PeopleSoft zero-day affects hundreds of organizations, steals gigabytes of data
Active exploitation of a PeopleSoft zero-day vulnerability has led to data theft from hundreds of organizations, with stolen information published by the ShinyHunters group. Security firms Mandiant and Rapid7 are providing guidance.
Mandiant researchers have discovered an actively exploited zero-day vulnerability in Oracle PeopleSoft systems affecting hundreds of organizations. The attacks resulted in the theft of gigabytes of data, which were subsequently published on the ShinyHunters data leak site (DLS).
Analysis of a bash script left in the staging environment revealed that the attackers conducted reconnaissance on compromised organizations, including mapping PeopleSoft configurations, viewing process scheduler and WebLogic server XML configurations. They then established an outbound SSH connection to IP address 176.120.22.24, which hosts the ShinyHunters DLS. The stolen data was compressed using the zstd tool before exfiltration.
The DLS claimed to have recovered 48GB of data from a single victim. ShinyHunters has been active since at least 2019 and has executed numerous hacks against major companies such as Ticketmaster (through the Snowflake breach), Santander, and Salesforce, affecting millions of people downstream.
ShinyHunters employs various initial access techniques, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other social engineering methods.
Mandiant and Rapid7 have released detailed indicators of compromise and are advising PeopleSoft customers on immediate steps to take. Given ShinyHunters' track record, all PeopleSoft users are urged to heed these warnings.
