ShinyHunters gang targets Oracle PeopleSoft servers in massive data theft campaign

Oracle PeopleSoft servers are under attack from the ShinyHunters extortion gang, which claims to have stolen data from more than 100 organizations in a widespread campaign targeting the popular enterprise software suite.

The attacks highlight growing security concerns around enterprise resource planning software that manages critical business operations for large organizations. PeopleSoft handles sensitive data including human resources, payroll, finance, and student administration systems for major institutions worldwide.

BleepingComputer reported that both cloud and on-premises Oracle PeopleSoft customer instances are being targeted in ongoing data theft attacks. The ShinyHunters gang confirmed their involvement and claims to have compromised data from 300 instances across more than 100 organizations.

The threat actors say they’re using a “gadget chain” combining old and zero-day vulnerabilities to conduct the attacks. However, they noted their methods don’t work on all systems, suggesting exploitation success depends on specific instance configurations. Oracle has not yet responded to requests for comment about whether a PeopleSoft zero-day vulnerability is being exploited.

Educational institutions appear to be the primary targets. The gang claims most affected organizations are in the education sector, with many having been previously extorted by the same group. Nottingham University has been confirmed as a victim, with its data already published on ShinyHunters’ data leak site. The university has acknowledged suffering a cybersecurity incident.

The campaign’s scope suggests this could be one of the largest coordinated attacks on enterprise software infrastructure this year. With educational institutions holding vast amounts of personal data on students and staff, as well as financial information, the potential impact on affected organizations is substantial.

Cybersecurity researcher “Michael R” discovered several exposed online directories containing tools related to the attacks. The findings revealed staging materials including MeshCentral agents and scripts designed for defacement and credential spraying attacks.

Key indicators of compromise include these IP addresses:

  • 142.11.200[.]186-190
  • 108.174.202[.]99
  • 176.120.22[.]24

Some of these servers used TLS certificates with the common name “azurenetfiles[.]net” – a domain previously linked to the ShinyHunters gang. Analysis of exposed .bash_history files revealed attack scripts designed to create ransom notes named “README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT” on breached PeopleSoft servers.

The attack scripts show sophisticated targeting methods. They parse /etc/hosts files to identify PeopleSoft-related systems and attempt SSH connections using common administrative accounts like ‘psoft’, ‘oracle’, and ‘linuxadm’. If password authentication fails, the scripts fall back to SSH key-based authentication before dropping ransom notes into PeopleSoft web and application server directories.

Organizations running Oracle PeopleSoft should immediately check their logs for connections from the identified IP addresses. If any indicators are found, security teams should begin incident response procedures, investigate potential compromises, and consider temporarily removing affected servers from internet access until systems can be secured and reviewed.
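As an added illustration of the log check recommended above (example code written for this page, not part of the original report or any vendor tooling), the script below expands the defanged indicators listed earlier and flags any web-server access-log line whose client address matches one of them. It assumes the first entry denotes an inclusive last-octet range (.186 through .190), that logs are in common/combined format with the client IP as the first field, and that the sample log lines are constructed for demonstration.

```python
from __future__ import annotations
import re
from typing import Iterable

# Indicators as listed in the article; "[.]" is defanged notation.
# The first entry is assumed to be an inclusive last-octet range.
IOC_ENTRIES = [
    "142.11.200[.]186-190",
    "108.174.202[.]99",
    "176.120.22[.]24",
]

def expand_indicators(entries: Iterable[str]) -> set[str]:
    """Refang defanged IPs and expand 'a.b.c.x-y' last-octet ranges."""
    expanded = set()
    for entry in entries:
        refanged = entry.replace("[.]", ".")
        prefix, _, last = refanged.rpartition(".")
        if "-" in last:
            lo, hi = (int(x) for x in last.split("-", 1))
            for octet in range(lo, hi + 1):
                expanded.add(f"{prefix}.{octet}")
        else:
            expanded.add(refanged)
    return expanded

# Common/combined log format: the client IP is the first token on the line.
_CLIENT_IP = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s")

def find_ioc_hits(log_lines: Iterable[str], indicators: set[str]) -> list[tuple[int, str]]:
    """Return (line_number, ip) for every line whose client IP is a listed indicator."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        m = _CLIENT_IP.match(line)
        if m and m.group(1) in indicators:
            hits.append((n, m.group(1)))
    return hits

# Constructed sample access-log lines (not real traffic) from a PeopleSoft web tier.
SAMPLE_LOG = [
    '10.0.0.15 - - [01/Jan/2025:10:00:01 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '142.11.200.188 - - [01/Jan/2025:10:02:13 +0000] "POST /psc/ps/EMPLOYEE/HRMS/ HTTP/1.1" 500 312',
    '198.51.100.7 - - [01/Jan/2025:10:03:40 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 2048',
    '176.120.22.24 - - [01/Jan/2025:10:05:02 +0000] "GET /psc/ps/ HTTP/1.1" 403 220',
]

if __name__ == "__main__":
    for n, ip in find_ioc_hits(SAMPLE_LOG, expand_indicators(IOC_ENTRIES)):
        print(f"line {n}: connection from listed indicator {ip}")
```

A hit is a trigger for the incident response steps described above, not proof of compromise on its own; correlate it with authentication logs and file-system checks on the web and application tiers.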

This attack campaign represents a significant escalation in threats against enterprise software infrastructure. As organizations increasingly rely on cloud-based and hybrid enterprise solutions, the security of these platforms becomes critical to protecting sensitive business and personal data. The education sector’s heavy reliance on PeopleSoft for student administration makes these attacks particularly concerning for institutions managing large student populations.