Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks

Key Points:

• Ongoing data theft attacks by the ShinyHunters extortion gang are targeting Oracle PeopleSoft servers, claiming to have compromised over 300 instances across 100 organizations.
• The attacks primarily affect the education sector, with Nottingham University confirmed as a victim. The threat actor uses a combination of old and zero-day vulnerabilities, and has published stolen data online.
• Organizations using Oracle PeopleSoft should analyze logs for connections from specific IP addresses linked to these attacks, initiate incident response if targeted, and consider temporarily removing affected servers from internet access.

Technical Details: The ShinyHunters gang exploits vulnerabilities in Oracle PeopleSoft software, utilizing a shell script that creates ransom notes on compromised servers. Specific IP addresses related to these attacks include those using the domain "azurenetfiles[.]net."

MITRE ATT&CK Techniques:

• T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell (Execution)
• T1046 - Network Service Scanning (Discovery)

IOCs Mentioned:

• IP addresses associated with the domain "azurenetfiles[.]net"