{"id":8468,"date":"2026-06-12T09:05:14","date_gmt":"2026-06-12T09:05:14","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8468"},"modified":"2026-06-12T09:05:14","modified_gmt":"2026-06-12T09:05:14","slug":"oracle-peoplesoft-zero%e2%80%91day-fuels-shinyhunters-extortion-spree","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8468","title":{"rendered":"Oracle PeopleSoft zero\u2011day fuels ShinyHunters extortion spree"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A newly disclosed Oracle PeopleSoft zero-day became the weapon of choice in a recent ShinyHunters extortion campaign that primarily targeted universities and other educational institutes.<\/p>\n<p>Attackers exploited the critical remote code execution (RCE) flaw in PeopleSoft\u2019s Environment Management component that Oracle started warning customers about on June 10, 2026. In an <a href=\"https:\/\/www.oracle.com\/security-alerts\/alert-cve-2026-35273.html\" target=\"_blank\" rel=\"noopener\">advisory<\/a>, the company urged immediate patching with no indication that the flaw is being actively exploited.<\/p>\n<p>Google Cloud\u2019s threat intelligence team (GTIG) said the attack unfolded between May 27 and June 9, before Oracle publicly acknowledged the issue. 
Google said it notified more than 100 organizations whose internet-facing systems appeared potentially exposed, with 68% of identified targets belonging to the higher education sector.<\/p>\n<p>\u201cWhile several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS (Data Leak Site),\u201d GTIG said in a blog <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/shinyhunters-targets-education-sector-oracle-exploit\" target=\"_blank\" rel=\"noopener\">post<\/a>.<\/p>\n<p>Oracle did not immediately respond to CSO\u2019s request for comments.<\/p>\n<p>ShinyHunters, or groups trying to use their name, reportedly posted downloadable evidence of the attack on their DLS on June 9. The post claimed compromised data included \u201cover 40 GB of billing and payment records, credit card and payment details, student finance data, and campus portal exports.\u201d<\/p>\n<p>In a follow-up post on June 11, the attackers threatened to leak the data if the victims they had contacted did not respond within \u201cthe deadline.\u201d<\/p>\n<p>James Davison, chief strategy officer at Pathlock, said the incident reflects an evolving threat landscape. 
\u201cThe Oracle PeopleSoft breach is an example of the new kind of attacks every ERP will face in today\u2019s new agentic world,\u201d he said, pointing to the ease of attacks in the AI era.\u00a0\u201cCompanies need to reassess their ERP security and controls and adapt, because they are exposed.\u201d<\/p>\n<h2 class=\"wp-block-heading\">PeopleSoft flaw gave attackers a head start<\/h2>\n<p>The campaign relied on <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-35273\" target=\"_blank\" rel=\"noopener\">CVE-2026-35273<\/a>, a critical vulnerability in Oracle PeopleSoft\u2019s Environment Management component, carrying a CVSS score of 9.8 out of 10, that allows unauthenticated RCE on vulnerable internet-facing systems.<\/p>\n<p>According to Oracle\u2019s advisory, the vulnerability affects PeopleSoft Enterprise PeopleTools versions 8.61 and 8.62, and mitigations are only available for supported versions. Customers running earlier versions, which could also be affected by the flaw, were advised to upgrade to a supported version.<\/p>\n<p>After exploiting CVE-2026-35273 to gain initial access, the attacker moved to establish persistence and maintain remote control over compromised systems. Google researchers observed UNC6240, a cluster associated with ShinyHunters, deploying a customized version of the MeshCentral open-source remote monitoring and management (RMM) platform. They did so by disguising the platform as legitimate Microsoft Azure services.<\/p>\n<p>\u201c(MeshCentral) agent is software that runs on remote devices to allow for remote management across various operating systems, including Windows, Linux, macOS, and FreeBSD,\u201d the researchers said. 
\u201cStatic analysis indicates these agents were hardcoded to establish communication with the command and control (C2) server wss:\/\/azurenetfiles.net:443\/agent.ashx.\u201d<\/p>\n<p>Once installed, the tool allowed operators to execute commands remotely and continue interacting with infected environments.<\/p>\n<h2 class=\"wp-block-heading\">Attackers left the lights on<\/h2>\n<p>Google\u2019s investigation was aided in part by operational mistakes made by the attackers themselves. The campaign first drew broader attention after a security researcher, known on X as @nahamike01, reported discovering internet-exposed infrastructure from the operation.<\/p>\n<p>\u201cShinyHunters exposed several directories revealing ongoing targeting of PeopleSoft environments,\u201d the researcher said in an X <a href=\"https:\/\/x.com\/nahamike01\/status\/2064529246178210220?s=46&amp;t=DT1t7WC3zIgctMHBQDruCQ\">post<\/a>. \u201cAlso visible were staging materials, including MeshCentral agents, and a defacement and credential spray script.\u201d<\/p>\n<p>Google said the exposed attacker directories highlighted by @nahamike01 helped its team analyse their contents, including staging materials, customized agents, and attacker command histories. The directories were exposed across five sequential IP addresses (142.11.200[.]186-190), making them the primary indicators of compromise (IOCs).<\/p>\n<p>Google urged organizations to apply <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/shinyhunters-targets-education-sector-oracle-exploit#:~:text=post.-,Remediation%20and%20Hardening%20Quick,to%20untrusted%20external%20destinations.,-Threat\">fixes<\/a> for CVE-2026-35273 and review PeopleSoft deployments for indicators associated with the campaign. 
The researchers further advised organizations to investigate privileged access, enable comprehensive logging, and strengthen monitoring around unauthorized MeshCentral installations.<\/p>\n<p>\u201cThis attack shows that traditional perimeter security and IdP-level authentication are necessary, but not sufficient,\u201d Davison said. \u201cModern ERP security requires a layered approach that combines preventive controls, continuous monitoring, and visibility into user activity. The visibility into user activity is key here, behavioral monitoring to spot exceptions isn\u2019t a \u2018nice to have\u2019 anymore.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A newly disclosed Oracle PeopleSoft zero-day became the weapon of choice in a recent ShinyHunters extortion campaign that primarily targeted universities and other educational institutes. Attackers exploited the critical remote code execution (RCE) flaw in PeopleSoft\u2019s Environment Management component that Oracle started warning customers about on June 10, 2026. 
In an advisory, the company urged [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8469,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8468","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8468"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8468"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8468\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8469"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8468"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8468"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8468"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}