Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations. [...]
# Incident Report: ShinyHunters PeopleSoft Data Theft Campaign
## Executive Summary
The ShinyHunters extortion gang is conducting a widespread campaign targeting Oracle PeopleSoft instances across more than 100 organizations. By leveraging a "gadget chain" of vulnerabilities (including alleged zero-days), the group has exfiltrated sensitive data primarily from the education sector for extortion purposes. The attack involves the automated deployment of MeshCentral agents and credential spraying directed at administrative accounts.
## Incident Details
- **Discovery Date:** June 9, 2026 (Publicly reported June 10, 2026)
- **Incident Date:** Ongoing (June 2026)
- **Affected Organization:** 100+ organizations (including Nottingham University; attempted attack on FBI)
- **Sector:** Education (Primary), Government, Finance, Healthcare
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Early June 2026
- **Vector:** Exploitation of an Oracle PeopleSoft "gadget chain" (older vulnerabilities chained with alleged zero-days)
- **Details:** Attackers target internet-facing PeopleSoft web/application servers. Success appears dependent on specific instance configurations.
### Lateral Movement
- **Mechanism:** Shell scripts parse `/etc/hosts` to identify internal PeopleSoft-related systems.
- **Method:** Automated SSH connections to internal hosts using common administrative accounts via credential spraying and SSH key fallback.
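The credential-spraying step above leaves a recognisable trace in `sshd` logs: one source failing against several named administrative accounts in quick succession, sometimes followed by a success (password or key). The following detection, added here as an example and not part of the original report, runs over constructed sample log lines; the watchlist is the set of accounts the report names, and the host name, IPs and fingerprints are invented.

```python
import re
from collections import defaultdict

# Administrative accounts the report names as spraying targets; extend per site.
WATCHLIST = {"psoft", "oracle", "linuxadm"}

# OpenSSH sshd auth lines in syslog format. Handles "invalid user" and both
# password and publickey results.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample: one source sprays three admin accounts on an app server
# and then gets in; a second source is ordinary admin activity.
SAMPLE_LOG = """\
Jun  9 02:14:01 psapp01 sshd[4121]: Failed password for psoft from 10.20.5.14 port 51022 ssh2
Jun  9 02:14:02 psapp01 sshd[4123]: Failed password for oracle from 10.20.5.14 port 51024 ssh2
Jun  9 02:14:02 psapp01 sshd[4125]: Failed password for invalid user linuxadm from 10.20.5.14 port 51026 ssh2
Jun  9 02:14:03 psapp01 sshd[4127]: Failed publickey for psoft from 10.20.5.14 port 51028 ssh2: RSA SHA256:cOnStRuCtEd
Jun  9 02:14:05 psapp01 sshd[4129]: Accepted password for oracle from 10.20.5.14 port 51030 ssh2
Jun  9 02:30:11 psapp01 sshd[4200]: Accepted publickey for psoft from 10.20.1.9 port 40110 ssh2: ED25519 SHA256:cOnStRuCtEd
Jun  9 02:31:00 psapp01 sshd[4201]: Failed password for dba1 from 10.20.1.9 port 40112 ssh2
""".splitlines()

def detect_spray(lines, min_accounts=3):
    """Return {src_ip: {"users": set, "success": [(user, method), ...]}} for
    sources that failed against >= min_accounts distinct watchlist accounts.
    Any later Accepted from such a source is listed so responders can see
    whether the spray worked (the SSH-key fallback shows up here as well)."""
    failed, accepted = defaultdict(set), defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] not in WATCHLIST:
            continue
        if m["result"] == "Failed":
            failed[m["src"]].add(m["user"])
        else:
            accepted[m["src"]].append((m["user"], m["method"]))
    return {src: {"users": users, "success": accepted.get(src, [])}
            for src, users in failed.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    for src, hit in detect_spray(SAMPLE_LOG).items():
        print(f"{src}: sprayed {sorted(hit['users'])}, successes {hit['success']}")
```

Sources that only touch one admin account (a mistyped password) are not flagged; the `min_accounts` threshold is what separates spraying from noise.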
### Data Exfiltration/Impact
- **Details:** Data stolen from an estimated 300 PeopleSoft instances. Nottingham University data was published on the ShinyHunters leak site. Extortion demands are issued to victims via automated ransom notes.
### Detection & Response
- **Discovery:** Triggered by organizations receiving extortion demands and subsequent discovery of exposed attacker staging directories by independent researchers.
- **Response actions:** Nottingham University acknowledged a cybersecurity incident; researchers published IOCs to facilitate industry-wide hunting.
## Attack Methodology
- **Initial Access:** Exploitation of PeopleSoft vulnerabilities (vulnerability chain).
- **Persistence:** Deployment of MeshCentral agents (Remote Monitoring and Management tool).
- **Privilege Escalation:** Not explicitly detailed, but targets administrative accounts (`psoft`, `oracle`, `linuxadm`).
- **Defense Evasion:** Use of legitimate TLS certificates (e.g., `azurenetfiles[.]net`) to mimic cloud services.
- **Credential Access:** Credential spraying and testing for unauthorized SSH key-based access.
- **Discovery:** Parsing of local `/etc/hosts` files to map internal network architecture.
- **Lateral Movement:** SSH-based movement from compromised web-tier servers to internal application/database servers.
- **Collection:** Targeting ERP data including HR, payroll, and finance records.
- **Exfiltration:** Transfer of data to ShinyHunters-controlled infrastructure.
- **Impact:** Data breach and extortion; defacement via ransom notes (`README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`).
## Impact Assessment
- **Financial:** Significant potential costs due to extortion demands and recovery efforts.
- **Data Breach:** High volume; PII, payroll, and student administration data from 100+ organizations.
- **Operational:** Business disruption for organizations needing to take PeopleSoft instances offline for remediation.
- **Reputational:** Public disclosure of stolen data on leak sites.
## Indicators of Compromise
### Network Indicators
- azurenetfiles[.]net (C2 domain)
### File Indicators
- `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` (Ransom note)
- MeshCentral agent binaries
- `.bash_history` files on staging servers containing attack scripts
## Response Actions
- **Containment:** Affected organizations advised to remove PeopleSoft servers from internet access immediately.
- **Eradication:** Identification and removal of MeshCentral agents and unauthorized SSH keys.
- **Recovery:** Restoring from backups and patching PeopleSoft instances to the latest secure configuration.
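The eradication step above (unauthorized SSH keys) and the file indicators (the ransom note) can be hunted with a small host audit. The script below is an added example, not tooling from the report or from Oracle: it parses `authorized_keys` for the admin accounts the report names, flags key blobs absent from a site allowlist, and searches for the ransom-note filename. The filesystem layout, key blobs and allowlist are constructed fixtures.

```python
import tempfile
from pathlib import Path

RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"  # filename from the report
ADMIN_ACCOUNTS = ("psoft", "oracle", "linuxadm")          # accounts named in the report
APPROVED = {"AAAAC3approvedKEY=="}  # constructed allowlist of known-good key blobs

def parse_authorized_keys(text):
    """Yield (key_type, blob, comment) per key line; skips blanks/comments and
    leading options such as no-pty,from=... (options with quoted spaces not handled)."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or len(parts) < idx + 2:
            continue
        yield parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])

def audit_host(root, approved_blobs):
    """Flag authorized_keys entries for the admin accounts whose key blob is not
    in the allowlist, and any ransom-note file anywhere under `root`."""
    root = Path(root)
    findings = {"unknown_keys": [], "ransom_notes": []}
    for user in ADMIN_ACCOUNTS:
        ak = root / "home" / user / ".ssh" / "authorized_keys"
        if ak.is_file():
            for ktype, blob, comment in parse_authorized_keys(ak.read_text()):
                if blob not in approved_blobs:
                    findings["unknown_keys"].append((user, ktype, comment))
    for path in root.rglob(RANSOM_NOTE):
        findings["ransom_notes"].append(path.relative_to(root).as_posix())
    return findings

def build_sample_host():
    """Constructed fixture standing in for an app server's filesystem root."""
    root = Path(tempfile.mkdtemp())
    for user, keys in {
        "psoft": "# jumphost key\nssh-ed25519 AAAAC3approvedKEY== ops@jumphost\n"
                 'no-pty,from="10.0.0.0/8" ssh-rsa AAAAB3unknownKEY==\n',
        "oracle": "ssh-rsa AAAAB3unknownKEY==\n",
    }.items():
        ssh = root / "home" / user / ".ssh"
        ssh.mkdir(parents=True)
        (ssh / "authorized_keys").write_text(keys)
    note_dir = root / "opt" / "psft"
    note_dir.mkdir(parents=True)
    (note_dir / RANSOM_NOTE).write_text("constructed ransom note\n")
    return root

if __name__ == "__main__":
    print(audit_host(build_sample_host(), APPROVED))
```

Run against `/` on a real host, the same function reports any key the site did not provision, which is the artefact the eradication step removes.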
## Lessons Learned
- **ERP Vulnerability:** Large-scale ERP systems like PeopleSoft are high-value targets due to the concentration of sensitive data.
- **Dependency on Config:** The attackers themselves noted that some configurations resisted exploitation, suggesting that hardening and "least privilege" configurations are effective.
- **Monitoring Infrastructure:** Legitimate RMM tools (MeshCentral) continue to be a preferred method for persistence by extortion groups.
## Recommendations
- **Immediate Patching:** Apply all Oracle Critical Patch Updates (CPU) for PeopleSoft and WebLogic.
- **Network Segmentation:** Ensure PeopleSoft application and database servers are not directly reachable from the internet; use a VPN or zero-trust gateway.
- **Account Security:** Disable or rename default accounts like `psoft` and `oracle`. Implement MFA for all administrative access.
- **Egress Filtering:** Restrict servers from communicating with unauthorized external IP addresses or RMM-related domains.