are functioning on every device in your organization. Two emergency updates in a single week reflect an active and ongoing threat. This is one of the simplest and least expensive defenses available. There is no justification for leaving it undone.
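The dual-control rule from item ③ and the "Beyond the Epicenter" section, as an added Python example that is not code from this newsletter: a transfer above a constructed threshold of 1,000,000 JPY is released only with a second approver who is not the requester or a recorded out-of-band confirmation. It goes one step beyond the text by also tracking each beneficiary's running daily total, so a large payment split into several sub-threshold transfers still triggers the control.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed policy value for illustration; the real threshold is a business decision.
THRESHOLD_JPY = 1_000_000


@dataclass
class Transfer:
    transfer_id: str
    requester: str                       # staff member who keyed in the transfer
    beneficiary: str                     # destination account (opaque label here)
    amount_jpy: int
    second_approver: Optional[str] = None  # a different person who reviewed it
    oob_confirmed: bool = False          # callback to the bank on a number we already hold


class PolicyViolation(Exception):
    pass


class TransferPolicy:
    """Dual-control gate: above the threshold, require a second approver who is
    not the requester, or an out-of-band confirmation. The per-beneficiary daily
    total is counted so splitting one payment into small pieces does not bypass it."""

    def __init__(self, threshold: int = THRESHOLD_JPY):
        self.threshold = threshold
        self.sent_today = defaultdict(int)   # beneficiary -> JPY already released today

    def authorize(self, t: Transfer) -> str:
        if t.amount_jpy <= 0:
            raise PolicyViolation(f"{t.transfer_id}: amount must be positive")
        running_total = self.sent_today[t.beneficiary] + t.amount_jpy
        if running_total > self.threshold:
            # Self-approval does not count: the approver must be a different person.
            has_second = t.second_approver is not None and t.second_approver != t.requester
            if not (has_second or t.oob_confirmed):
                raise PolicyViolation(
                    f"{t.transfer_id}: {running_total} JPY to {t.beneficiary} today "
                    "needs a second approver or an out-of-band confirmation")
        self.sent_today[t.beneficiary] += t.amount_jpy
        return "released"


def check(policy: TransferPolicy, t: Transfer) -> bool:
    """True if the policy releases the transfer, False if it blocks it."""
    try:
        policy.authorize(t)
        return True
    except PolicyViolation:
        return False
```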
NEXT ISSUE
Next week, we continue tracking the evolving threat landscape — including any further developments on the Oracle PeopleSoft zero-day and ongoing APT campaigns targeting Asia-Pacific. See you Friday.
About us: This newsletter is written from Japan — a country that has been simultaneously targeted by three nation-states (China, Russia, and North Korea) for over a decade. Two of these three (China and Russia) are UN Security Council permanent members with veto power; one is a nuclear-armed state operating outside the international rules-based order. We are not American. We are not Chinese. We have no geopolitical agenda except one: helping ordinary people and small businesses in non-superpower countries protect themselves from digital warfare they never signed up for.
Written by a Japan-based information security professional with over 20 years of experience, in collaboration with AI assistants.
© 2026 Samurai Cyber Watch. Redistribution with attribution permitted for non-commercial use.