Source headline: University of Nottingham is first of many, Shiny tells The Reg
# Incident Report: Exploitation of Oracle PeopleSoft 0-day by ShinyHunters
## Executive Summary
The cybercriminal group "ShinyHunters" exploited a critical zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft to compromise over 100 organizations globally. The University of Nottingham was identified as a primary victim, resulting in the theft and subsequent leak of 40 GB of sensitive student and billing data. The incident highlights a massive supply-chain risk involving enterprise resource planning (ERP) software used by high-value targets.
## Incident Details
- **Discovery Date:** June 9, 2026 (when the data appeared on the leak site)
- **Incident Date:** Ongoing/June 2026
- **Affected Organization:** University of Nottingham (Confirmed); ~100 others (Claimed)
- **Sector:** Education / Enterprise Software
- **Geography:** Global (United Kingdom confirmed)
## Timeline of Events
### Initial Access
- **Date/Time:** Early June 2026
- **Vector:** Zero-day exploitation (CVE-2026-35273)
- **Details:** Attackers exploited a critical vulnerability in Oracle PeopleSoft Enterprise PeopleTools via unauthenticated HTTP requests.
### Lateral Movement
- **Details:** Upon exploitation, the vulnerability allowed for a full takeover of the PeopleSoft platform, providing access to integrated databases and sensitive application modules.
### Data Exfiltration/Impact
- **Details:** ShinyHunters exfiltrated 40 GB of data from the University of Nottingham, including personal information and billing records of hundreds of thousands of current and former students.
### Detection & Response
- **June 9, 2026:** ShinyHunters posted University of Nottingham data on their leak site.
- **June 10, 2026:** University of Nottingham confirmed the breach; Oracle issued an out-of-band security alert.
- **June 11, 2026:** Mandiant confirmed active exploitation in the wild and noted that Oracle released mitigations.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-35273 (CVSS 9.8).
- **Persistence:** Not explicitly detailed, but the vulnerability allows for full platform takeover.
- **Defense Evasion:** Use of a zero-day vulnerability allowed the group to bypass standard signature-based defenses.
- **Lateral Movement:** Native access within the PeopleSoft suite to reach billing and human resources modules.
- **Exfiltration:** Standard data egress of flat files (40 GB).
- **Impact:** Data theft and public extortion (leaking the data when the ransom was refused).
## Impact Assessment
- **Financial:** Extensive costs associated with forensic investigation, notifications, and potential regulatory fines.
- **Data Breach:** 40 GB containing PII and billing records for hundreds of thousands of individuals.
- **Operational:** Compromise of the primary ERP system used for student management and billing.
- **Reputational:** Public listing on a high-profile extortion site and subsequent media coverage.
## Indicators of Compromise
- **Network indicators:** Unusual HTTP traffic patterns targeting PeopleSoft Enterprise PeopleTools endpoints.
- **Behavioral indicators:** Large-scale data transfers (40 GB+) from PeopleSoft database servers to external IP addresses.
- **Vulnerability:** CVE-2026-35273.
## Response Actions
- **Containment:** Oracle issued an emergency out-of-band security alert and mitigation guidance.
- **Eradication:** Implementation of mitigations provided by Oracle while awaiting final patches.
- **Recovery:** University of Nottingham issued public notification to students and alumni regarding the compromise.
## Lessons Learned
- **Zero-Day Vulnerability Management:** Dependency on massive ERP suites like PeopleSoft creates a single point of failure; organizations must be prepared for "patch-gap" periods.
- **Extortion Tactics:** ShinyHunters continues to follow a "steal-and-leak" methodology, prioritizing data theft over encryption (ransomware).
- **Visibility:** High-value enterprise software requires rigorous monitoring of HTTP traffic for anomalous unauthenticated requests.
## Recommendations
- **Immediate Mitigation:** Apply the out-of-band mitigations provided in the Oracle security alert (June 10, 2026).
- **Patch Management:** Prioritize the installation of the official Oracle patch immediately upon release.
- **Network Segmentation:** Isolate ERP systems behind Web Application Firewalls (WAF) and restrict access to authorized IP ranges where possible.
- **Monitoring:** Implement logging and alerting for unauthenticated access attempts to `PeopleTools` components.