Oracle warned its corporate customers on Thursday that a critical vulnerability in its PeopleSoft software, used by large organizations to manage payroll and human resources, is being actively exploited in a mass hacking campaign. The warning came one day after the cybercrime group ShinyHunters claimed to have breached more than 100 organizations by abusing the unpatched flaw.
Mandiant, the Google-owned cybersecurity firm investigating the attacks, confirmed in a blog post that the Oracle flaw is the same zero-day bug ShinyHunters is using. A zero-day is a vulnerability that is discovered and exploited before the affected company has had time to patch it. Oracle has not yet released a fix, but said in its advisory that the bug can be exploited over the internet without requiring any authentication, such as a password.
ShinyHunters targeting higher education
Mandiant said it notified more than 100 global organizations, most of them in the United States, about the vulnerability. About two-thirds of those are in higher education, which aligns with ShinyHunters’ earlier claims. A member of the group told TechCrunch on Wednesday that some victims are universities and colleges, and shared a message sent to one school claiming the hackers stole “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses.”
Mandiant wrote that while several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters data leak website.
Pattern of software supply chain attacks
PeopleSoft and its customers are the latest targets in a series of ShinyHunters campaigns that exploit shared software across multiple organizations. Over the past year, the group has targeted companies using Salesforce, Gainsight, and education technology firm Instructure. In each case, the hackers identify vulnerable software, attempt to steal corporate or customer data, and then threaten to release it unless victims pay a ransom.
Earlier this year, Instructure confirmed it paid the hackers after they breached the company’s systems twice. As part of that campaign, ShinyHunters defaced the login pages of several schools using Instructure’s popular Canvas portal.
Oracle did not respond to a request for comment. The company recommended that PeopleSoft customers apply its mitigations to prevent exploitation while a patch is developed.