ShinyHunters Steals Data From 100+ Organizations via PeopleSoft

Key Takeaways

- ShinyHunters claims to have stolen data from 300 PeopleSoft instances across 100+ organizations
- The attack uses a 'gadget chain' combining old vulnerabilities with zero-days
- Education sector organizations are the primary targets, with Nottingham University confirmed as a victim
Oracle PeopleSoft servers are under active attack. The ShinyHunters extortion gang claims to have stolen data from more than 100 organizations by exploiting the enterprise resource planning software used to manage HR, payroll, and financial operations.
The group told BleepingComputer it has compromised 300 PeopleSoft instances. Both cloud-hosted and on-premises deployments are affected. Victims are now receiving extortion demands signed by ShinyHunters, threatening to publish stolen data unless payment is made.
How the Attack Works
ShinyHunters says it is using a "gadget chain" of vulnerabilities. This means stringing together multiple security flaws, some old and some zero-day, to gain access. The group admits the technique does not work on every system. Success appears to depend on how each PeopleSoft instance is configured.
Oracle has not responded to BleepingComputer's request for comment about whether a zero-day vulnerability is being exploited. The company has not publicly disclosed any information about these attacks.
Cybersecurity researcher Michael R found several exposed online directories containing attack tooling. These directories revealed staging materials including MeshCentral agents, a defacement script, and a credential spray script.
Who Is Being Targeted
Most victims are in the education sector. Many of these organizations were previously extorted by ShinyHunters. The group specifically named Nottingham University as a confirmed victim. The university released a statement acknowledging it suffered a cybersecurity incident.
In an unusual admission, ShinyHunters revealed its original goal was to breach an FBI portal running PeopleSoft. The group wanted to "publish a statement and set the record straight on some misinformation that has been spreading." That attack failed. They could not gain access to the FBI instance.
Indicators of Compromise
Security teams can check for connections to the following IP addresses linked to the attack campaign:
- 142.11.200.186
- 142.11.200.187
- 142.11.200.188
- 142.11.200.189
- 142.11.200.190
- 108.174.202.99
- 176.120.22.24
Some of these IP addresses used a TLS certificate with the common name "azurenetfiles.net". This domain has been previously linked to ShinyHunters operations.
The Legacy ERP Problem
PeopleSoft is a legacy system. Oracle acquired it in 2005, and many organizations continue to run older versions for mission-critical operations. This creates a security challenge. Administrators on forums like r/sysadmin and r/cybersecurity are expressing frustration with Oracle's patch cycles.
The discussion points to a shift in defensive thinking. Perimeter security is not enough when attackers use gadget chains that exploit internal configuration weaknesses. Organizations running PeopleSoft need to audit their configuration settings, not just apply standard security updates.
This is not the first time ShinyHunters has targeted PeopleSoft environments. In a previous 2025 attack against a major employer, the group stole over 800,000 employee records, including Social Security numbers.
Logicity's Take
What to Do Now
If your organization runs PeopleSoft, take these steps immediately:
- Check network logs for connections to the IOC IP addresses listed above
- Audit your PeopleSoft instance configuration, especially web server and authentication settings
- Review MeshCentral and similar remote management tools for unauthorized installations
- Segment PeopleSoft systems from the broader network to limit lateral movement
- Monitor for extortion communications and report them to law enforcement
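The first item on the checklist above, checking network logs for the listed indicators, is easy to do wrong with a plain text search (a substring match on 142.11.200.186 would also fire on an unrelated 142.11.200.1860). The script below is an added example, not code from the article or from BleepingComputer: it tokenizes each log line into validated IPv4 addresses, matches whole addresses against the IOC list from the article, and separately flags the "azurenetfiles.net" TLS common name. The log lines it scans are constructed sample data, and the firewall/proxy log format they imitate is an assumption; adapt the parsing to your own log source.

```python
import ipaddress
import re
from collections import defaultdict

# IOC IP addresses listed in the article (Indicators of Compromise section).
IOC_IPS = {
    "142.11.200.186",
    "142.11.200.187",
    "142.11.200.188",
    "142.11.200.189",
    "142.11.200.190",
    "108.174.202.99",
    "176.120.22.24",
}

# TLS certificate common name the article links to ShinyHunters infrastructure.
IOC_TLS_CN = "azurenetfiles.net"

# Dotted-quad candidates bounded by non-word characters, so that a longer
# digit run such as 142.11.200.1860 cannot be mistaken for an IOC.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_ips(line):
    """Return every syntactically valid IPv4 address found in a log line."""
    found = []
    for candidate in IPV4_RE.findall(line):
        try:
            ipaddress.IPv4Address(candidate)  # rejects octets > 255
        except ValueError:
            continue
        found.append(candidate)
    return found


def scan_text(text):
    """Scan a block of log text and return a list of hit records.

    Each hit is a dict with the 1-based line number, the matched indicator,
    its kind ("ip" or "tls_cn"), and the original line.
    """
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ip in extract_ips(line):
            if ip in IOC_IPS:
                hits.append({"line": line_no, "indicator": ip,
                             "kind": "ip", "text": line})
        # TLS common name / SNI match, case-insensitive.
        if IOC_TLS_CN in line.lower():
            hits.append({"line": line_no, "indicator": IOC_TLS_CN,
                         "kind": "tls_cn", "text": line})
    return hits


def summarize(hits):
    """Count hits per indicator, useful for a quick triage summary."""
    counts = defaultdict(int)
    for hit in hits:
        counts[hit["indicator"]] += 1
    return dict(counts)


# Constructed sample log lines (assumed firewall/proxy format, not real data).
# Line 4 deliberately contains 142.11.200.1860, which must NOT match.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z fw: ACCEPT src=10.1.20.15 dst=142.11.200.186 dport=443 proto=tcp
2025-01-01T10:00:05Z fw: ACCEPT src=10.1.20.15 dst=52.10.10.10 dport=443 proto=tcp
2025-01-01T10:01:12Z proxy: CONNECT 176.120.22.24:443 sni=azurenetfiles.net user=svc_psoft
2025-01-01T10:02:00Z fw: ACCEPT src=10.1.20.16 dst=142.11.200.1860 dport=80 proto=tcp
2025-01-01T10:03:44Z fw: DROP src=108.174.202.99 dst=10.1.20.15 dport=8000 proto=tcp
"""


if __name__ == "__main__":
    results = scan_text(SAMPLE_LOG)
    for hit in results:
        print(f"line {hit['line']}: {hit['kind']} {hit['indicator']} :: {hit['text']}")
    print("summary:", summarize(results))
```

Run it against a real export by replacing SAMPLE_LOG with the contents of your firewall, proxy, or NetFlow logs. Note that a DROP line still counts as a hit: inbound connection attempts from the listed addresses are worth recording even when they were blocked, because they show the instance was being targeted.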
Frequently Asked Questions
What is Oracle PeopleSoft?
PeopleSoft is an enterprise software suite used by large organizations to manage human resources, payroll, finance, supply chain, and student administration. Oracle acquired it in 2005.
Who is ShinyHunters?
ShinyHunters is an extortion gang that steals data from organizations and threatens to publish it unless paid. The group has been active for several years and has targeted companies across multiple sectors.
What is a gadget chain vulnerability?
A gadget chain combines multiple vulnerabilities in sequence to achieve unauthorized access. Attackers link smaller flaws together, using the output of one exploit as input for the next.
Is my organization at risk?
If you run Oracle PeopleSoft, either on-premises or in the cloud, you may be vulnerable. Attack success depends on instance configuration, so auditing your setup is critical.
Has Oracle released a patch for this vulnerability?
Oracle has not publicly disclosed information about these attacks or confirmed whether a zero-day is being exploited. No specific patch has been announced as of this report.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer