Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
At a glance:
- ShinyHunters extortion gang claims to have stolen data from over 100 organizations via Oracle PeopleSoft servers.
- Attackers used a mix of old and zero-day vulnerabilities, targeting education sector organizations including Nottingham University.
- Exposed IP addresses and tools suggest ongoing exploitation, with organizations urged to audit systems for compromise.
Attack Details and Scope
Oracle PeopleSoft, an enterprise business software suite used for HR, payroll, finance, and supply chain management, has become the latest target of the ShinyHunters extortion gang. The group confirmed to BleepingComputer that it has compromised 300 instances across more than 100 organizations, primarily in the education sector. These attacks target both cloud-hosted and on-premises PeopleSoft deployments, with victims receiving extortion demands signed by the threat actor. Notably, the group attempted to breach an FBI portal running PeopleSoft to publish a statement but failed. Nottingham University confirmed it was a victim, with its data already published on the ShinyHunters leak site.
Technical Indicators and Exploitation Methods
Cybersecurity researcher Michael R identified exposed online directories containing attack tooling, including MeshCentral agents and scripts for defacement and credential spraying. Five servers exposed .bash_history files revealing a shell script that creates a ransom note named "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" on compromised PeopleSoft servers. The script scans /etc/hosts for PeopleSoft-related systems, attempts SSH connections using common administrative accounts like 'psoft', 'oracle', and 'linuxadm', and falls back to SSH key-based authentication if password attempts fail. The following IP addresses were flagged as indicators of compromise (IOCs):
- 142.11.200[.]186
- 142.11.200[.]187
- 142.11.200[.]188
- 142.11.200[.]189
- 142.11.200[.]190
- 108.174.202[.]99
- 176.120.22[.]24
Some IPs used a TLS certificate tied to "azurenetfiles[.]net," a domain previously linked to ShinyHunters. The group claims exploitation success depends on system configurations, suggesting not all instances are vulnerable.
Impact and Organizational Response
Organizations running Oracle PeopleSoft are advised to audit logs for connections from the listed IP addresses and initiate incident response protocols if IOCs are detected. Oracle has not publicly acknowledged the attacks or responded to inquiries about potential zero-day vulnerabilities. The education sector appears to be a primary target, with many affected institutions having prior extortion history with ShinyHunters. Nottingham University's acknowledgment of the breach underscores the real-world consequences of these attacks.
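To act on the audit advice above, here is an added example (not from the article and not the researcher's or the attackers' tooling) that triages OpenSSH auth log lines for connections from the listed IOC addresses and for one source trying several of the admin accounts named in the recovered script. The log lines are constructed samples, and the standard OpenSSH syslog format is assumed.

```python
import re
from collections import defaultdict

# IP indicators quoted in the article, with the "[.]" defanging undone for matching.
IOC_IPS = {ip.replace("[.]", ".") for ip in (
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
)}
# Administrative accounts the recovered script tried over SSH.
TARGET_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

# Standard OpenSSH lines: "Failed password for X from IP", "Accepted publickey for X from IP".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def triage_auth_log(lines):
    """Return findings for IOC-sourced SSH events and for one source address
    trying several of the PeopleSoft admin accounts (the spraying pattern)."""
    findings = []
    users_by_ip = defaultdict(set)
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        if m["ip"] in IOC_IPS:
            # Any event from a listed address is reportable; an Accepted login is the worst case.
            findings.append({"type": "ioc_ip", "ip": m["ip"], "user": m["user"],
                             "result": m["result"], "method": m["method"]})
        if m["user"] in TARGET_ACCOUNTS:
            users_by_ip[m["ip"]].add(m["user"])
    for ip, users in users_by_ip.items():
        if len(users) >= 2:
            findings.append({"type": "account_spray", "ip": ip, "users": sorted(users)})
    return findings

# Constructed sample log lines (not real telemetry), with one benign internal login.
SAMPLE_LOG = """\
Jan 12 03:14:07 psapp01 sshd[2210]: Failed password for psoft from 142.11.200.186 port 51022 ssh2
Jan 12 03:14:09 psapp01 sshd[2210]: Failed password for oracle from 142.11.200.186 port 51022 ssh2
Jan 12 03:14:12 psapp01 sshd[2213]: Accepted publickey for oracle from 142.11.200.186 port 51030 ssh2
Jan 12 03:20:41 psapp01 sshd[2290]: Accepted password for deploy from 10.0.5.12 port 40112 ssh2
Jan 12 03:22:01 psapp01 sshd[2301]: Failed password for invalid user linuxadm from 198.51.100.7 port 33210 ssh2
"""
if __name__ == "__main__":
    for finding in triage_auth_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

The key-based "Accepted publickey" hit from a listed address is the finding to escalate first, since it matches the script's fallback to SSH keys after password attempts fail.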
Broader Security Implications
This incident highlights the persistent threat of extortion-focused cyberattacks targeting enterprise software ecosystems. The use of both known and unknown vulnerabilities complicates defense strategies, emphasizing the need for proactive vulnerability management and network monitoring. Security teams should prioritize reviewing PeopleSoft configurations and access controls, as well as implementing robust detection mechanisms for anomalous SSH activity.
What to Watch Next
Oracle may release patches or mitigation guidance as details emerge. The ShinyHunters group could expand its targeting beyond education sectors, and further IOCs may be discovered as researchers analyze the exposed tooling. Organizations should monitor threat intelligence feeds for updates on PeopleSoft vulnerabilities and consider temporary network isolation of affected systems until thorough security reviews are completed.
Prepared by the editorial stack from public data and external sources.