ShinyHunters Claims Breach Of Oracle PeopleSoft Servers At 100+ Organizations

A cybercriminal group, ShinyHunters, claimed it breached Oracle PeopleSoft servers of over 100 organizations, including numerous universities, with a member reporting the breach to TechCrunch.

“Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations”

BleepingComputer

TechCrunch said a ShinyHunters member told it the group compromised “more than 100 organizations,” and that the breaches were first reported by BleepingComputer.

BleepingComputer

In a message the hacker said was sent to one of the victims, TechCrunch quoted the claim that “Student, applicant, financial aid, immigration, health, and administrative data has been exfiltrated.”

The stolen data described by TechCrunch included student records with home addresses, phone numbers, emails, and dates of birth, while the group’s original goal was to compromise an FBI PeopleSoft server.

TechCrunch also reported that the attempt to access the FBI server failed and that Oracle did not respond to a request for comment.

BleepingComputer reported that ShinyHunters confirmed it was behind ongoing data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances.

BleepingComputer said the threat actor claimed to have stolen data from 300 instances across more than 100 organizations, and that it used a “gadget chain” of old and zero-day vulnerabilities.

Crypto Briefing

The same BleepingComputer account said ShinyHunters’ initial goal was to breach an FBI portal running PeopleSoft to “publish a statement and set the record straight on some misinsformation that has been spreading.”

BleepingComputer also described cybersecurity researcher “Michael R” finding exposed online directories with tooling for the attack, including staging materials such as MeshCentral agents and a defacement and credential spray script.

BleepingComputer listed multiple IP addresses as IOCs, including 142.11.200[.]186 and 108.174.202[.]99, and said some servers exposed a .bash_history file with a script designed to create a ransom note named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT.”

The TechCrunch account framed the breach as a mass compromise campaign in which ShinyHunters turned “mass hacks into its specialty,” with many targeted schools described as universities.

“A notorious cybercrime group claims a large scale intrusion into widely used enterprise software, targeting universities among other organizations”

mezha.net

TechCrunch reported that the hacker said most targeted schools had already been compromised in earlier, unrelated campaigns, while ShinyHunters claimed it had exfiltrated student and administrative data.

In parallel, Zamin.uz said the group’s message to victims stated that data regarding students, applicants, financial aid, immigration, healthcare, and administrative records were stolen, including students’ home addresses, phone numbers, email addresses, and dates of birth.

Zamin.uz also reported that ShinyHunters said its original goal was to breach the FBI’s PeopleSoft server to issue a statement denying involvement in the “swatting” attacks warned about by the FBI last month, but that the attempt to access the FBI server was unsuccessful.

Zamin.uz added that Oracle had not yet commented on the situation, leaving affected organizations to contend with the claimed exposure of PeopleSoft-linked records and the prospect of further verification and response.