Oracle PeopleSoft servers are being targeted in ongoing data theft attacks by the ShinyHunters extortion gang, which claims to have stolen data from over 100 organizations.
PeopleSoft is an enterprise business software suite used by large organizations to manage business operations such as human resources, payroll, finance, supply chain management, procurement, and student administration.
Yesterday, BleepingComputer learned of widespread data theft attacks targeting both cloud and on-premises Oracle PeopleSoft customer instances. These customers were receiving extortion demands signed by the ShinyHunters extortion gang.
Today, the threat actor confirmed to BleepingComputer that they were behind the attacks, claiming to have stolen data from 300 instances across more than 100 organizations.
ShinyHunters says they are using a "gadget chain" of old and zero-day vulnerabilities to conduct the attacks. However, they state that their attack is not working on all systems and believe that exploitation success may depend on how an instance is configured.
BleepingComputer contacted Oracle this morning to ask whether it is aware of an Oracle PeopleSoft zero-day being exploited in data theft attacks, but had not received a reply at this time.
According to the threat actor, most of the organizations impacted by these attacks are in the education sector, with many previously extorted by the threat actor.
They claim their initial goal was to breach an FBI portal running PeopleSoft to "publish a statement and set the record straight on some misinformation that has been spreading." However, they said their attack was not successful, and they were unable to gain access to the instance.
The threat actor told BleepingComputer that Nottingham University is a victim of these attacks, and that its data has already been published on the ShinyHunters data leak site. The University also released a statement today, acknowledging that it suffered a cybersecurity incident.
While Oracle has not publicly disclosed any information about these attacks, cybersecurity researcher "Michael R" found several exposed online directories containing tooling related to this attack.
"ShinyHunters, (or a group impersonating them) exposed several directories revealing ongoing targeting of PeopleSoft (Enterprise Resource Planning software) environments," the researcher posted.
"Also visible were staging materials, including MeshCentral agents, and a defacement and credential spray script."
The researcher shared the following IP addresses as IOCs related to these attacks:
Some of these IP addresses used a TLS certificate that has a common name of "azurenetfiles[.]net," which is a domain previously linked to the ShinyHunters extortion gang.
Five of the servers exposed a .bash_history file that gave some insight into the attacks, including a shell script designed to create a ransom note named "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" on an internal PeopleSoft server after it is breached.
[Image: ShinyHunters script. Source: Michael R]
The script parses /etc/hosts to identify PeopleSoft-related systems and attempts to connect to them over SSH using common PeopleSoft and Oracle administrative accounts such as 'psoft', 'oracle', and 'linuxadm'.
If password authentication fails, the script attempts to use SSH key-based authentication as a fallback.
Once connected, the script drops the ransom note into directories associated with PeopleSoft web and application servers.
If you are running Oracle PeopleSoft, it is strongly advised that you analyze logs for any connections from the above IP addresses to determine whether you were targeted in these attacks.
If these IOCs are found, organizations should immediately begin incident response, investigate whether their PeopleSoft instance was compromised, and consider temporarily removing affected servers from internet access until the environment can be secured and reviewed.
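The SSH behaviour described above (password attempts against 'psoft', 'oracle' and 'linuxadm', then a key-based fallback) and the log review recommended here can be turned into a simple triage check. The following is an added example, not code from the article or the researcher; the auth.log lines are constructed, and the IOC list is a placeholder to be replaced with the published IP addresses.

```python
import re
from collections import defaultdict

# Constructed sshd log lines (not from the article) modelling the pattern
# described: one source sprays the PeopleSoft/Oracle admin accounts over SSH,
# fails on passwords, then succeeds with a key. The 10.0.0.5 login is benign.
SAMPLE_AUTH_LOG = """\
Mar 10 02:14:01 psweb01 sshd[4121]: Failed password for psoft from 203.0.113.7 port 51234 ssh2
Mar 10 02:14:03 psweb01 sshd[4122]: Failed password for oracle from 203.0.113.7 port 51236 ssh2
Mar 10 02:14:05 psweb01 sshd[4123]: Failed password for invalid user linuxadm from 203.0.113.7 port 51238 ssh2
Mar 10 02:14:09 psweb01 sshd[4124]: Accepted publickey for oracle from 203.0.113.7 port 51240 ssh2: RSA SHA256:placeholder
Mar 10 08:00:12 psweb01 sshd[5001]: Accepted password for psoft from 10.0.0.5 port 40000 ssh2
"""

ADMIN_ACCOUNTS = {"psoft", "oracle", "linuxadm"}   # accounts named in the article
KNOWN_BAD_IPS = {"203.0.113.7"}                      # PLACEHOLDER: use the researcher's IOC list

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_sshd(log_text):
    """Extract (result, method, user, ip) from standard OpenSSH auth lines."""
    return [m.groupdict() for line in log_text.splitlines() if (m := LINE_RE.search(line))]

def find_spray_sources(events, min_accounts=2):
    """Source IPs with failed password logins against >= min_accounts admin accounts."""
    failed = defaultdict(set)
    for e in events:
        if e["result"] == "Failed" and e["user"] in ADMIN_ACCOUNTS:
            failed[e["ip"]].add(e["user"])
    return {ip: sorted(users) for ip, users in failed.items() if len(users) >= min_accounts}

def find_key_fallback_success(events, spray_sources):
    """Accepted publickey logins from an IP that was spraying: the fallback the script uses."""
    return [(e["ip"], e["user"]) for e in events
            if e["result"] == "Accepted" and e["method"] == "publickey" and e["ip"] in spray_sources]

def ioc_hits(events):
    """Any SSH activity at all from the listed IOC addresses, failed or not."""
    return sorted({e["ip"] for e in events if e["ip"] in KNOWN_BAD_IPS})

if __name__ == "__main__":
    ev = parse_sshd(SAMPLE_AUTH_LOG)
    spray = find_spray_sources(ev)
    print("spray sources:", spray)
    print("key fallback successes:", find_key_fallback_success(ev, spray))
    print("IOC hits:", ioc_hits(ev))
```

Run it against the real auth logs of the PeopleSoft web and application hosts; a key-based success from a spraying address is the strongest signal that the host should be treated as compromised.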
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
<small>Source: Bleeping Computer</small>