1. Executive summary
The ShinyHunters extortion group claims to have compromised over 100 organizations by exploiting a "gadget chain" of legacy and zero-day vulnerabilities in Oracle PeopleSoft environments. The campaign targets both cloud and on-premises instances, with confirmed impacts in the education sector (e.g., Nottingham University) and potential exposure for financial services entities utilizing PeopleSoft for HR, payroll, or supply chain functions. While no specific CVE has been publicly disclosed by Oracle at this time, the attack vector involves unauthorized access to internal servers, lateral movement via SSH, and deployment of ransom notes. EMEA financial institutions must immediately audit PeopleSoft exposure and monitor for specific network indicators associated with the threat actor's infrastructure.
2. Regulatory framing
| Regulation | Article | Practical Impact for EMEA Financial Services |
|---|---|---|
| DORA | Art. 17 | Incident Classification: Institutions must assess if unauthorized data access via PeopleSoft constitutes a "major" ICT-related incident based on data sensitivity (HR/Payroll/Finance) and number of users affected. |
| DORA | Art. 19 | Reporting: If classified as major, initial notification to the competent authority is required within 24 hours of determination. This advisory supports the "nature of the incident" and "potential impact" fields. |
| DORA | Art. 28-30 | Testing & Third-Party: Validates the need for advanced threat-led penetration testing (TLPT) on legacy ERP systems and rigorous oversight of Oracle cloud/on-prem configuration gaps. |
| NIS2 | Art. 21(2)(d) | Incident Handling: Mandates immediate measures to prevent further spread (containment) and eradicate the threat, specifically addressing the SSH lateral movement described. |
| NIS2 | Art. 23 | Supply Chain Security: Requires entities to assess risks introduced by third-party software (Oracle PeopleSoft) and ensure vendors (Oracle) are addressing the underlying vulnerabilities. |
3. Technical analysis & attack chain
Attack Chain (Confirmed/Claimed Steps)
- Initial Access: The threat actor utilizes an undisclosed "gadget chain" combining old and zero-day vulnerabilities specific to Oracle PeopleSoft configurations. Success appears dependent on specific instance configurations.
- Reconnaissance: Post-compromise, attackers parse `/etc/hosts` on the breached Linux-based PeopleSoft server to identify internal systems associated with PeopleSoft services.
- Lateral Movement: Attackers attempt SSH connections to identified internal hosts using hardcoded administrative usernames: `psoft`, `oracle`, and `linuxadm`.
- Authentication: The attack script attempts password authentication first; upon failure, it falls back to SSH key-based authentication using keys present on the initially compromised host.
- Impact/Defacement: Upon successful lateral movement, a shell script drops a ransom note (`README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`) into directories associated with PeopleSoft web and application servers.
- Exfiltration: The group claims data theft from over 300 instances, though technical details of the exfiltration mechanism (tooling/protocol) are not explicitly detailed in the available artifacts beyond the presence of staging materials.
Technical Specifics
- Target Product: Oracle PeopleSoft (Enterprise Resource Planning suite).
- Deployment: Cloud and On-premises instances.
- Staging Materials: Researchers observed exposed directories containing MeshCentral agents (remote management tool often abused for persistence/C2) and credential spraying scripts.
- File Paths/Artifacts:
  - Ransom Note Filename: `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`
  - Configuration File Parsed: `/etc/hosts`
  - Usernames targeted for SSH: `psoft`, `oracle`, `linuxadm`
- Protocols: SSH (Port 22 implied) for lateral movement; TLS for C2/Staging (see IOCs).
- Vulnerability Mechanism: Described by the actor as a "gadget chain." No specific CVE ID has been assigned or disclosed by Oracle or the researcher at the time of writing.
Uncertainty & Unconfirmed Attribution
- Zero-Day Status: Oracle has not confirmed the existence of a zero-day vulnerability. The claim relies solely on ShinyHunters' statement to BleepingComputer.
- Scope: The claim of "300 instances" is self-reported by the threat actor and unverified by independent forensic analysis.
- Attribution: While the group claims responsibility, the exposed tooling directories could theoretically be planted by an impersonator, though the consistency with previous ShinyHunters TTPs (MeshCentral usage, TLS certificate CN) suggests high confidence in attribution.
4. Mitigation & containment
P1: Immediate (Within 24 Hours)
- Network Isolation: Block inbound and outbound traffic to the identified C2/Staging IP addresses at the perimeter firewall: 142.11.200.186, 142.11.200.187, 142.11.200.188, 142.11.200.189, 142.11.200.190, 108.174.202.99, 176.120.22.24.
- Log Analysis: Query firewall, SSH, and PeopleSoft web server logs for connections to/from the above IPs. Specifically search for SSH login attempts using the usernames `psoft`, `oracle`, or `linuxadm`.
- Host Inspection: On PeopleSoft application servers, check for the existence of `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT` and inspect `.bash_history` files for unauthorized scripting activity.
- Certificate Monitoring: Inspect TLS logs for connections to hosts presenting a certificate with Common Name (CN) `azurenetfiles.net`.
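A defender-side triage script for the Log Analysis and Host Inspection steps above, added here as an example and not part of the advisory's or the researcher's tooling: it parses standard OpenSSH auth-log lines for attempts against the three targeted usernames, flags sources that sprayed several of them or that match the listed IOC addresses, and looks for the ransom note filename under a directory tree. The host name `psapp01` and the sample addresses `10.20.30.40` and `203.0.113.5` in the embedded log lines are constructed.

```python
import re
from pathlib import Path

# Usernames, staging/C2 addresses and ransom note name are the advisory's own IOCs.
TARGETED_USERS = {"psoft", "oracle", "linuxadm"}
KNOWN_IPS = {"142.11.200.186", "142.11.200.187", "142.11.200.188",
             "142.11.200.189", "142.11.200.190", "108.174.202.99", "176.120.22.24"}
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"

# Standard OpenSSH syslog shapes for failed and accepted logins. Both matter here:
# the script tries a password first, then falls back to keys found on the breached host.
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed password|Accepted (?:password|publickey)) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def triage_sshd_lines(lines):
    """Return (src_ip, user, result, known_ioc) for each attempt against a targeted user.
    Lateral movement comes from an internal host, so no source address is filtered out."""
    findings = []
    for line in lines:
        m = SSHD_RE.search(line)
        if m and m.group("user") in TARGETED_USERS:
            findings.append((m.group("ip"), m.group("user"), m.group("result"),
                             m.group("ip") in KNOWN_IPS))
    return findings

def spray_sources(findings, min_users=2):
    """Source addresses that tried at least min_users distinct targeted usernames."""
    users_by_ip = {}
    for ip, user, _result, _known in findings:
        users_by_ip.setdefault(ip, set()).add(user)
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

def find_ransom_notes(root):
    """Paths under root whose name matches the ransom note (case-insensitive, any depth)."""
    return sorted(str(p) for p in Path(root).rglob("*") if p.name.upper() == RANSOM_NOTE)

# Constructed sample lines, not from a real incident: 10.20.30.40 plays a breached
# internal PeopleSoft host moving laterally; 142.11.200.186 is a listed IOC address.
SAMPLE_LOG = [
    "Jun 10 02:14:03 psapp01 sshd[4123]: Failed password for psoft from 10.20.30.40 port 51234 ssh2",
    "Jun 10 02:14:05 psapp01 sshd[4123]: Failed password for oracle from 10.20.30.40 port 51236 ssh2",
    "Jun 10 02:14:08 psapp01 sshd[4129]: Accepted publickey for linuxadm from 10.20.30.40 port 51240 ssh2",
    "Jun 10 02:15:01 psapp01 sshd[4133]: Failed password for invalid user admin from 203.0.113.5 port 40000 ssh2",
    "Jun 10 02:16:40 psapp01 sshd[4140]: Failed password for oracle from 142.11.200.186 port 33000 ssh2",
]

if __name__ == "__main__":
    print("spray sources:", spray_sources(triage_sshd_lines(SAMPLE_LOG)))
```

On a real host, feed it the sshd lines from `/var/log/auth.log` or `/var/log/secure` (or `journalctl -u sshd`) and point `find_ransom_notes` at the PeopleSoft web and application server roots.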
P2: Short-term (Within 72 Hours)
- Credential Rotation: Force a password reset for all local and domain accounts named `psoft`, `oracle`, `linuxadm`, and any other administrative accounts used on PeopleSoft infrastructure. Revoke and regenerate SSH keys for these users.
- MeshCentral Audit: Scan the environment for unauthorized installation of MeshCentral agents. Check for running services or processes related to MeshCentral and remove them if not sanctioned.
- Configuration Review: Audit PeopleSoft instance configurations against Oracle hardening guides, focusing on components that might be susceptible to "gadget chain" exploitation (e.g., deserialization endpoints, unpatched middleware).
P3: Medium-term (Within 7 Days)
- Vendor Engagement: Monitor Oracle Security Alerts for patches addressing the reported "gadget chain." Apply patches immediately upon release.
- Access Control Review: Implement strict network segmentation for PeopleSoft servers, ensuring they cannot initiate outbound SSH connections to internal subnets unless explicitly required and whitelisted.
- Incident Response Drill: If IOCs are found, engage IR retainers to perform full forensic imaging and determine the extent of data exfiltration for DORA reporting purposes.
5. Indicators of compromise
| Type | Value | Confidence | Source |
|---|---|---|---|
| IPv4 | 142.11.200.186 | High | BleepingComputer / Researcher "Michael R" |
| IPv4 | 142.11.200.187 | High | BleepingComputer / Researcher "Michael R" |
| IPv4 | 142.11.200.188 | High | BleepingComputer / Researcher "Michael R" |
| IPv4 | 142.11.200.189 | High | BleepingComputer / Researcher "Michael R" |
| IPv4 | 142.11.200.190 | High | BleepingComputer / Researcher "Michael R" |
| IPv4 | 108.174.202.99 | High | BleepingComputer / Researcher "Michael R" |
| IPv4 | 176.120.22.24 | High | BleepingComputer / Researcher "Michael R" |
| Domain | azurenetfiles.net | Medium (TLS CN) | BleepingComputer / Researcher "Michael R" |
| Filename | README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT | High | BleepingComputer / Researcher "Michael R" |
| Username | psoft | Medium (Targeted) | BleepingComputer / Researcher "Michael R" |
| Username | oracle | Medium (Targeted) | BleepingComputer / Researcher "Michael R" |
| Username | linuxadm | Medium (Targeted) | BleepingComputer / Researcher "Michael R" |
6. Detection
YARA Rule
Note: This rule matches the ransom note filename, the TLS certificate CN of the staging hosts, and the administrative usernames hardcoded in the attack script. The usernames are only counted when they appear together, because `psoft` on its own occurs throughout a legitimate PeopleSoft installation.

```yara
rule ShinyHunters_PeopleSoft_Defacement {
    meta:
        author = "Adverse Trace"
        date = "2026-06-10"
        reference = "https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/"
        description = "Detects artifacts associated with ShinyHunters PeopleSoft attacks, including ransom note filenames and targeted administrative usernames."
    strings:
        // Ransom note dropped into PeopleSoft web/app server directories
        $fname = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" ascii
        // Administrative usernames hardcoded in the SSH spray script
        $user1 = "psoft" ascii
        $user2 = "linuxadm" ascii
        // Common Name of the TLS certificate presented by the staging/C2 hosts
        $cert_cn = "azurenetfiles.net" ascii
    condition:
        // $user1 alone would fire on most files of a PeopleSoft install,
        // so the usernames only match as the pair the spray script contains
        $fname or $cert_cn or all of ($user*)
}
```
Sigma Rule
Note: Detects SSH credential spraying against the usernames targeted by the threat actor's script. These attempts originate from an internal PeopleSoft host that has already been breached, so the rule is not restricted to external source addresses; the listed staging/C2 addresses are kept as a separate selection for escalation.

```yaml
title: ShinyHunters PeopleSoft SSH Credential Spray
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects SSH authentication attempts against the usernames targeted by the ShinyHunters PeopleSoft lateral-movement script (psoft, oracle, linuxadm). The source is typically an already-breached internal host, so no source address is excluded.
author: Adverse Trace
date: 2026/06/10
references:
  - https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/
logsource:
  product: linux
  service: sshd
detection:
  selection:
    user|contains:
      - 'psoft'
      - 'oracle'
      - 'linuxadm'
    action: 'Failed password' # Field name and value depend on the backend's sshd log mapping
  selection_known_ips: # Staging/C2 addresses from the IOC table; use "selection and selection_known_ips" in a critical-level copy of this rule
    src_ip:
      - '142.11.200.186'
      - '142.11.200.187'
      - '142.11.200.188'
      - '142.11.200.189'
      - '142.11.200.190'
      - '108.174.202.99'
      - '176.120.22.24'
  condition: selection
level: high
tags:
  - attack.lateral_movement
  - attack.t1021.004
  - attack.credential_access
  - attack.t1110
```
7. Sources
- BleepingComputer, "Oracle PeopleSoft servers hacked in ShinyHunters data theft attacks", https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/, 2026-06-10.
8. Adverse Trace position
We assess the severity of this campaign as High for organizations running Oracle PeopleSoft, particularly those with internet-facing instances or weak internal segmentation. The combination of claimed zero-day exploitation and the use of standard administrative credentials for lateral movement presents a significant risk of data exfiltration and operational disruption. While the specific vulnerability remains unpatched due to lack of vendor disclosure, the reliance on predictable username spraying (psoft, oracle) offers an immediate detection and containment opportunity. We recommend immediate network blocking of the provided IOCs and a comprehensive audit of SSH access controls within PeopleSoft environments. We will update this advisory upon Oracle's official response or the release of specific CVE details.
Published via PulseTrace — Adverse Trace threat intelligence.