Google's cybersecurity team, along with Mandiant, has reported a significant extortion campaign linked to the hacking group ShinyHunters, specifically targeting Oracle's PeopleSoft software. This campaign occurred between May 27 and June 9, 2023, and has raised alarms due to its implications for the education sector.
What is PeopleSoft?
PeopleSoft is an enterprise resource planning (ERP) suite utilized by organizations to streamline core business functions, including:
- Human resources
- Finance
- Supply chain operations
Details of the Attack
During the identified period, Google observed active scanning and exploitation of vulnerabilities within PeopleSoft. The attackers exploited a zero-day vulnerability, meaning Oracle had not yet released a security patch at the time of the attacks.
Impact on Organizations
Google notified over 100 organizations that were potentially vulnerable, with a significant number located in the United States. Notably, 68% of these organizations were part of the higher education sector, highlighting the campaign's focus on educational institutions.
Attack Methodology
The attackers employed customized MeshCentral agents, which were disguised as legitimate cloud endpoints. These agents were used to execute administrative command queries, allowing the hackers to gain unauthorized access to sensitive information.
Background on ShinyHunters
ShinyHunters has a notorious reputation for targeting various global companies for extortion purposes. Recently, the group reached an agreement with Instructure, the parent company of the educational tool Canvas, to safeguard stolen student and school data.
What to Do Next
Organizations using PeopleSoft should take immediate steps to secure their systems, including:
- Reviewing security protocols
- Implementing updates as soon as they are available
- Monitoring for unusual activity
Staying informed about potential threats and vulnerabilities is crucial for maintaining cybersecurity.
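As an added example (not part of the original report), one way to act on the monitoring step is to hunt web-proxy logs for MeshCentral agent check-ins coming from PeopleSoft hosts. The `/agent.ashx` and `/meshrelay.ashx` paths are those used by a stock MeshCentral agent, so a customized build may differ; the host names, allowlist, and log format are constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Paths used by a stock MeshCentral agent; a customized build may change them.
MESH_PATHS = ("/agent.ashx", "/meshrelay.ashx")

# Assumptions: your PeopleSoft host inventory and any sanctioned MeshCentral server.
PEOPLESOFT_HOSTS = {"psft-web01", "psft-app01"}
SANCTIONED_MESH_SERVERS = {"mesh.it.example.edu"}

# Constructed sample: "<timestamp> <source host> <method> <url> <status>"
SAMPLE_LOG = """\
2023-05-28T02:14:07Z psft-app01 GET wss://storage-sync.example.net/agent.ashx 101
2023-05-28T02:14:09Z psft-app01 GET https://updates.example.com/patch/index.json 200
2023-05-28T03:40:51Z helpdesk-07 GET wss://mesh.it.example.edu/agent.ashx 101
2023-05-29T11:02:33Z psft-app01 GET wss://storage-sync.example.net/meshrelay.ashx?id=1 101
2023-05-30T00:00:00Z psft-web01 GET wss://mesh.it.example.edu/agent.ashx 101
malformed line
"""

def parse_line(line):
    """Return (timestamp, host, url parts, status), or None if unparseable."""
    fields = line.split()
    if len(fields) != 5 or not fields[4].isdigit():
        return None
    ts, host, _method, url, status = fields
    return ts, host.lower(), urlsplit(url), int(status)

def find_mesh_checkins(log_text, servers=PEOPLESOFT_HOSTS,
                       sanctioned=SANCTIONED_MESH_SERVERS):
    """Group MeshCentral-style requests from ERP hosts to unsanctioned servers."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                "upgraded": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, url, status = rec
        dest = (url.hostname or "").lower()
        if host not in servers or dest in sanctioned:
            continue
        if not url.path.lower().endswith(MESH_PATHS):
            continue
        hit = hits[(host, dest)]
        hit["count"] += 1
        hit["first"] = hit["first"] or ts
        hit["last"] = ts
        hit["upgraded"] |= status == 101  # 101 = WebSocket upgrade succeeded
    return dict(hits)

if __name__ == "__main__":
    for (host, dest), hit in find_mesh_checkins(SAMPLE_LOG).items():
        print(f"{host} -> {dest}: {hit}")
```

A hit with `upgraded` set means the proxy saw a completed WebSocket handshake, so the session was established rather than just attempted.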