Full Report
Oracle still hasn't patched the vulnerability the group has been using in its attacks since late May. (Source: "ShinyHunters is actively extorting universities after exploiting an unpatched Oracle flaw", CyberScoop.)
Analysis Summary
# Incident Report: ShinyHunters Exploitation of Oracle PeopleSoft Zero-Day
## Executive Summary
The cybercrime group ShinyHunters is currently conducting a widespread data theft and extortion campaign by exploiting a zero-day vulnerability in Oracle PeopleSoft. The campaign has targeted over 100 organizations, with a significant focus (68%) on the higher education sector. Despite active exploitation and ongoing extortion, a formal patch has not yet been released by the vendor.
## Incident Details
- **Discovery Date:** Early June 2026 (Reported by Mandiant/Google)
- **Incident Date:** Ongoing since at least May 27, 2026
- **Affected Organizations:** 100+ (including the University of Nottingham)
- **Sector:** Primarily Higher Education (68% of identified victims)
- **Geography:** Global; predominantly United States
## Timeline of Events
### Initial Access
- **Date/Time:** May 27, 2026 (Earliest recorded exploitation)
- **Vector:** Exploitation of CVE-2026-35273
- **Details:** Attackers exploited a defect in Oracle PeopleSoft PeopleTools allowing unauthenticated remote code execution (RCE).
### Lateral Movement
- **Details:** Specific lateral movement techniques were not detailed in the report, though the exploit allows for total server takeover, providing a foothold for further network infiltration.
### Data Exfiltration/Impact
- **Details:** ShinyHunters began exfiltrating sensitive data, specifically targeting student and alumni records. On June 9, 2026 (Tuesday), the group began naming victims and leaking stolen data on public forums to pressure organizations into paying extortion demands.
### Detection & Response
- **Detection:** Mandiant and Google Threat Intelligence identified the activity through ongoing monitoring of ShinyHunters operations.
- **Response:** Google notified over 100 organizations that they had vulnerable endpoints. Oracle released a security alert with mitigation steps on June 10, 2026; a patch remains pending.
## Attack Methodology
- **Initial Access:** RCE via CVE-2026-35273 in Oracle PeopleSoft PeopleTools.
- **Persistence:** Not detailed in the report; the exploit yields full control of the affected server, which is sufficient to establish persistence.
- **Privilege Escalation:** Not needed for initial access: the vulnerability is exploitable without authentication and results directly in takeover of the affected server.
- **Defense Evasion:** Exploitation of a vulnerability unknown to the vendor at the time, for which no patch or detection signatures existed.
- **Collection:** Gathering sensitive student, alumni, HR, and CRM data.
- **Exfiltration:** Transfer of data to attacker-controlled infrastructure for extortion.
- **Impact:** Public data leaks and financial extortion.
## Impact Assessment
- **Financial:** Total costs unknown; they include extortion demands and potential regulatory fines.
- **Data Breach:** "Significant amount" of student and alumni data (confirmed by University of Nottingham).
- **Operational:** Disruption to university administration and to the HR/CRM functions that depend on PeopleSoft.
- **Reputational:** High public impact due to the naming and shaming of educational institutions.
## Indicators of Compromise
- **Network indicators:** None listed in the article (refer to Google/Mandiant intelligence feeds).
- **File indicators:** None listed in the article.
- **Behavioral indicators:** Unauthenticated requests to Internet-exposed PeopleTools endpoints that result in code execution; large outbound data transfers from the PeopleSoft environment.
## Response Actions
- **Containment:** Google/Mandiant provided early warning to potential victims to isolate vulnerable instances.
- **Eradication:** Implementation of Oracle's recommended mitigation steps (the article does not reproduce them; see Oracle's June 10 security alert).
- **Recovery:** Organizations like University of Nottingham are currently managing data breach notifications and student support.
## Lessons Learned
- **Zero-Day Lag:** The two-week gap between the earliest observed exploitation (May 27) and the vendor's security alert (June 10) left victims exposed with no guidance, and no patch exists even after disclosure.
- **Sector Targeting:** Threat actors are increasingly targeting the education sector due to the high volume of sensitive personal data and potentially aging ERP infrastructure.
- **Concentration Risk:** Widespread reliance on a single ERP product such as PeopleSoft means one vulnerability can expose hundreds of organizations simultaneously.
## Recommendations
- **Immediate Mitigation:** Apply Oracle's interim mitigation steps now; a patch is not yet available.
- **Exposure Reduction:** Continuously inventory and scan for Internet-exposed Oracle PeopleSoft instances and prioritize them for mitigation and containment, since emergency patching is not yet an option.
- **Zero Trust:** Implement strict network segmentation to ensure that compromised web-facing servers cannot easily communicate with internal databases containing student records.
- **Monitoring:** Monitor outbound traffic from ERP servers for unusual destinations and volumes, and watch for single clients pulling unusually large amounts of data through the portal, to identify exfiltration in progress.
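The behavioral indicators listed above and the segmentation and monitoring recommendations can be turned into two cheap detections. The following is an added example, not code from the CyberScoop article, Oracle or Mandiant. It assumes Apache combined-format access logs on the PeopleSoft web tier, the standard PIA URL prefixes `/psp/` and `/psc/`, a per-client threshold of 50 MB of response data in a 10-minute window, and an egress allowlist for the application servers that encodes the intended segmentation policy. All log lines, flow records, hostnames and addresses are constructed.

```python
"""Detections for the two behavioral indicators above, run over constructed
PeopleSoft web/app-tier telemetry.

Added example; not code from the CyberScoop article, Oracle or Mandiant.
Assumptions: Apache combined-format access logs on the PIA web tier, the
standard PIA URL prefixes /psp/ and /psc/, a 50 MB / 10 min per-client
threshold, and an egress allowlist for the app servers. All data is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
PIA_PREFIXES = ("/psp/", "/psc/")  # PeopleSoft Pure Internet Architecture paths

# Constructed access-log lines: one client pulls ~60 MB of query output in a few
# minutes, another just signs on, and one line is malformed.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [08/Jun/2026:02:14:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/QUERY_MANAGER.QUERY_VIEWER.GBL HTTP/1.1" 200 48211
203.0.113.7 - - [08/Jun/2026:02:14:09 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.ALUMNI_CONTACTS HTTP/1.1" 200 31457280
203.0.113.7 - - [08/Jun/2026:02:17:42 +0000] "GET /psc/ps/EMPLOYEE/HRMS/q/?ICAction=ICQryNameURL=PUBLIC.STUDENT_ENROLL HTTP/1.1" 200 29360128
198.51.100.23 - - [08/Jun/2026:02:15:30 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 6031
198.51.100.23 - - [08/Jun/2026:02:15:44 +0000] "POST /psp/ps/?cmd=login&languageCd=ENG HTTP/1.1" 302 -
garbage line that the parser must skip
"""

# Constructed flow records for the PeopleSoft application servers, e.g. from a
# firewall or NetFlow export. The allowlist is the segmentation policy: DB tier,
# log collector and the app tier itself. Anything else is a finding.
ERP_SERVERS = ["10.20.30.11", "10.20.30.12"]
ALLOWED_EGRESS = ["10.20.40.0/24", "10.20.50.5/32", "10.20.30.0/24"]
SAMPLE_FLOWS = [
    {"src": "10.20.30.11", "dst": "10.20.40.10", "dport": 1521, "bytes": 884_201},
    {"src": "10.20.30.11", "dst": "10.20.50.5", "dport": 514, "bytes": 12_004},
    {"src": "10.20.30.12", "dst": "192.0.2.55", "dport": 443, "bytes": 1_932_735_283},
    {"src": "10.20.60.9", "dst": "192.0.2.55", "dport": 443, "bytes": 5_120},  # not an ERP host
]


def parse_access_line(line):
    """Parse one combined-format line; return None for anything that does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def flag_bulk_downloads(lines, window_s=600, threshold_bytes=50 * 1024 * 1024):
    """Sum response bytes per (client IP, aligned time window) over PIA paths and
    return (ip, window_start_epoch, bytes) for every window above the threshold.
    Bulk pulls of student/alumni records show up here even when each request
    on its own looks like normal portal use."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or not rec["path"].startswith(PIA_PREFIXES):
            continue
        window = int(rec["ts"].timestamp()) // window_s * window_s
        totals[(rec["ip"], window)] += rec["size"]
    return sorted((ip, w, n) for (ip, w), n in totals.items() if n > threshold_bytes)


def flag_unexpected_egress(flows, server_ips, allowed_cidrs):
    """Return flows initiated by an ERP server whose destination is outside the
    allowlist. In a correctly segmented deployment this is empty; a hit is either
    a policy gap or server-initiated exfiltration/C2 that needs investigating."""
    servers = {ipaddress.ip_address(s) for s in server_ips}
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for f in flows:
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src in servers and not any(dst in net for net in allowed):
            findings.append(f)
    return findings


if __name__ == "__main__":
    for ip, window, total in flag_bulk_downloads(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"bulk download: {ip} pulled {total} bytes in window starting {window}")
    for f in flag_unexpected_egress(SAMPLE_FLOWS, ERP_SERVERS, ALLOWED_EGRESS):
        print(f"unexpected egress: {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

The first detection is client-side: it aggregates response bytes per source over a fixed window rather than alerting on any single request, because exfiltration through a portal usually looks like many ordinary-sized page and query loads. The second is server-side: the allowlist is the same policy a segmented network would enforce at the firewall, so running it against flow data both catches server-initiated egress and audits whether the segmentation actually holds. Tune the threshold and window to the real portal's traffic before relying on it.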