Massive Oracle PeopleSoft Hack: Hackers Claim 300 Instances Compromised Across Universities

Oracle PeopleSoft users urged to review systems after hackers claim access to hundreds of servers containing payroll, financial, student, and administrative records across organizations.
Written by: Humpy Adepu
Reviewed by: Manisha Sharma

A growing wave of data-theft breaches targeting Oracle PeopleSoft servers at more than 100 organizations, mostly universities, has been attributed to the cybercrime gang ShinyHunters.

The group told BleepingComputer that it used a mix of older and zero-day vulnerabilities to compromise about 300 PeopleSoft instances, but noted that whether exploitation succeeds appears to depend on how each individual system is configured.

PeopleSoft Breach Exposes Sensitive Student, Employee Data

Large organizations use Oracle's PeopleSoft enterprise software suite to handle payroll, finance, student administration, human resources, and other functions. According to extortion messages sent to victims and reviewed by BleepingComputer, the stolen data includes financial aid, immigration, and health information, as well as student and applicant records containing home addresses, phone numbers, email addresses, and dates of birth.

Nottingham University in the United Kingdom is one of the confirmed victims. ShinyHunters published its data on the group's leak site, and the university acknowledged a cybersecurity incident in a statement. The group is also reported to have sent extortion demands to several other campuses.

Attack Linked to Credential Spraying Campaign

The group's initial goal was to gain access to an FBI gateway that ran PeopleSoft, in order to post a public statement denying ShinyHunters' involvement in a series of phony emergency call attempts that the FBI discovered last month. That attempt was unsuccessful.

Cybersecurity researcher Michael R found material linked to the attacks, including MeshCentral agents, staging files, and a credential-spraying script, in several publicly exposed online directories. One of these, named ‘exposed’, contained a shell script.

The recovered bash_history files showed the attackers connecting over SSH with common Oracle administrative accounts such as ‘psoft’, ‘oracle’, and ‘linuxadm’, then dropping a ransom note named ‘README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT’ on compromised PeopleSoft servers after a breach.


Warning Signs: Seven IP Addresses Flagged

Researchers have identified seven IP addresses as indicators of compromise associated with these attacks; organizations running Oracle PeopleSoft should check their logs immediately for connections from those addresses.


If any of these addresses appear in logs, the affected servers should be temporarily disconnected from the internet until the environment has been examined and secured, and the incident should be reported immediately.
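As an added example (not code from the article or from the researchers it cites), the following Python script shows how a defender could triage an SSH auth log for the activity described above: connections from a watchlist of flagged addresses, logins to the PeopleSoft administrative accounts named in the recovered bash_history, and the presence of the ransom note file. The watchlist entries and log lines are constructed placeholders; substitute the addresses researchers published before running it against real logs.

```python
import re

# Placeholder watchlist (RFC 5737 documentation addresses): replace with the
# addresses researchers flagged for this campaign before running on real logs.
FLAGGED_IPS = {"203.0.113.10", "198.51.100.7"}
# Oracle administrative accounts the recovered bash_history showed being used over SSH.
WATCHED_ACCOUNTS = {"psoft", "oracle", "linuxadm"}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
# OpenSSH login-result lines in a syslog-style auth log.
SSH_RE = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def scan_auth_log(lines, flagged_ips=FLAGGED_IPS, accounts=WATCHED_ACCOUNTS):
    """Return (severity, reason, line) tuples for lines that warrant analyst review."""
    findings = []
    for line in lines:
        m = SSH_RE.search(line)
        if not m:
            continue
        ip, user, accepted = m["ip"], m["user"], m["result"] == "Accepted"
        if ip in flagged_ips and accepted:
            findings.append(("critical", "flagged IP logged in", line))
        elif ip in flagged_ips:
            findings.append(("high", "flagged IP attempted login", line))
        elif accepted and user in accounts:
            findings.append(("medium", "admin account login, verify source", line))
    return findings

def find_ransom_notes(paths):
    """Keep only paths whose file name is the attackers' ransom note."""
    return [p for p in paths if p.rsplit("/", 1)[-1] == RANSOM_NOTE]

# Constructed sample data, not real log output or real file listings.
SAMPLE_LOG = [
    "Mar  3 02:14:07 psapp01 sshd[2143]: Failed password for psoft from 203.0.113.10 port 51022 ssh2",
    "Mar  3 02:14:11 psapp01 sshd[2143]: Accepted password for psoft from 203.0.113.10 port 51022 ssh2",
    "Mar  3 08:01:55 psapp01 sshd[2290]: Accepted publickey for oracle from 10.20.30.40 port 40210 ssh2",
    "Mar  3 08:02:10 psapp01 sshd[2301]: Accepted publickey for deploy from 10.20.30.41 port 40211 ssh2",
    "Mar  3 09:00:00 psapp01 sshd[2350]: Failed password for invalid user admin from 192.0.2.5 port 3333 ssh2",
]
SAMPLE_PATHS = ["/home/psoft/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
                "/home/psoft/.bash_history", "/opt/oracle/psft/readme.txt"]

if __name__ == "__main__":
    for severity, reason, line in scan_auth_log(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {line}")
    print("ransom notes:", find_ransom_notes(SAMPLE_PATHS))
```

On a real host, feed it the output of `journalctl -u ssh` or the contents of `/var/log/auth.log` (or `/var/log/secure` on RHEL-family systems) and a `find` listing of home and PeopleSoft install directories.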
