Oracle PeopleSoft servers are currently being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. PeopleSoft is an enterprise business software suite used by large organizations to manage various business operations, according to a recent report by Bleeping Computer.

The ShinyHunters gang is exploiting a combination of old and zero-day vulnerabilities, referred to as a "gadget chain," to target both cloud and on-premises Oracle PeopleSoft instances. While the success rate varies depending on system configuration, the attackers claim to have compromised data from approximately 300 instances across more than 100 organizations, with a significant number of victims in the education sector. Nottingham University has confirmed a cybersecurity incident, and its data has reportedly been published on the ShinyHunters data leak site. The attackers' initial goal was to breach an FBI portal, but this attempt was unsuccessful.

Security researchers have identified exposed directories containing attack tooling, including MeshCentral agents and credential spray scripts, and have shared IP addresses linked to the attacks. Some of these IPs used TLS certificates associated with ShinyHunters. Evidence suggests the attackers create ransom notes on breached servers and attempt to connect to other PeopleSoft systems using common administrative credentials. Organizations running PeopleSoft are advised to analyze logs for suspicious connections and initiate incident response if targeting is detected.

Source: Bleeping Computer




