Oracle PeopleSoft servers are being targeted in an ongoing data theft campaign by the ShinyHunters gang, which claims to have stolen data from over 100 organizations.
BleepingComputer reported a large data theft attack hitting both cloud and on-site Oracle PeopleSoft customers. These customers received extortion demands signed by the ShinyHunters gang.
“The threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations,” it added.
ShinyHunters says they are using a “gadget chain” of old and new weaknesses to carry out the attacks. They also say that their attack isn’t working on every system and think the success of the attack may depend on how a system is set up.
They claim their initial goal was to breach an FBI portal running PeopleSoft to “publish a statement and set the record straight on some misinformation that has been spreading.” However, they said their attack was not successful, and they were unable to gain access to the instance.
Cybersecurity researcher “Michael R” found several exposed online directories containing tooling related to this attack.

“ShinyHunters (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments,” the researcher posted.
“Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script.”
The researcher shared a list of IP addresses as IOCs related to these attacks.
Some of these IP addresses used a TLS certificate that has a common name of “azurenetfiles[.]net,” which is a domain previously linked to the ShinyHunters extortion gang.

Source: Michael R
If you use Oracle PeopleSoft, it is highly recommended that you check your logs for any connections from the IP addresses the researcher shared to see whether you were attacked.
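The log check recommended above, as an added example that is not from the original article or the researcher: it converts defanged indicators (written with `[.]`) back to IP addresses and matches them against access-log lines as parsed addresses rather than substrings, so a longer address sharing the same prefix does not produce a false hit. The indicator values, log format and log lines are constructed placeholders from documentation address ranges; substitute the published IOC list and your own logs.

```python
import ipaddress
import re
from collections import defaultdict

# Dotted-quad candidates anywhere in a line (client field, forwarded-for field, ...).
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")

def refang(indicator):
    """Turn a defanged indicator such as 203.0.113[.]7 into an IP address object."""
    return ipaddress.ip_address(indicator.replace("[.]", ".").strip())

def find_ioc_hits(log_lines, defanged_iocs):
    """Return {ioc_ip: [(line_number, line), ...]} for lines that contain an IOC address."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = defaultdict(list)
    for number, line in enumerate(log_lines, 1):
        seen = set()
        for candidate in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # not a valid address, e.g. 999.1.1.1
            if ip in iocs and ip not in seen:
                seen.add(ip)
                hits[str(ip)].append((number, line))
    return dict(hits)

# Constructed placeholder indicators (documentation ranges), not the published IOCs.
SAMPLE_IOCS = ["203.0.113[.]7", "198.51.100[.]23"]

# Constructed access-log lines; the xff field is an assumed proxy-forwarded client address.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200 512',
    '203.0.113.70 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 1024',
    '192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "POST /login HTTP/1.1" 302 0 xff="198.51.100.23"',
    '192.0.2.11 - - [01/Jan/2025:10:02:00 +0000] "GET /health HTTP/1.1" 200 2',
]

if __name__ == "__main__":
    for ip, entries in sorted(find_ioc_hits(SAMPLE_LOG, SAMPLE_IOCS).items()):
        for number, line in entries:
            print(f"{ip} line {number}: {line}")
```

A hit on a forwarded-for field matters when PeopleSoft sits behind a load balancer or reverse proxy, because the first field then records the proxy rather than the real client.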
