ShinyHunters Exploits Oracle PeopleSoft Flaws to Steal Data From 100+ Organizations
#Vulnerabilities

Security Reporter

The ShinyHunters extortion gang is using a chain of old and zero-day vulnerabilities to breach Oracle PeopleSoft instances, with roughly 300 instances across more than 100 organizations hit so far. Education institutions are bearing the brunt, and researchers have already recovered the attackers' tooling, including a ransom-note script and a credential spray script, along with a list of IP addresses defenders can hunt for right now.

The ShinyHunters extortion crew is back, and this time it has set its sights on Oracle PeopleSoft. According to reporting from BleepingComputer, the group is running ongoing data theft attacks against both cloud-hosted and on-premises PeopleSoft instances, and claims to have already pulled data from roughly 300 instances spread across more than 100 organizations.

For anyone unfamiliar with the platform, PeopleSoft is one of the heavyweight enterprise suites that large institutions use to run their core operations: human resources, payroll, finance, supply chain, procurement, and, critically for this campaign, student administration. That last function explains why the education sector is taking the worst of it. Universities tend to run sprawling, long-lived PeopleSoft deployments that accumulate technical debt and rarely get torn down and rebuilt, which is exactly the kind of target an opportunistic extortion group wants.

What the attackers are actually doing

ShinyHunters confirmed to BleepingComputer that they are behind the campaign, and they described their method as a "gadget chain" of old and zero-day vulnerabilities. That phrasing matters. They are not relying on a single magic exploit. They are stringing together known, unpatched bugs alongside at least one flaw that does not appear to be publicly documented, and the combination is what gets them in.

The attackers themselves admit the chain does not work everywhere. They believe success depends heavily on how a given instance is configured, which is consistent with what we usually see in ERP exploitation: default accounts left enabled, management interfaces exposed to the internet, and inconsistent patch levels across the web, application, and database tiers. Oracle had not responded to questions about a possible PeopleSoft zero-day at the time of reporting, so for now the only authoritative description of the technique comes from the threat actor and from independent researchers.

The tooling leaked into the open

The most useful detail for defenders came not from the attackers but from their own sloppiness. Cybersecurity researcher "Michael R" found several exposed online directories belonging to the group, or to someone impersonating them, that revealed live targeting of PeopleSoft environments.

"ShinyHunters, (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments," the researcher wrote. "Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script."

Five of the exposed servers leaked a .bash_history file, which is about as candid a confession as an attacker can leave behind. The history revealed a shell script that drops a ransom note named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT onto a compromised internal PeopleSoft server.

The script's logic is worth understanding because it tells you how to harden against it. It parses /etc/hosts on the compromised host to find PeopleSoft-related systems, then tries to connect to them over SSH using common PeopleSoft and Oracle administrative accounts such as psoft, oracle, and linuxadm. If password authentication fails, it falls back to SSH key-based authentication. Once it authenticates, it writes the ransom note into directories tied to the PeopleSoft web and application servers. Because it reads the hosts file of a machine the attackers already control, this is lateral-movement tooling run after initial access, not the way in; the "gadget chain" is what gets them onto the first box. The use of MeshCentral agents as staging material also signals that the group wants persistent remote access, not just a smash-and-grab.

The FBI portal claim and confirmed victims

ShinyHunters told BleepingComputer that their original goal was to breach an FBI portal running PeopleSoft in order to "publish a statement and set the record straight on some misinformation that has been spreading." By their own account that attempt failed and they never got into the instance. Treat the motive narrative with skepticism; extortion groups routinely inflate their ambitions for attention.

The confirmed damage is more concrete. The University of Nottingham has been named as a victim, with data already posted to the ShinyHunters leak site, and the university released its own statement acknowledging a cybersecurity incident. Many of the affected organizations had reportedly been extorted by this same group before, which suggests the attackers are working from a list of known PeopleSoft operators rather than scanning the internet blindly.

Indicators of compromise to hunt now

This is the part to act on today. Michael R published a set of IP addresses tied to the campaign:

  • 142.11.200[.]186
  • 142.11.200[.]187
  • 142.11.200[.]188
  • 142.11.200[.]189
  • 142.11.200[.]190
  • 108.174.202[.]99
  • 176.120.22[.]24

Several of these servers presented a TLS certificate with a common name of azurenetfiles[.]net, a domain previously linked to ShinyHunters. That overlap is a reasonable signal that this is the genuine group rather than an imitator, though the researcher kept the door open on attribution.

Practical takeaways

If you run Oracle PeopleSoft, the immediate move is straightforward. Pull your logs and search for any connections from the IP addresses above across your web, application, and SSH-facing hosts. If any of those indicators turn up, start incident response now rather than waiting for confirmation, investigate whether the instance was actually compromised, and strongly consider pulling affected servers off the internet until you have reviewed and secured the environment.

Beyond the immediate hunt, the script tells you where the soft spots are. Audit your PeopleSoft and Oracle service accounts, especially psoft, oracle, and linuxadm, and confirm none of them allow password authentication over SSH or carry reused keys. Lock down which hosts can even reach those SSH endpoints, since the attack relies on lateral movement discovered through /etc/hosts. And because exploitation success depends on configuration, treat any internet-exposed PeopleSoft management interface as a liability until proven otherwise.
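The two account-level checks in the paragraph above, password authentication and key reuse, can be scripted. The following is an added example for this article, not tooling from the researcher, Oracle, or the attackers. It parses the effective per-user configuration that `sshd -T -C user=<account>` prints (run on each PeopleSoft host), and each account's authorized_keys file, computing OpenSSH-style SHA256 fingerprints so that the same key installed under several accounts is caught even if the comment field differs. The `sshd -T` output, the account list and the key blobs below are constructed placeholders, not real keys or real hosts.

```python
import base64
import hashlib
import shlex
from collections import defaultdict

# Added example (not from the article): audit SSH exposure of the PeopleSoft and
# Oracle service accounts the leaked script targets. Inputs are constructed
# stand-ins for `sshd -T -C user=<account>` output and authorized_keys files.
SERVICE_ACCOUNTS = ("psoft", "oracle", "linuxadm")

# Keywords whose "yes" value lets a credential spray succeed or keeps a weak
# second path open. Both spellings of the keyboard-interactive keyword are
# listed because OpenSSH renamed it in 8.7.
WEAK_IF_YES = ("passwordauthentication", "kbdinteractiveauthentication",
               "challengeresponseauthentication", "permitemptypasswords")

# Constructed sample: effective per-user config, as printed by
# `sshd -T -C user=psoft,host=pshr-app01,addr=10.20.5.44` (one keyword per line).
SSHD_EFFECTIVE = {
    "psoft":    "passwordauthentication yes\nkbdinteractiveauthentication no\n"
                "pubkeyauthentication yes\npermitemptypasswords no\n",
    "oracle":   "passwordauthentication no\nkbdinteractiveauthentication no\n"
                "pubkeyauthentication yes\npermitemptypasswords no\n",
    "linuxadm": "passwordauthentication yes\nkbdinteractiveauthentication yes\n"
                "pubkeyauthentication yes\npermitemptypasswords no\n",
}

# Constructed sample authorized_keys contents. The base64 blobs are placeholders,
# not real keys; the same blob appears under two accounts to show key reuse.
SHARED_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleSharedKeyMaterialAAAAAAAAAAAAAAAAAAAAAAA"
UNIQUE_BLOB = "AAAAC3NzaC1lZDI1NTE5AAAAIExampleUniqueKeyMaterialAAAAAAAAAAAAAAAAAAAAAAA"
AUTHORIZED_KEYS = {
    "psoft":    f"ssh-ed25519 {SHARED_BLOB} deploy@ps-admin\n",
    "oracle":   ("# DBA access\n\n"
                 f'from="10.20.9.0/24",no-pty ssh-ed25519 {SHARED_BLOB} deploy@ps-admin\n'
                 f"ssh-ed25519 {UNIQUE_BLOB} dba@bastion\n"),
    "linuxadm": "",
}

def parse_sshd_t(text):
    """Turn `sshd -T` output into {keyword: value}; keywords are lower-case."""
    conf = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip().lower()
    return conf

def weak_settings(effective_text):
    """Return the weak keywords that are enabled for this account."""
    conf = parse_sshd_t(effective_text)
    return [k for k in WEAK_IF_YES if conf.get(k) == "yes"]

def key_fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint: base64(sha256(decoded blob)), no padding."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per key line, skipping comments
    and blank lines and tolerating an options prefix such as from="..."."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        for i, tok in enumerate(tokens):
            if tok.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(tokens):
                yield tok, key_fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:])
                break

def shared_keys(ak_by_account):
    """Map fingerprint -> sorted accounts for any key present in 2+ accounts."""
    owners = defaultdict(set)
    for account, text in ak_by_account.items():
        for _, fp, _ in parse_authorized_keys(text):
            owners[fp].add(account)
    return {fp: sorted(a) for fp, a in owners.items() if len(a) > 1}

def audit(effective_by_account, ak_by_account):
    weak = {a: weak_settings(effective_by_account[a]) for a in SERVICE_ACCOUNTS}
    return {
        "weak": {a: w for a, w in weak.items() if w},
        "shared_keys": shared_keys(ak_by_account),
    }

if __name__ == "__main__":
    for name, result in audit(SSHD_EFFECTIVE, AUTHORIZED_KEYS).items():
        print(name, result)
```

On a real host, feed `audit()` the captured `sshd -T -C user=...` output for each account and the contents of each account's authorized_keys (and any AuthorizedKeysFile override). A key that shows up under more than one service account is exactly what lets the leaked script's key fallback succeed on the next host once it has one.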

The broader lesson here echoes a problem defenders keep running into: organizations log far more attacker activity than they ever alert on. Detection that exists on paper but never fires is the gap groups like ShinyHunters live in. The value of this particular incident is that the attackers handed everyone a concrete set of behaviors and indicators to test their detections against. Use them while they are fresh, and verify that your SIEM and EDR rules would actually catch an SSH credential spray against an Oracle service account before someone runs one against you.
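To make that verification concrete, here is an added example, not code from the article, the researcher or the attackers, that runs the published indicators and the behaviour attributed to the leaked script against sshd log lines: a source failing passwords for the psoft, oracle and linuxadm accounts across several hosts in a short window, and a public-key login to one of those accounts right after password failures from the same source, which is the fallback the script is described as using. The IP list is the one published above, kept defanged and refanged in code; the hostnames, internal addresses, timestamps and thresholds in the sample are constructed assumptions. The same IOC set belongs in your web and application tier access logs too, which this sshd-only parser does not cover.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not from the article or the researcher's tooling): run the
# published indicators and the leaked script's SSH behaviour against sshd log
# lines. Hostnames and internal addresses in the sample are constructed.
IOC_IPS_DEFANGED = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188", "142.11.200[.]189",
    "142.11.200[.]190", "108.174.202[.]99", "176.120.22[.]24",
]
SERVICE_ACCOUNTS = {"psoft", "oracle", "linuxadm"}

def refang(ioc):
    """Undo the [.] defanging used in the published list."""
    return ioc.replace("[.]", ".")

IOC_IPS = {refang(i) for i in IOC_IPS_DEFANGED}

# OpenSSH authentication results as written to syslog (no year in the timestamp).
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_sshd_line(line):
    m = SSHD_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    # strptime fills in year 1900; only relative times matter below
    e["ts"] = datetime.strptime(" ".join(e["ts"].split()), "%b %d %H:%M:%S")
    return e

def ioc_hits(events):
    """Any authentication attempt, successful or not, from a listed address."""
    return [(e["src"], e["host"], e["user"]) for e in events if e["src"] in IOC_IPS]

def detect_spray(events, window_s=60, min_hosts=2, min_failures=3):
    """One source failing passwords for service accounts on several hosts, or
    several times, inside the window: the pattern the leaked script produces."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password" and e["user"] in SERVICE_ACCOUNTS:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            hosts = {e["host"] for e in window}
            if len(hosts) >= min_hosts or len(window) >= min_failures:
                f = findings.setdefault(src, {"hosts": set(), "accounts": set(), "failures": 0})
                f["hosts"] |= hosts
                f["accounts"] |= {e["user"] for e in window}
                f["failures"] = max(f["failures"], len(window))
    return findings

def detect_password_then_key(events, window_s=60):
    """Password failures followed by a public-key login to the same account from
    the same source: the script's reported fallback from passwords to keys."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failures[(e["src"], e["host"], e["user"])].append(e["ts"])
    flagged = []
    for e in events:
        key = (e["src"], e["host"], e["user"])
        if e["result"] == "Accepted" and e["method"] == "publickey" and e["user"] in SERVICE_ACCOUNTS:
            if any(0 <= (e["ts"] - t).total_seconds() <= window_s for t in failures.get(key, [])):
                flagged.append(key)
    return flagged

def hunt(lines):
    events = [e for e in map(parse_sshd_line, lines) if e]
    return {
        "ioc_hits": ioc_hits(events),
        "spray": detect_spray(events),
        "password_then_key": detect_password_then_key(events),
    }

# Constructed sample log: a spray from an internal host that ends in a key login,
# one benign interactive login, and one probe from a listed address.
SAMPLE_LOG = """\
Mar 14 02:11:05 pshr-app01 sshd[4120]: Failed password for psoft from 10.20.5.44 port 51022 ssh2
Mar 14 02:11:06 pshr-app01 sshd[4120]: Failed password for psoft from 10.20.5.44 port 51022 ssh2
Mar 14 02:11:09 pshr-app01 sshd[4125]: Accepted publickey for psoft from 10.20.5.44 port 51030 ssh2: ED25519 SHA256:placeholder
Mar 14 02:11:12 pshr-web01 sshd[2210]: Failed password for oracle from 10.20.5.44 port 51040 ssh2
Mar 14 02:11:13 pshr-web01 sshd[2210]: Failed password for linuxadm from 10.20.5.44 port 51041 ssh2
Mar 14 02:11:40 pshr-web01 sshd[2301]: Accepted password for jsmith from 10.20.9.7 port 40022 ssh2
Mar 14 02:12:01 pshr-web01 sshd[2390]: Failed password for psoft from 142.11.200.186 port 38812 ssh2
""".splitlines()

if __name__ == "__main__":
    for name, result in hunt(SAMPLE_LOG).items():
        print(name, result)
```

Point `hunt()` at the sshd lines from /var/log/auth.log or `journalctl -u ssh` on every PeopleSoft web and application host, and note that the spray source in a real incident will usually be an internal address, since the script runs from a box the attackers already hold. If your SIEM rule does not fire on this sample, it would not have fired on the real thing either.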
