Oracle Alerts Customers After Security Flaw Used in Attacks on More Than 100 Organisations
Oracle has warned customers about a critical PeopleSoft security vulnerability that hackers exploited to compromise more than 100 organisations. The flaw allowed unauthorised access and data theft before a security update was released.
Oracle has alerted its enterprise customers to a critical vulnerability affecting its PeopleSoft software, widely used by large organisations for payroll and human resources management. The warning came a day after the cybercriminal group ShinyHunters claimed responsibility for exploiting the flaw in a widespread hacking campaign.
The company issued the security advisory on Thursday following claims by ShinyHunters that it had successfully compromised more than 100 organisations operating PeopleSoft servers.
Mandiant, the cybersecurity firm owned by Google that specialises in investigating cyberattacks, said in a blog post that the newly disclosed Oracle vulnerability is the same flaw that ShinyHunters is currently exploiting in attacks targeting PeopleSoft users.
At the time of publication, Oracle had not released a security patch for the vulnerability. In its advisory, the company noted that the flaw can be exploited remotely over the internet without requiring authentication credentials such as a username or password.
Oracle urged organisations using PeopleSoft to implement the recommended mitigations outlined in its advisory to reduce the risk of exploitation.
Earlier this week, a member of the ShinyHunters group claimed that the attackers gained access to affected organisations by exploiting an unpatched vulnerability in PeopleSoft servers. The flaw is classified as a zero-day vulnerability because it was being actively exploited before Oracle had any opportunity to address or patch it.
Mandiant also confirmed that it had notified more than 100 organisations worldwide, the majority of them in the United States, to help secure systems that may be exposed to the vulnerability. According to the cybersecurity firm, roughly two-thirds of those organisations operate within the higher education sector, matching previous claims made by ShinyHunters.
“While several organisations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [Data Leak Website],” Mandiant said in its report.
The ShinyHunters member further stated this week that several of the compromised institutions include colleges and universities.
The hacker also shared what they claimed was a message sent to one of the affected educational institutions. In that message, the attackers alleged they had stolen hundreds of thousands of student records containing information such as full names, home addresses, phone numbers, email addresses, dates of birth, gender, ethnicity, enrollment status, GPA details, majors, and student identification numbers across multiple campuses, among other sensitive data.
PeopleSoft and the organisations that rely on it represent the latest targets in a growing series of cyber campaigns carried out by ShinyHunters against companies that share a common software platform or service.
Over the past year, the group has targeted organisations that use Salesforce and Gainsight, as well as software from education technology company Instructure, among other platforms.
After identifying vulnerable software and the organisations that depend on it, the attackers typically attempt to steal corporate or customer information and then pressure victims by threatening to publish the stolen data unless a ransom is paid.
Earlier this year, Instructure disclosed that it paid the hackers after its systems were compromised on two separate occasions. During that campaign, ShinyHunters also defaced the login pages of several schools that use Canvas, the company’s widely used educational information and learning platform.