
Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks


Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.

PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.

Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances. These customers were receiving extortion demands signed by the ShinyHunters extortion gang.


Today, the threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations.

ShinyHunters says they are using a "gadget chain" of old and zero-day vulnerabilities to conduct the attacks. However, they state that their attack is not working on all systems and believe that exploitation success may depend on how an instance is configured.

BleepingComputer contacted Oracle this morning to ask whether it is aware of an Oracle PeopleSoft zero-day being exploited in data theft attacks, but had not received a reply as of publication.

According to the threat actor, most of the organizations impacted by these attacks are in the education sector, with many previously extorted by the threat actor.

They claim their initial goal was to breach an FBI portal running PeopleSoft to "publish a statement and set the record straight on some misinformation that has been spreading." However, they said their attack was not successful, and they were unable to gain access to the instance.

The threat actor told BleepingComputer that Nottingham University is a victim of these attacks, and that its data has already been published on the ShinyHunters data leak site. The University also released a statement today, acknowledging that it suffered a cybersecurity incident.

While Oracle has not publicly disclosed any information about these attacks, cybersecurity researcher "Michael R" found several exposed online directories containing tooling related to this attack.

"ShinyHunters (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments," the researcher posted.

"Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script."

The researcher shared the following IP addresses as IOCs related to these attacks:

142.11.200[.]186
142.11.200[.]187
142.11.200[.]188
142.11.200[.]189
142.11.200[.]190
108.174.202[.]99
176.120.22[.]24

Some of these IP addresses used a TLS certificate that has a common name of "azurenetfiles[.]net," which is a domain previously linked to the ShinyHunters extortion gang.

Five of the servers exposed a .bash_history file that gave some insight into the attacks, including a shell script designed to create a ransom note named "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" on an internal PeopleSoft server after it is breached.

ShinyHunters script (Source: Michael R)

The script parses the /etc/hosts file to identify PeopleSoft-related systems and attempts to connect to them over SSH using common PeopleSoft and Oracle administrative accounts such as 'psoft', 'oracle', and 'linuxadm'.

If password authentication fails, the script attempts to use SSH key-based authentication as a fallback.

Once connected, the script drops the ransom note into directories associated with PeopleSoft web and application servers.

If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the above IP addresses to determine whether you were targeted in these attacks.

If these IOCs are found, organizations should immediately begin incident response, investigate whether their PeopleSoft instance was compromised, and consider temporarily removing affected servers from internet access until the environment can be secured and reviewed.
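As an added example (not code from the article or from the researcher's findings), the following Python sweep applies the two signals above to log lines: it flags any line mentioning one of the published IOC addresses, and it flags SSH sources that fail password logins for the named PeopleSoft admin accounts and then succeed with a key, the fallback behaviour attributed to the leaked script. The sample log lines, host name and internal addresses are constructed.

```python
import re
from collections import defaultdict

# IOC addresses as published in the article (defanged with "[.]").
DEFANGED_IOCS = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]
IOC_IPS = {ioc.replace("[.]", ".") for ioc in DEFANGED_IOCS}

# Administrative accounts the leaked script is reported to try over SSH.
SPRAY_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample: one web access log line plus sshd auth lines.
SAMPLE_LOG = [
    '142.11.200.187 - - [01/Jan/2025:10:00:01 +0000] "GET /psp/ps/ HTTP/1.1" 200 512',
    "Jan  1 10:02:11 psapp01 sshd[2201]: Failed password for psoft from 10.10.5.21 port 50122 ssh2",
    "Jan  1 10:02:13 psapp01 sshd[2203]: Failed password for oracle from 10.10.5.21 port 50124 ssh2",
    "Jan  1 10:02:15 psapp01 sshd[2205]: Failed password for invalid user linuxadm from 10.10.5.21 port 50126 ssh2",
    "Jan  1 10:02:20 psapp01 sshd[2207]: Accepted publickey for psoft from 10.10.5.21 port 50128 ssh2",
    "Jan  1 10:05:00 psapp01 sshd[2301]: Failed password for oracle from 10.10.7.3 port 41000 ssh2",
]

def find_ioc_hits(lines):
    """Return (line_no, ip) for every line that mentions a published IOC address."""
    return [(n, ip) for n, line in enumerate(lines, 1)
            for ip in IPV4_RE.findall(line) if ip in IOC_IPS]

def find_spray_sources(lines, min_accounts=2):
    """Return ({src: sorted accounts with failed password auth}, [sources that then
    logged in by publickey]); only sources hitting >= min_accounts spray accounts count."""
    failed, keyed = defaultdict(set), set()
    for line in lines:
        m = SSHD_RE.search(line)
        if not m or m["user"] not in SPRAY_ACCOUNTS:
            continue
        if m["result"] == "Failed" and m["method"] == "password":
            failed[m["src"]].add(m["user"])
        elif m["result"] == "Accepted" and m["method"] == "publickey" and m["src"] in failed:
            keyed.add(m["src"])  # password spray followed by key-based success
    suspects = {src: sorted(u) for src, u in failed.items() if len(u) >= min_accounts}
    return suspects, sorted(keyed)
```

Run it against real web server and sshd logs by replacing SAMPLE_LOG with the file contents; any IOC hit or spray source is a reason to start incident response as described above.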
