ShinyHunters Targets Oracle PeopleSoft in Widespread Data Theft Campaign
The notorious **ShinyHunters** extortion gang is actively targeting **Oracle PeopleSoft** servers, claiming to have compromised over 100 organizations and stolen significant data. This ongoing campaign leverages a 'gadget chain' of both old and zero-day vulnerabilities, primarily impacting the education sector and prompting urgent calls for vigilance from IT security professionals.

**Oracle PeopleSoft**, an enterprise business software suite critical for managing operations like HR, payroll, and finance, is currently under siege by the **ShinyHunters** extortion group. The gang asserts it has exfiltrated data from more than 100 organizations, impacting hundreds of **PeopleSoft** instances.
### Extortion Demands and Attack Claims
Reports indicate that **Oracle PeopleSoft** customers with both cloud and on-premises deployments have received extortion demands attributed to **ShinyHunters**. The threat actors have confirmed their involvement, claiming to have breached approximately 300 instances across more than 100 organizations.
### Exploitation of Vulnerabilities
**ShinyHunters** states that its attacks exploit a 'gadget chain' combining both previously known and zero-day vulnerabilities. However, the group notes that exploitation does not succeed consistently, suggesting it depends on specific system configurations. **Oracle** has yet to publicly comment on the exploitation of any potential zero-day vulnerabilities.
### Focus on the Education Sector
The majority of organizations impacted by these attacks appear to be within the education sector. **ShinyHunters** also claimed an initial, unsuccessful attempt to breach an **FBI** portal running **PeopleSoft** to disseminate a statement.
**Nottingham University** has been identified as a victim, with its data reportedly published on the **ShinyHunters** data leak site. The university has acknowledged suffering a cybersecurity incident.
### Indicators of Compromise (IOCs) Emerge
Cybersecurity researcher "Michael R" has uncovered several exposed online directories containing tooling linked to these attacks. These directories reveal staging materials, including **MeshCentral** agents, and scripts for system defacement and credential spraying.
**Michael R** shared the following IP addresses as **IOCs** related to the ongoing attacks:
Some of these IP addresses are associated with a TLS certificate for "azurenetfiles[.]net," a domain previously linked to the **ShinyHunters** gang.
### Attack Methodology Revealed
Analysis of `.bash_history` files found on five of the compromised servers provides insight into the attack methodology. A shell script was discovered that is designed to deploy a ransom note, "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT," on internal **PeopleSoft** servers post-breach.

The script identifies **PeopleSoft**-related systems by parsing `/etc/hosts` and attempts to establish SSH connections using common administrative accounts like 'psoft', 'oracle', and 'linuxadm'. If password authentication fails, it attempts SSH key-based authentication. Upon successful connection, the ransom note is placed in directories associated with **PeopleSoft** web and application servers.
### Urgent Recommendations for **PeopleSoft** Users
Organizations operating **Oracle PeopleSoft** instances are strongly advised to immediately review their logs for any connections originating from the aforementioned **IOCs**. If these indicators are found, prompt incident response measures should be initiated, including a thorough investigation into potential compromises and consideration of temporarily isolating affected servers from internet access until the environment can be secured and reviewed.
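The log review recommended above can be partly automated against the SSH behaviour described in the methodology section: failed logins spread across the 'psoft', 'oracle' and 'linuxadm' accounts, a public-key success after password failures, and any source on the IOC list. The following is an added example written for this page, not tooling from the report or from the researcher; the IOC address and the log lines are constructed placeholders, and the OpenSSH log format is assumed.

```python
import re
from collections import defaultdict

# Accounts the reported script tries over SSH (from the article).
TARGET_ACCOUNTS = {"psoft", "oracle", "linuxadm"}
# Constructed placeholder (TEST-NET-2); substitute the published IOC addresses.
IOC_IPS = {"198.51.100.7"}
# Matches OpenSSH "Accepted"/"Failed" lines as written to auth.log or the journal.
SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_ssh_events(lines):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in lines:
        m = SSH_RE.search(line)
        if m:
            yield m.group("result"), m.group("method"), m.group("user"), m.group("ip")

def find_suspicious(lines, min_accounts=2):
    """Flag IOC sources, sources that fail against several of the named accounts,
    and sources whose password failures are followed by a public-key success."""
    failures, successes, ioc_hits = defaultdict(set), defaultdict(set), set()
    for result, method, user, ip in parse_ssh_events(lines):
        if ip in IOC_IPS:
            ioc_hits.add(ip)
        if user not in TARGET_ACCOUNTS:
            continue
        if result == "Failed":
            failures[ip].add(user)
        else:
            successes[ip].add(method)
    spray = {ip for ip, accts in failures.items() if len(accts) >= min_accounts}
    # Password failures then a publickey success mirrors the fallback the script uses.
    fallback = {ip for ip, methods in successes.items()
                if ip in failures and "publickey" in methods}
    return {"ioc_hits": sorted(ioc_hits), "spray": sorted(spray),
            "fallback": sorted(fallback)}

# Constructed sample log lines; not taken from any real incident.
SAMPLE_LOG = [
    "Mar 10 02:14:01 psapp01 sshd[2211]: Failed password for psoft from 198.51.100.7 port 51522 ssh2",
    "Mar 10 02:14:03 psapp01 sshd[2213]: Failed password for oracle from 198.51.100.7 port 51530 ssh2",
    "Mar 10 02:14:05 psapp01 sshd[2215]: Accepted publickey for oracle from 198.51.100.7 port 51540 ssh2",
    "Mar 10 02:20:11 psapp01 sshd[2300]: Accepted password for jsmith from 10.0.0.5 port 40001 ssh2",
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))
```

Any source that appears in `fallback` deserves immediate attention, since a key-based login to a PeopleSoft service account right after password failures matches the script's behaviour rather than ordinary operator error.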