Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks
Security researchers are tracking a widespread data-theft campaign against Oracle PeopleSoft servers by the ShinyHunters gang, claiming access to about 300 instances across more than 100 organizations, many in the education sector. The attackers are using a mix of old vulnerabilities and zero-days, issuing extortion demands and leaving ransom notes on compromised systems. Nottingham University is named as a victim with some data reportedly published on a ShinyHunters leak site. Defenders are advised to review logs for specific IPs and indicators, look for TLS certificates linked to azurenetfiles.net, and isolate affected servers from the internet while conducting incident response.

Introduction and context
Oracle PeopleSoft customer environments are reporting ongoing data theft incidents linked to the ShinyHunters extortion group. The attackers claim to have targeted both cloud-based and on-premises PeopleSoft instances, using a mix of old vulnerabilities and zero-day weaknesses. According to the threat actor, the attacks have touched hundreds of instances across more than a hundred organizations, with many of the victims identified in the education sector. Extortion demands bearing the ShinyHunters name accompany the incidents.
Understanding PeopleSoft in brief
- PeopleSoft is an enterprise software suite used by large organizations to manage core operations, including human resources, payroll, finance, supply chain management, procurement, and student administration.
- The platform’s reach in educational institutions means a wide variety of sensitive records and administrative data can be at risk when a breach occurs.
Attack landscape and scope
- The group claims data theft from approximately 300 PeopleSoft instances across more than 100 organizations, signaling a broad campaign rather than isolated incidents.
- The attacks utilize what has been described as a “gadget chain” consisting of both known vulnerabilities and recently discovered weaknesses. The success of exploitation reportedly varies by how each instance is configured.
- While the attackers suggest widespread targeting, Oracle has not publicly disclosed details of a zero-day exploit tied specifically to PeopleSoft at the time of reporting.
Tactics, tooling, and ransom activities
- The threat actor describes using a combination of legacy vulnerabilities and zero-days to gain access to susceptible environments.
- A notable part of the attacker’s operation involves staging materials, including MeshCentral agents, and a ransom note workflow intended to appear on breached systems.
- The attackers’ toolkit includes a distinctive ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT, designed to be dropped on internal PeopleSoft servers after compromise.
- A script associated with the campaign parses the /etc/hosts file to locate PeopleSoft-related systems and then attempts SSH access using common administrative accounts such as psoft, oracle, and linuxadm. If password-based authentication fails, the script falls back to key-based authentication.
- Once access is established, the attackers drop their ransom note and related artifacts into directories used by PeopleSoft web and application servers.
Indicators of compromise and artifacts to watch for
- Source IP addresses published as IOCs for the campaign (listed in the original report).
- TLS indicators: some servers used a TLS certificate with a common name pointing to azurenetfiles.net, a domain previously linked to ShinyHunters.
- File access and history artifacts: several exposed servers contained a .bash_history file revealing shell activity and scripts related to the attack, including the ransom-note deployment workflow.
- Ransom and defacement components: a series of scripts and tools associated with credential spraying, defacement activities, and credential usage patterns targeting one or more PeopleSoft components.
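As an added example (not from the report or from any of the tooling it describes), a Python triage helper that checks log lines for the source IPs, TLS certificate CN and ransom note file name published as IOCs in the report, and for SSH authentication failures against the psoft, oracle and linuxadm accounts the reported script targets; the log lines, hostnames and paths are constructed samples.

```python
import re
from pathlib import PurePosixPath

# Indicators published in the report: source IPs, TLS certificate CN, ransom note file name.
IOC_IPS = {
    "142.11.200.186", "142.11.200.187", "142.11.200.188", "142.11.200.189",
    "142.11.200.190", "108.174.202.99", "176.120.22.24",
}
IOC_TLS_CN = "azurenetfiles.net"
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
# Accounts the reported script tries over SSH; repeated failures against them are a signal.
WATCHED_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
SSH_FAIL_RE = re.compile(r"Failed (?:password|publickey) for (?:invalid user )?(\S+) from (\S+)")

def scan_log_lines(lines):
    """Return (kind, detail) findings: IOC IPs, SSH failures on watched accounts, IOC TLS CN."""
    findings = []
    for line in lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                findings.append(("ioc_ip", ip))
        m = SSH_FAIL_RE.search(line)
        if m and m.group(1) in WATCHED_ACCOUNTS:
            findings.append(("ssh_fail_watched_account", f"{m.group(1)}@{m.group(2)}"))
        if "CN=" in line and IOC_TLS_CN in line:
            findings.append(("tls_cn_ioc", IOC_TLS_CN))
    return findings

def find_ransom_notes(paths):
    """Flag the ransom note by exact file name anywhere in a file listing."""
    return [p for p in paths if PurePosixPath(p).name == RANSOM_NOTE]

# Constructed sample data (hostnames, paths and timestamps are made up, not from a real system).
SAMPLE_LOG = [
    "Mar 03 10:12:01 psweb01 sshd[2211]: Failed password for psoft from 142.11.200.186 port 51812 ssh2",
    "Mar 03 10:12:09 psweb01 sshd[2211]: Failed password for linuxadm from 142.11.200.186 port 51813 ssh2",
    "Mar 03 10:15:44 psweb01 sshd[2240]: Accepted publickey for deploy from 10.20.0.5 port 40022 ssh2",
    'Mar 03 10:20:00 psweb01 egress-proxy: server cert subject "CN=azurenetfiles.net"',
]
SAMPLE_PATHS = [
    "/opt/psft/webserv/peoplesoft/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
    "/opt/psft/appserv/PSAPPSRV.log",
]
if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOG), find_ransom_notes(SAMPLE_PATHS))
```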
Victims, public disclosures, and notable mentions
- The attackers have claimed Nottingham University as a victim, with data allegedly published on the ShinyHunters’ data leak site. The university acknowledged a cybersecurity incident in a public statement.
- Education sector institutions are repeatedly singled out by the threat actor as heavily affected, often after previous extortion attempts or breaches.
- Security researchers have identified publicly exposed directories containing tooling related to this campaign, including PeopleSoft-specific targets and staging materials.
Research observations and analyst commentary
- A cybersecurity researcher reported the existence of exposed directories connected to ongoing PeopleSoft targeting, including staging materials and a ransom-note deployment workflow.
- The presence of MeshCentral agents among staging materials points to remote management tools being leveraged as part of the intrusions.
- The attacker’s tooling and IOCs have been shared in public forums and social channels, underscoring the double-edged nature of publicly accessible reconnaissance artifacts: they can aid other actors, but they also help defenders trying to detect similar activity.
Context and implications for organizations
- The blend of old vulnerabilities and newly disclosed weaknesses creates a multifaceted threat surface for PeopleSoft environments.
- Education sector institutions, as well as large enterprises with complex ERP deployments, may be particularly attractive targets because of the sensitive student, payroll, and financial data these systems process.
- The combination of ransomware-style notes and credential-based access attempts suggests a dual aim: gain persistence and monetize access through extortion while potentially enabling follow-on data exfiltration.
- The exposure of directories and tooling in public channels increases the risk of reuse by other attacker groups, amplifying the potential damage and the breadth of exploited configurations.
Closing perspective
- The ongoing reports highlight the importance of vigilant monitoring around enterprise ERP deployments, particularly Oracle PeopleSoft environments exposed to the internet or connected through hybrid cloud configurations.
- The campaign’s public indicators—IP addresses, TLS certificates associated with known malicious domains, and the presence of ransom-related notes and shell history—provide concrete signals for defenders to correlate with their own environment logs.
- As the situation evolves, organizations with PeopleSoft deployments should consider reviewing access patterns, authentication methods, and network exposure as part of a broader defense-in-depth posture, while awaiting additional official disclosures from Oracle and affected institutions.