Tuesday, June 30, 2026 | Jonathan Brown

Washington puts a $10 million price tag on the FSB unit that's been phishing Signal backup keys

The State Department's Rewards for Justice program announced up to $10 million for information identifying members of UNC5792 (tied to FSB Border Guards) and UNC4221 (Russian military services), the clusters BCG covered Monday in connection with the FBI/CISA advisory update on Signal and WhatsApp targeting. The new detail beyond Monday's coverage: officials now confirm the campaign has compromised thousands of individual messaging accounts. Officials emphasized that the operators are not breaking Signal or WhatsApp encryption. Instead, the campaign has shifted toward harvesting Signal Backup Recovery Keys specifically — credentials that, per the FBI, can remain valid even after a victim creates a new account on the same phone number. Targets named in the advisory include U.S. and NATO officials, defense and intelligence personnel, journalists covering Russia and Ukraine, and Ukraine-focused NGOs.

Watch for: whether Rewards for Justice tips lead to any individual identification within the program's typical multi-year timeline, or whether this functions primarily as a deterrence signal.

Sources: U.S. Department of State, Rewards for Justice announcement, June 29, 2026; FBI/CISA joint advisory update, June 26, 2026; The Record from Recorded Future News, June 29, 2026; SecurityWeek, June 29, 2026.


A second Oracle 9.8 in five weeks: E-Business Suite Payments now under live exploitation

Threat intelligence firm Defused said its Oracle E-Business Suite honeypots recorded the first confirmed in-the-wild exploitation of CVE-2026-46817 over the weekend of June 27–28 — an unauthenticated, network-exploitable takeover of the Oracle Payments File Transmission component (CVSS 9.8), affecting EBS versions 12.2.3 through 12.2.15. Oracle patched the flaw in its May 2026 Critical Patch Update. Defused reports the attack used no public proof-of-concept code, meaning whoever is exploiting it built their own. Help Net Security's technical breakdown identifies the attack as a single targeted source running an unauthenticated file-read against the ibytransmit endpoint, not broad opportunistic scanning. This is the second 9.8-rated Oracle n-day in five weeks, following CVE-2026-35273 in PeopleSoft, which ShinyHunters exploited as a true zero-day in May and which BCG covered extensively at the time.

Watch for: attribution — Defused has not named an actor, and the targeted (not scanning) nature of the observed traffic is the detail likeliest to firm up first.

Sources: Defused (via X/Twitter), June 29, 2026; Help Net Security, June 30, 2026; The Hacker News, June 29, 2026; Cyber Security News, June 29, 2026.


One vulnerable third-party component, six ISPs, 14.2 million exposed Japanese email accounts

KDDI Corporation disclosed that a flaw in unnamed third-party software running its shared email backend exposed up to 14.22 million email addresses and passwords across six Japanese ISPs — NIFTY, BIGLOBE, J:COM, STNet, Commufa, and KDDI Web Communications — including current, former, and dormant accounts. KDDI detected the intrusion June 17, blocked it the same day, and notified Japan's Personal Information Protection Commission and Ministry of Internal Affairs and Communications. The company says some passwords were hashed or encrypted but has not disclosed which algorithm, what percentage, or whether salting was used — a gap multiple outlets have flagged as material to assessing real-world cracking risk. This is a single shared-infrastructure compromise propagating across telecom subsidiaries that present as separate companies to customers, the same structural pattern BCG has flagged in other shared-backend incidents this year.

Watch for: KDDI's 60-day final report, due mid-August under Japan's APPI, which should specify the vulnerable third-party component, information KDDI has so far withheld.

Sources: KDDI Corporation public notice, June 23, 2026; BleepingComputer, June 29, 2026; Infosecurity Magazine, June 29, 2026; Security Affairs, June 29, 2026.


Princeton undergrad finds root-level holes in the controllers running highway signs and stadium scoreboards

CISA published ICSA-26-176-04 for Daktronics VFC-DMP-5000, DMP-5000, and DMP-8000 controllers — the boards behind digital billboards, highway signage, and stadium displays worldwide — covering three flaws (path traversal, unrestricted file upload, hard-coded credentials) that CISA says could together hand an unauthenticated attacker complete root-level control. Researcher Thomas Jou, an undergraduate at Princeton, reported the bugs through CISA's VINCE platform in January; patched firmware was ready by early March, with the multi-month gap to publication spent on coordinated advisory preparation. Jou told SecurityWeek he identified multiple internet-exposed controllers in the wild, while Daktronics states that securing internet exposure is the responsibility of system operators.

Watch for: whether any of the internet-exposed controllers Jou found get scanned or exploited now that the advisory and patch details are public — CISA notes no known exploitation as of publication.

Sources: CISA ICS Advisory ICSA-26-176-04, June 25, 2026; SecurityWeek, June 30, 2026; TechNadu, June 30, 2026.


NAIC disputes ShinyHunters' 3.1TB claim, but confirms the breach and the Oracle zero-day vector

The National Association of Insurance Commissioners (NAIC) confirmed it was among the 100-plus organizations hit in the Oracle PeopleSoft zero-day campaign BCG covered when it broke (CVE-2026-35273, exploited by ShinyHunters/UNC6240 as a true zero-day from May 27 to June 9). NAIC serves as the U.S. insurance industry's regulatory coordinating body and falls under the financial services critical infrastructure sector. What's new since that earlier coverage: NAIC has now pushed back directly on ShinyHunters' claimed haul, stating the stolen data was limited to already-public statutory financial reports, outdated logs, and configuration files — not the 3.1TB of regulatory filings, customer PII, and credit-rating data ShinyHunters posted to its leak site. Fitch Ratings separately confirmed some of its data submitted to NAIC was affected, though its own systems were untouched.

Watch for: whether any third party independently verifies either NAIC's minimization claim or ShinyHunters' claimed figure — right now this is a credibility standoff with no neutral confirmation on either side.

Sources: NAIC security incident notice, June 26, 2026; BleepingComputer, June 29, 2026; SecurityWeek, June 29, 2026; Cybersecurity Dive, June 29, 2026.


Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com.
