
ShinyHunters Exploits Oracle PeopleSoft Zero-Day, Targets 100+ Schools

Huma Shazia | 12 June 2026 at 9:12 am | 5 min read

Key Takeaways

  • ShinyHunters exploited an Oracle PeopleSoft zero-day between May 27 and June 9, before any patch existed
  • 68% of the 100+ targeted organizations were U.S. higher education institutions
  • Attackers used disguised MeshCentral agents to run administrative commands on compromised systems

Google's cybersecurity arm Mandiant and the Google Threat Intelligence Group have identified ShinyHunters, a known extortion-focused hacking group, as the force behind a recent campaign targeting Oracle's PeopleSoft enterprise software. The attacks ran from May 27 to June 9. They hit more than 100 organizations, most of them American universities.

The timing made this especially dangerous. Oracle did not issue a security advisory until June 10, meaning the attackers exploited the vulnerability as a zero-day. There was no patch. No fix. Just open access to enterprise systems managing payroll, HR records, and student data.

68% of targeted organizations in this campaign were in the U.S. higher education sector

What Is PeopleSoft and Why Does It Matter?

PeopleSoft is an enterprise resource planning (ERP) suite that organizations use to manage core business functions: human resources, finance, and supply chain operations. For universities, that means student records, payroll systems, financial aid data, and more. A breach here is not just an IT problem. It's a data catastrophe.

Google said it notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. The majority were based in the U.S., and the higher education sector bore the brunt.

[Image: Google's Mandiant unit identified ShinyHunters as the threat actor behind the PeopleSoft exploitation campaign]

How the Attack Worked

The attackers targeted the PeopleSoft Environment Management Hub (PSEMHUB), a management component that, when misconfigured, can be exposed to the public internet. Researchers found the hackers hosted customized MeshCentral agents disguised as legitimate cloud endpoints. These agents allowed them to run administrative command queries on victim systems.

The vulnerability allowed unauthenticated remote code execution. In plain terms: attackers could run commands on your system without logging in. They didn't need credentials. They just needed to find an exposed endpoint.

The campaign underscores a persistent trend: threat actors are aggressively weaponizing misconfigured enterprise software management components to gain high-privilege access.

— Senior Security Analyst, Google Threat Intelligence Group

ShinyHunters: A Growing Threat

ShinyHunters is not a new name in cybersecurity circles. The group has a history of targeting global companies for extortion, stealing data and demanding payment to prevent its release. Their playbook is simple: find a vulnerability, exfiltrate sensitive data, then contact the victim with demands.

Last month, the group struck a deal with Instructure, the parent company of the popular education tool Canvas, to secure stolen student and school data. The education sector, with its troves of personal information and often limited security budgets, has become a prime target.

  • May 27: ShinyHunters begins active scanning and exploitation of PeopleSoft instances
  • June 9: Campaign activity ends after hitting 100+ organizations
  • June 10: Oracle issues security advisory and patch for the vulnerability

The Security Community Responds

Discussion on r/netsec and Hacker News has focused on Oracle's role in this breach. Many IT administrators have criticized the company for shipping powerful management tools with default configurations that are easily exposed to the public internet. The PSEMHUB component, they argue, should never have been so easy to misconfigure.

Concerns are also high about the sensitivity of the stolen data. University student records contain Social Security numbers, financial aid information, grades, and personal contact details. In the wrong hands, this data can fuel identity theft for years.

What Organizations Should Do Now

If your organization runs PeopleSoft, apply Oracle's June 10 patch immediately. Check whether your PSEMHUB endpoints are exposed to the internet. They shouldn't be. Review access logs for unusual administrative queries between late May and mid-June.

  • Apply Oracle's latest security patches without delay
  • Audit network configurations to ensure management endpoints are not publicly accessible
  • Review access logs for the May 27 to June 9 window
  • Implement network segmentation to limit lateral movement
  • Consider endpoint detection tools that flag disguised agents like MeshCentral
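
One way to carry out the log-review step above, as an added example that is not from the article, Oracle, or Google: it filters web access logs for requests to the hub from non-internal addresses inside the campaign window. Assumptions: logs are in Common/Combined Log Format, the hub is served under a /PSEMHUB path, RFC 1918 and loopback ranges count as internal, and the year is passed in by the caller; the sample lines are constructed.

```python
import ipaddress
import re
from datetime import date, datetime

# Assumptions (not from the article): Common/Combined Log Format input,
# hub served under a /PSEMHUB path, RFC 1918 + loopback treated as internal.
HUB_PREFIX = "/psemhub"
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def external_hub_hits(lines, year, start=(5, 27), end=(6, 9)):
    """Return (ip, timestamp, method, path, status) for each request to the
    hub path from a non-internal client inside the campaign window."""
    first, last = date(year, *start), date(year, *end)
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected log format
        try:
            ip = ipaddress.ip_address(m["ip"])
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            continue  # unparseable client address or timestamp
        in_window = first <= ts.date() <= last
        on_hub = m["path"].lower().startswith(HUB_PREFIX)
        internal = any(ip in net for net in INTERNAL)
        if in_window and on_hub and not internal:
            hits.append((str(ip), ts.isoformat(), m["method"], m["path"], int(m["status"])))
    return hits

# Constructed sample lines (documentation address ranges, year assumed).
SAMPLE = [
    '10.0.4.12 - - [28/May/2026:02:11:09 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '203.0.113.45 - - [28/May/2026:03:14:55 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 1380',
    '198.51.100.7 - - [12/Jun/2026:09:00:01 +0000] "GET /PSEMHUB/hub HTTP/1.1" 403 199',
    '203.0.113.45 - - [01/Jun/2026:10:22:31 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for hit in external_hub_hits(SAMPLE, 2026):
        print(hit)
```

Any hit is also evidence that the management endpoint was reachable from outside the network, which the audit step in the list should close off regardless of whether the request succeeded.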

Frequently Asked Questions

What is the Oracle PeopleSoft vulnerability being exploited?

The vulnerability exists in the PeopleSoft Environment Management Hub (PSEMHUB) and allows unauthenticated remote code execution. Attackers can run commands on affected systems without any login credentials.

Who is ShinyHunters?

ShinyHunters is a hacking group known for data theft and extortion. They target organizations globally, steal sensitive data, and demand payment to prevent its public release. They recently targeted Instructure, the parent company of Canvas.

Why are universities being targeted?

Universities store large volumes of sensitive personal data, including Social Security numbers and financial information. Many have limited cybersecurity budgets compared to corporations, making them attractive targets for extortion.

Has Oracle released a patch for this vulnerability?

Yes. Oracle issued a security advisory and patch on June 10, 2024. Organizations running PeopleSoft should apply it immediately.

How can organizations check if they were affected?

Review access logs for administrative queries between May 27 and June 9. Check for unusual MeshCentral agent activity or connections to unfamiliar cloud endpoints. Contact Google's Mandiant team if you suspect compromise.

Source: Tech-Economic Times / ET
