
Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks


Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.

PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.

Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances. These customers were receiving extortion demands that were signed by the ShinyHunters extortion gang.

Today, the threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations.

ShinyHunters says they are using a "gadget chain" of old and zero-day vulnerabilities to conduct the attacks. However, they state that their attack is not working on all systems and believe that exploitation success may depend on how an instance is configured.

BleepingComputer contacted Oracle this morning to ask whether it is aware of an Oracle PeopleSoft zero-day being exploited in data theft attacks, but had not received a reply at this time.

According to the threat actor, most of the organizations impacted by these attacks are in the education sector, with many previously extorted by the threat actor.

They claim their initial goal was to breach an FBI portal running PeopleSoft to "publish a statement and set the record straight on some misinformation that has been spreading." However, they said their attack was not successful, and they were unable to gain access to the instance.

The threat actor told BleepingComputer that Nottingham University is a victim of these attacks, and that its data has already been published on the ShinyHunters data leak site. The University also released a statement today, acknowledging that it suffered a cybersecurity incident.

While Oracle has not publicly disclosed any information about these attacks, cybersecurity researcher "Michael R" found several exposed online directories containing tooling related to this attack.
