The cybercrime group ShinyHunters has claimed responsibility for a wave of data theft attacks targeting Oracle PeopleSoft servers at more than 100 organisations, the majority of them universities. The group told BleepingComputer that it compromised approximately 300 PeopleSoft instances using a combination of old and zero-day vulnerabilities, though it noted that exploitation success appears to depend on how individual systems are configured.
PeopleSoft is Oracle’s enterprise software suite used by large organisations to manage human resources, payroll, finance, student administration and other operations. According to extortion messages sent to victims and reviewed by BleepingComputer, the stolen data includes student and applicant records containing home addresses, phone numbers, email addresses and dates of birth, along with financial aid, immigration, health and administrative data.
Nottingham University in the UK is among the confirmed victims. The university issued a statement acknowledging a cybersecurity incident and ShinyHunters published its data on the group’s leak site. Multiple other universities have reportedly received extortion demands signed by the group.
The group’s original objective was to breach an FBI portal running PeopleSoft in order to post a public statement denying ShinyHunters’ involvement in a wave of fake emergency call attempts flagged by the FBI last month, but that attempt failed.
Cybersecurity researcher Michael R found several exposed online directories containing links to the attacks, including staging materials, a credential spray script and MeshCentral agents. A shell script found in exposed .bash_history files was designed to drop a ransom note titled ‘README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT’ on compromised PeopleSoft servers after the breach, using common Oracle administrative accounts such as ‘psoft’, ‘oracle’ and ‘linuxadm’ to connect via SSH.
Organisations running Oracle PeopleSoft should immediately check their logs for connections from the following IP addresses, which researchers have identified as indicators of compromise linked to these attacks:
142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, 142.11.200.190, 108.174.202.99, 176.120.22.24
If any of these addresses appear in logs, the incident should be reported immediately and the affected servers should be temporarily removed from internet access while the environment is investigated and secured.
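The following script is an added example, not part of the article or any vendor tool, showing how a defender could run the check described above: it scans log lines for the seven indicator IP addresses, flags accepted SSH logins to the administrative accounts named in the report (‘psoft’, ‘oracle’, ‘linuxadm’) so they can be reviewed, and checks a list of file paths for the ransom note file name. The log lines, hostnames, dates and internal addresses in it are constructed samples; only the IPs, account names and ransom note title come from the article.

```python
"""Triage helper for the PeopleSoft indicators described in the article.

Added example. The sample log lines below are constructed, not real data;
the indicator IPs, account names and ransom-note file name are the ones
quoted in the report.
"""
import os
import re
from collections import Counter

# Indicator IP addresses published with the report.
IOC_IPS = {
    "142.11.200.186", "142.11.200.187", "142.11.200.188", "142.11.200.189",
    "142.11.200.190", "108.174.202.99", "176.120.22.24",
}
# Administrative accounts the ransom-note script reportedly used over SSH.
WATCHED_ACCOUNTS = {"psoft", "oracle", "linuxadm"}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# Any dotted-quad in a line (web access logs, sshd, firewall exports, ...).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# OpenSSH auth-log format: "Accepted password for psoft from 1.2.3.4 port 5 ssh2".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) "
    r"from ((?:\d{1,3}\.){3}\d{1,3}) port (\d+)"
)

# Constructed sample lines: a mix of sshd auth entries and web access-log entries.
SAMPLE_LOG_LINES = [
    "Mar  3 02:14:07 psapp01 sshd[4121]: Accepted password for psoft from 142.11.200.188 port 51234 ssh2",
    "Mar  3 02:15:11 psapp01 sshd[4130]: Failed password for linuxadm from 176.120.22.24 port 51240 ssh2",
    "Mar  3 02:20:00 psapp01 sshd[4150]: Accepted publickey for deploy from 10.0.4.12 port 40000 ssh2",
    '108.174.202.99 - - [03/Mar/2026:02:10:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    '10.0.4.55 - - [03/Mar/2026:02:11:00 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5120',
    "Mar  3 02:30:00 psapp01 sshd[4200]: Accepted publickey for oracle from 10.0.4.12 port 40010 ssh2",
]


def scan_lines(lines):
    """Return one finding dict per indicator match.

    kind == "ioc_ip": the line contains one of the published indicator IPs
        (a reportable hit regardless of what the line records).
    kind == "admin_ssh_login": an accepted SSH login to one of the watched
        administrative accounts; not an indicator by itself, but worth
        reviewing alongside the IP hits.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        hit_ips = set(IPV4_RE.findall(line)) & IOC_IPS
        if hit_ips:
            findings.append({"line": lineno, "kind": "ioc_ip",
                             "ips": sorted(hit_ips), "text": line.strip()})
        m = SSHD_RE.search(line)
        if m and m.group(1) == "Accepted" and m.group(3) in WATCHED_ACCOUNTS:
            findings.append({"line": lineno, "kind": "admin_ssh_login",
                             "user": m.group(3), "ip": m.group(4),
                             "text": line.strip()})
    return findings


def find_ransom_notes(paths):
    """Given file paths (e.g. collected with os.walk or `find`), return those
    whose file name matches the ransom note dropped by the attackers' script."""
    return [p for p in paths if os.path.basename(p) == RANSOM_NOTE]


def summarise(findings):
    """Count findings by kind, for a quick first look before deeper triage."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    results = scan_lines(SAMPLE_LOG_LINES)
    for f in results:
        print(f"line {f['line']:>3} {f['kind']:<16} {f['text']}")
    print(dict(summarise(results)))
```

Feed real data by replacing `SAMPLE_LOG_LINES` with the lines of the web server, SSH and firewall logs for the PeopleSoft hosts; any `ioc_ip` finding is the condition under which the article advises reporting the incident and isolating the server, while `admin_ssh_login` entries from unexpected sources are the leads to chase during the investigation.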