Full Report
Mandiant and Google Threat Intelligence Group (GTIG) have identified an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026 and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component. The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day. Upon becoming aware of active scanning and exploitation, we initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints. Most of these organizations were based in the United States, and 68 percent operated within the higher education sector. Subsequently, public reports by @nahamike01 on X highlighted open attacker directories on the staging servers, allowing GTIG to perform a detailed triage of the threat actor's operations.
Analysis Summary
# Incident Report: UNC6240 (ShinyHunters) Targeting Oracle PeopleSoft
## Executive Summary
Between May 27 and June 9, 2026, threat actor UNC6240 (ShinyHunters) executed a global extortion campaign exploiting a zero-day vulnerability (CVE-2026-35273) in Oracle PeopleSoft. The attackers targeted the Environment Management Hub (PSEMHUB) to gain remote code execution, primarily focusing on the higher education sector. The incident resulted in significant data theft and public leaks on the ShinyHunters extortion site.
## Incident Details
- **Discovery:** Mandiant/GTIG observed active scanning and exploitation during the May 27 – June 9, 2026 activity window; open attacker staging directories were subsequently reported publicly by @nahamike01 on X
- **Incident Date:** May 27, 2026 – June 9, 2026
- **Affected Organization:** Over 100 global organizations
- **Sector:** Higher Education (68%), diverse global sectors
- **Geography:** Predominantly United States; Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 27, 2026
- **Vector:** Exploitation of CVE-2026-35273 (Zero-Day)
- **Details:** Attackers exploited a critical RCE vulnerability (CVSS 9.8) in the PeopleSoft Environment Management component by targeting PSEMHUB endpoints.
### Lateral Movement
- **Technique:** Deployment of custom scripts and remote access tools.
- **Details:** The threat actor used a custom shell script titled `[victim_abbreviation]_fanout.sh` for propagation and lateral movement across the infrastructure.
### Data Exfiltration/Impact
- **Date:** Within the May 27 – June 9, 2026 activity window (the report does not give a separate leak date)
- **Details:** Stolen organizational data was published on the ShinyHunters Data Leak Site (DLS). Attackers also placed defacement markers titled `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` on compromised systems.
### Detection & Response
- **Detection:** Mandiant/GTIG observed active scanning; subsequently, security researcher @nahamike01 identified open attacker staging directories.
- **Response Actions:** GTIG notified over 100 affected organizations; Oracle released an emergency advisory/patch on June 10, 2026.
## Attack Methodology
- **Initial Access:** RCE via CVE-2026-35273 targeting `/PSEMHUB/hub`.
- **Persistence:** Installation of customized MeshCentral agents (Windows/Linux).
- **Defense Evasion:** Masquerading agents as "Azure" services; using the domain `azurenetfiles[.]net` to mimic legitimate Microsoft traffic; hosting staging files on Python SimpleHTTP servers.
- **Discovery:** Active scanning of PSEMHUB endpoints.
- **Lateral Movement:** Execution of `fanout.sh` scripts tailored to specific victims.
- **Exfiltration:** Transfer of sensitive data to attacker-controlled infrastructure for extortion.
- **Impact:** Administrative command execution, data breach, and system defacement.
## Impact Assessment
- **Financial:** Potential extortion payments and high remediation costs for 100+ entities.
- **Data Breach:** Stolen organizational data published on the ShinyHunters Data Leak Site.
- **Operational:** Disruption of PeopleSoft applications; requirement to disable critical services (EMHub) for mitigation.
- **Reputational:** Significant public exposure for universities and academic institutions.
## Indicators of Compromise
- **Network Indicators:**
- `142[.]11[.]200[.]186` through `142[.]11[.]200[.]190`
- `azurenetfiles[.]net`
- `wss://azurenetfiles[.]net:443/agent[.]ashx`
- **File Indicators (Hashes):**
- `meshagent64-azure-ops.exe` (f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc)
- `meshagent` (68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309)
- **Behavioral Indicators:** Unexpected `.jsp` files in `PSEMHUB.war` directory; outbound SMB traffic from PeopleSoft servers to untrusted IPs.
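The indicators above are only useful once they are run against the web tier's own logs. The following Python script is an added example, not code from the GTIG report: it parses Apache/WebLogic-style access log lines, flags requests to `/PSEMHUB/` and `/PSIGW/HttpListeningConnector` from sources outside a trusted range, flags hits from the `142.11.200.186-190` range, and separately matches proxy/DNS hostnames against `azurenetfiles.net`. The log lines are constructed, and the `10.0.0.0/8` trusted range is an assumption to be replaced with the site's admin/VPN networks.

```python
"""Triage PeopleSoft web-tier access logs against the UNC6240 indicators.

Added example (not part of the GTIG report). Log lines are constructed;
TRUSTED_NETS is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Network indicators from the report, with the defanging brackets removed.
IOC_IP_LOW = ipaddress.ip_address("142.11.200.186")
IOC_IP_HIGH = ipaddress.ip_address("142.11.200.190")
IOC_DOMAINS = ("azurenetfiles.net",)

# Endpoints the report says must not be reachable from outside.
SENSITIVE_PREFIXES = ("/PSEMHUB/", "/PSIGW/HttpListeningConnector")

# Assumed trusted source networks (replace with real admin/VPN ranges).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Common log format: client - - [ts] "METHOD PATH PROTO" STATUS ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign portal hit, one IOC-range hit on the hub,
# one external hit on the gateway, one internal hub hit, one external JSP hit.
SAMPLE_LOG = """\
10.20.30.40 - - [28/May/2026:09:14:02 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 18342
142.11.200.188 - - [28/May/2026:09:15:11 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 512
203.0.113.77 - - [28/May/2026:09:16:40 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 731
10.20.30.41 - - [28/May/2026:09:17:03 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 230
198.51.100.9 - - [28/May/2026:09:18:55 +0000] "GET /PSEMHUB/test.jsp HTTP/1.1" 200 44
"""


@dataclass
class Finding:
    ip: str
    path: str
    reasons: list = field(default_factory=list)


def _parse_ip(ip: str):
    try:
        return ipaddress.ip_address(ip)
    except ValueError:
        return None


def in_ioc_range(ip: str) -> bool:
    """True if ip falls inside the 142.11.200.186-190 range from the report."""
    addr = _parse_ip(ip)
    return addr is not None and addr.version == 4 and IOC_IP_LOW <= addr <= IOC_IP_HIGH


def is_ioc_host(host: str) -> bool:
    """Match the IOC domain and any subdomain of it (proxy/DNS log use)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def is_trusted(ip: str, trusted_nets) -> bool:
    addr = _parse_ip(ip)
    return addr is not None and any(addr in net for net in trusted_nets)


def triage(log_text: str, trusted_nets=TRUSTED_NETS) -> list:
    """Return one Finding per log line that matches at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m["ip"], m["path"].split("?", 1)[0]
        reasons = []
        if in_ioc_range(ip):
            reasons.append("source is a known UNC6240 IP")
        if path.startswith(SENSITIVE_PREFIXES) and not is_trusted(ip, trusted_nets):
            reasons.append("external access to " + path)
        if path.startswith("/PSEMHUB/") and path.lower().endswith(".jsp"):
            reasons.append("JSP request under /PSEMHUB/ (possible webshell)")
        if reasons:
            findings.append(Finding(ip, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ip, f.path, "; ".join(f.reasons))
```

Run it against the real access logs (`triage(open(path).read())`) after replacing `TRUSTED_NETS`; the internal hit on `/PSEMHUB/hub` in the sample is deliberately not flagged, which is the behaviour you want once the endpoint is restricted to administrative networks.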
## Response Actions
- **Containment:** Disable the Environment Management Hub (EMHub) service until the patch is applied.
- **Eradication:** Block external access to `/PSEMHUB/*` and `/PSIGW/HttpListeningConnector`; remove any unexpected `.jsp` files from the `PSEMHUB.war` directory and any MeshCentral agents not deployed by the organization.
- **Recovery:** Apply Oracle's patch for CVE-2026-35273 from the June 10, 2026 advisory; purge unexpected `.xml` files in `envmetadata` directories.
## Lessons Learned
- **Zero-Day Preparedness:** Internet-exposed enterprise applications such as PeopleSoft must sit behind network perimeter controls (WAF, IP allowlisting) so that management endpoints like PSEMHUB are unreachable from the internet even before a patch exists.
- **Sector Targeting:** Threat actors like ShinyHunters continue to view the Education sector as a "soft target" with high-value data.
- **Staging Visibility:** Attackers' operational security failures (open directories) can provide vital intelligence for rapid incident response.
## Recommendations
1. **Immediate Patching:** Apply Oracle's patch for CVE-2026-35273 and keep PeopleSoft current with Oracle Critical Patch Updates and Security Alerts.
2. **Hardening:** Permanently disable PSEMHUB if not required for business operations.
3. **Egress Filtering:** Restrict outbound SMB and other non-standard protocol traffic from application servers to the internet, and alert on WebSocket connections from those servers to unknown hosts (the observed MeshAgent beaconed to `wss://azurenetfiles[.]net:443/agent[.]ashx`).
4. **Monitoring:** Implement file integrity monitoring (FIM) for web-tier directories to detect unauthorized `.jsp` or `.xml` uploads.
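Recommendation 4 and the Recovery step above both reduce to the same check: compare the web tier and `envmetadata` against a known-good baseline and flag anything new or changed, with a specific alert for `.jsp` under `PSEMHUB.war` and `.xml` under `envmetadata`, and hash every file against the MeshAgent IOCs. The Python below is an added example, not code from the GTIG report or from Oracle: it builds a baseline from a constructed directory tree, plants the artifacts the report describes, and reports the differences. The directory layout, file contents and the fake agent bytes are all constructed; the two SHA-256 values are the ones listed in the IOC section.

```python
"""Baseline-and-diff integrity check for PeopleSoft web-tier directories.

Added example (not part of the GTIG report). The directory tree and file
contents are constructed; the IOC hashes are the report's.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 values of the MeshCentral agents from the report's IOC list.
IOC_SHA256 = {
    "f02a924c9ff92a8780ce812511341182c6b509d45bc59f3f7b522e37225d24fc": "meshagent64-azure-ops.exe",
    "68257a6f9ff196179ec03624e849927f26599eb180a7c82e14ef5bc4e93bc309": "meshagent",
}

# Directory name -> extensions the report says should not appear unexpectedly.
WATCH_RULES = {"PSEMHUB.war": (".jsp",), "envmetadata": (".xml",)}

FAKE_AGENT_BYTES = b"MZ-constructed-fake-meshagent"  # constructed, not a real binary


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root, taken on a known-good system."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan(root: Path, baseline: dict, ioc_hashes=None) -> list:
    """Return (relative_path, reason) pairs for new, changed, missing or IOC-matching files."""
    ioc_hashes = IOC_SHA256 if ioc_hashes is None else ioc_hashes
    findings, seen = [], set()
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel_path = p.relative_to(root)
        rel = rel_path.as_posix()
        seen.add(rel)
        digest = sha256_of(p)
        if rel not in baseline:
            # Innermost watched ancestor directory, if any (e.g. PSEMHUB.war).
            watched = [d for d in rel_path.parts[:-1] if d in WATCH_RULES]
            if watched and p.suffix.lower() in WATCH_RULES[watched[-1]]:
                findings.append((rel, f"unexpected {p.suffix} file under {watched[-1]}"))
            else:
                findings.append((rel, "file not in baseline"))
        elif baseline[rel] != digest:
            findings.append((rel, "content changed since baseline"))
        if digest in ioc_hashes:
            findings.append((rel, f"SHA-256 matches known MeshAgent IOC ({ioc_hashes[digest]})"))
    for rel in baseline.keys() - seen:
        findings.append((rel, "baseline file missing"))
    return findings


def demo(ioc_hashes=None) -> list:
    """Constructed tree: baseline a clean layout, then plant the artifacts the report describes."""
    root = Path(tempfile.mkdtemp())
    war, meta = root / "webserv" / "PSEMHUB.war", root / "envmetadata"
    (war / "WEB-INF").mkdir(parents=True)
    meta.mkdir()
    (war / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (war / "index.html").write_text("<html>ok</html>")
    (meta / "registry.xml").write_text("<env/>")
    baseline = build_baseline(root)
    # Post-compromise changes (constructed): webshell, rogue peer config,
    # defaced page, dropped agent binary.
    (war / "cmd.jsp").write_text("<% %>")
    (meta / "peer.xml").write_text("<peer/>")
    (war / "index.html").write_text("<html>defaced</html>")
    (root / "tmp").mkdir()
    (root / "tmp" / "meshagent").write_bytes(FAKE_AGENT_BYTES)
    return scan(root, baseline, ioc_hashes)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason}: {rel}")
```

In production, take the baseline on a freshly patched host (or from a vendor-clean install), store it off the server, and run `scan` on a schedule; the constructed `meshagent` here does not match the real IOC hashes and is reported only as a file outside the baseline, which is the correct result.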