ShinyHunters targets Oracle PeopleSoft

A large-scale attack campaign is currently targeting organizations that use Oracle PeopleSoft. The ShinyHunters extortion group claims to have stolen data from hundreds of PeopleSoft environments.

According to information that has come to light, including via BleepingComputer, the attackers are using a combination of older vulnerabilities and as-yet-unknown security flaws. This is said to have granted them access to both cloud environments and locally managed PeopleSoft installations. However, not every environment appears to be vulnerable. The success of the attacks seems to depend in part on how systems are configured and managed.

Hundreds of organizations affected

The scale of the campaign became apparent after several organizations received ransom notes claiming that data had been stolen. ShinyHunters subsequently confirmed that it was behind the attacks and claims that hundreds of PeopleSoft instances have been affected. The group states that this involves more than a hundred separate organizations.

Researchers also found evidence that the attackers had set up their own infrastructure for the operation. Tools related to attacking PeopleSoft environments were discovered on publicly accessible servers. Scripts were also uncovered that are designed to identify PeopleSoft systems and gain access via known administrative accounts.

Traces on these systems indicate that, following a successful breach, attackers automatically post ransom notes on servers within the PeopleSoft environment. In doing so, they attempt to gain SSH access using both passwords and existing authentication keys.

One of the organizations that has publicly confirmed it was the victim of a cyber incident is the University of Nottingham. According to the attackers, data from this institution has since been published on their data leak platform.

Oracle has not yet responded

Oracle has not yet issued a public statement regarding the attacks. As a result, it remains unclear whether the company is investigating a potential zero-day vulnerability in PeopleSoft or whether the attacks are based solely on already known vulnerabilities.

For organizations using PeopleSoft, the campaign serves as a clear warning. Security researchers advise carefully checking log files for suspicious connections and verifying whether systems show signs of unauthorized access. The scale of the attacks suggests that ShinyHunters is actively seeking new targets within the PeopleSoft ecosystem.
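
One way to run the log check advised above against the SSH behaviour described earlier (access attempts using both passwords and existing keys), as an added example that is not from the article or from any researcher's tooling. The log lines, addresses and account names are constructed, and the `min_users` threshold is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# OpenSSH sshd authentication result lines (the syslog prefix is ignored).
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log, not taken from any real incident.
# 10.20.0.15 stands in for a PeopleSoft application server (assumption).
SAMPLE_LOG = """\
Jan 10 02:14:01 db01 sshd[4101]: Failed password for root from 10.20.0.15 port 50112 ssh2
Jan 10 02:14:03 db01 sshd[4103]: Failed password for invalid user appadmin from 10.20.0.15 port 50114 ssh2
Jan 10 02:14:05 db01 sshd[4105]: Failed publickey for oracle from 10.20.0.15 port 50116 ssh2: RSA SHA256:CONSTRUCTED
Jan 10 02:14:06 db01 sshd[4106]: Accepted publickey for oracle from 10.20.0.15 port 50118 ssh2: RSA SHA256:CONSTRUCTED
Jan 10 08:30:12 db01 sshd[5200]: Accepted publickey for deploy from 10.20.0.40 port 41022 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 10 09:01:44 db01 sshd[5310]: Failed password for alice from 10.20.0.77 port 39900 ssh2
Jan 10 09:01:50 db01 sshd[5310]: Accepted password for alice from 10.20.0.77 port 39900 ssh2
""".splitlines()

def summarize_sources(lines):
    """Group sshd auth results by source address."""
    sources = defaultdict(lambda: {"methods": set(), "users": set(),
                                   "failed": 0, "accepted": []})
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue  # not an authentication result line
        s = sources[m["src"]]
        s["methods"].add(m["method"])
        s["users"].add(m["user"])
        if m["result"] == "Accepted":
            s["accepted"].append((m["user"], m["method"]))
        else:
            s["failed"] += 1
    return dict(sources)

def flag_suspicious(lines, min_users=2):
    """Flag sources that tried both passwords and keys against several accounts."""
    return {
        src: s for src, s in summarize_sources(lines).items()
        if {"password", "publickey"} <= s["methods"] and len(s["users"]) >= min_users
    }

if __name__ == "__main__":
    for src, s in flag_suspicious(SAMPLE_LOG).items():
        print(src, sorted(s["users"]), "failed:", s["failed"], "accepted:", s["accepted"])
```

At sshd's default LogLevel, failed key attempts for valid accounts are generally not logged, so the key side of this pattern often shows up only as `Accepted publickey` lines; any flagged source with a non-empty `accepted` list deserves review first.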