Oracle PeopleSoft servers breached in ShinyHunters data theft

▼ Summary
– ShinyHunters is conducting widespread data theft attacks on Oracle PeopleSoft servers, claiming to have stolen data from over 100 organizations.
– The gang exploits a “gadget chain” of old and zero-day vulnerabilities, though success depends on the system’s configuration.
– Most targeted organizations are in the education sector, with Nottingham University confirmed as a victim and its data published on ShinyHunters’ leak site.
– Cybersecurity researchers discovered exposed directories containing attack tools, including MeshCentral agents and a ransom note script.
– Indicators of compromise include specific IP addresses and a TLS certificate linked to the domain “azurenetfiles[.]net”, previously associated with ShinyHunters.
Ongoing data theft attacks are targeting Oracle PeopleSoft servers, with the ShinyHunters extortion gang claiming responsibility for breaching over 100 organizations. The group asserts it has already stolen data from hundreds of instances, raising urgent concerns for enterprises relying on this business software suite.
PeopleSoft is a widely used enterprise platform that helps large organizations manage critical operations including human resources, payroll, finance, supply chain management, procurement, and student administration. The attacks are hitting both cloud and on-premises customer instances, according to reports from BleepingComputer.
Yesterday, multiple customers received extortion demands signed by the ShinyHunters gang. Today, the threat actor confirmed to BleepingComputer that they are behind the breaches, claiming to have stolen data from 300 instances across more than 100 organizations.
ShinyHunters says they are exploiting a “gadget chain” that combines old vulnerabilities with zero-day exploits. However, the attack does not work on all systems, and success may depend on how each instance is configured.
BleepingComputer reached out to Oracle this morning for comment on whether the company is aware of an exploited PeopleSoft zero-day. Oracle had not responded at the time of publication.
According to the threat actor, most of the impacted organizations are in the education sector, and many have been targeted by ShinyHunters before. The group claimed their initial goal was to breach an FBI portal running PeopleSoft to “publish a statement and set the record straight on some misinformation that has been spreading.” However, they said the attack was unsuccessful and they could not access that instance.
The threat actor told BleepingComputer that Nottingham University is among the victims, and its data has already been published on the ShinyHunters data leak site. The university acknowledged the breach in a statement today, confirming a cybersecurity incident.
While Oracle has not publicly disclosed details, cybersecurity researcher “Michael R” discovered several exposed online directories containing tooling linked to the attack. “ShinyHunters, (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments,” the researcher posted. “Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script.”
The researcher shared the following IP addresses as indicators of compromise (IOCs): 142.11.200[.]186, 142.11.200[.]187, 142.11.200[.]188, 142.11.200[.]189, 142.11.200[.]190, 108.174.202[.]99, and 176.120.22[.]24. Some of these IPs used a TLS certificate with the common name “azurenetfiles[.]net,” a domain previously linked to ShinyHunters.
Five of the servers exposed a .bash_history file offering insight into the attack methods. One shell script was designed to create a ransom note named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED. TXT” on an internal PeopleSoft server after a breach. The script parses the /etc/hosts file to identify PeopleSoft-related systems and attempts SSH connections using common administrative accounts like ‘psoft’, ‘oracle’, and ‘linuxadm’. If password authentication fails, it falls back to SSH key-based authentication. Once connected, the script drops the ransom note into directories tied to PeopleSoft web and application servers.
If your organization runs Oracle PeopleSoft, it is strongly advised to analyze logs for any connections from the listed IP addresses to determine if you were targeted. If these IOCs are found, immediately begin incident response, investigate whether your PeopleSoft instance was compromised, and consider temporarily removing affected servers from internet access until the environment can be secured and reviewed.
(Source: BleepingComputer)




