ShinyHunters Targets Oracle PeopleSoft Servers, Claims Over 100 Organizations Compromised
The ShinyHunters extortion gang is actively compromising Oracle PeopleSoft servers, stealing data from over 100 organizations and demanding ransom.

The notorious ShinyHunters extortion gang has launched a widespread campaign targeting Oracle PeopleSoft servers, claiming to have successfully compromised over 100 organizations and exfiltrated sensitive data. The attacks, which impact both cloud-hosted and on-premises instances of the enterprise software, have resulted in extortion demands being sent to affected companies.
Oracle PeopleSoft is a comprehensive suite of business applications used by large enterprises for managing critical operations such as human resources, payroll, finance, and student administration. Its widespread adoption makes it a lucrative target for threat actors seeking to disrupt operations or extort organizations.
ShinyHunters confirmed their involvement in these attacks to BleepingComputer, stating they have stolen data from approximately 300 instances across more than 100 organizations. The group claims to be leveraging a combination of older and zero-day vulnerabilities, suggesting that the success of their exploits may depend on the specific configuration of the targeted PeopleSoft environment.
While Oracle has not yet publicly commented on the matter, cybersecurity researcher 'Michael R' has identified exposed online directories containing tools and artifacts related to the attacks. These findings include MeshCentral agents, defacement scripts, and credential spraying tools, providing valuable indicators of compromise (IOCs).
Further analysis of exposed files revealed a shell script designed to create a ransom note on compromised PeopleSoft servers. This script reportedly parses the /etc/hosts file to identify relevant systems and attempts SSH connections using common administrative credentials. If password authentication fails, it falls back to SSH key-based authentication.
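For defenders, the behavior described above (password attempts against several hosts from one source, with key-based logins following the failures) leaves a recognizable pattern in centralized sshd logs. The sketch below is an added example, not code from the article or from the recovered tooling; the log lines, host names, account names, two-minute window and two-host threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: aggregated sshd syslog lines from several hosts (not real data).
SAMPLE_LOG = """\
Jun  3 02:14:07 psapp02 sshd[4121]: Failed password for root from 10.20.0.11 port 40112 ssh2
Jun  3 02:14:09 psapp02 sshd[4121]: Failed password for admin from 10.20.0.11 port 40114 ssh2
Jun  3 02:14:12 psapp02 sshd[4130]: Accepted publickey for admin from 10.20.0.11 port 40120 ssh2: RSA SHA256:CONSTRUCTED
Jun  3 02:14:20 psdb01 sshd[987]: Failed password for root from 10.20.0.11 port 51200 ssh2
Jun  3 02:14:23 psdb01 sshd[990]: Accepted publickey for root from 10.20.0.11 port 51204 ssh2: RSA SHA256:CONSTRUCTED
Jun  3 02:15:01 psweb03 sshd[2200]: Failed password for oracle from 10.20.0.11 port 33010 ssh2
Jun  3 09:30:44 psapp02 sshd[5002]: Accepted publickey for deploy from 10.20.0.50 port 60100 ssh2: ED25519 SHA256:CONSTRUCTED
Jun  3 09:41:10 psdb01 sshd[1500]: Failed password for alice from 10.20.0.77 port 42000 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<event>Failed password|Accepted publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_fallback_sweeps(log_text, window=timedelta(minutes=2), min_hosts=2):
    """Return sources that failed passwords on >= min_hosts hosts and then
    logged in by key on at least one of them within `window` (assumed values)."""
    last_fail = {}               # (src, host) -> time of latest password failure
    tried = defaultdict(set)     # src -> hosts where password auth failed
    fallback = defaultdict(set)  # src -> hosts where a key login followed a failure
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Classic syslog stamps carry no year; a fixed one is assumed for arithmetic.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        key = (m["src"], m["host"])
        if m["event"] == "Failed password":
            last_fail[key] = ts
            tried[m["src"]].add(m["host"])
        elif key in last_fail and timedelta(0) <= ts - last_fail[key] <= window:
            fallback[m["src"]].add(m["host"])
    return {
        src: {"tried": sorted(hosts), "key_after_fail": sorted(fallback[src])}
        for src, hosts in tried.items()
        if len(hosts) >= min_hosts and fallback[src]
    }

if __name__ == "__main__":
    for src, hit in find_fallback_sweeps(SAMPLE_LOG).items():
        print(src, hit)
```

A flagged source is a lead for investigation rather than proof of compromise: configuration management and backup jobs can produce the same sequence, so known automation hosts should be reviewed before alerting on this.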
The threat actor indicated that many of the targeted organizations are in the education sector, with some having been previously extorted by ShinyHunters. The group also mentioned an unsuccessful attempt to breach an FBI portal running PeopleSoft, stating their initial goal was to issue a public statement.
Nottingham University has publicly acknowledged a cybersecurity incident, and ShinyHunters has confirmed it as a victim, with its data allegedly published on the gang's data leak site. The identified IOCs include several IP addresses and a TLS certificate with a common name previously linked to ShinyHunters, and organizations are urged to review their logs for suspicious activity.
Organizations running Oracle PeopleSoft are strongly advised to examine their logs for connections from the IP addresses identified as IOCs. If any compromise is suspected, immediate incident response, a thorough investigation, and potentially temporary isolation of affected servers are recommended to secure the environment.