"stolen data from 300 instances across more than 100 organizations," the extortion group told BleepingComputer — a blunt claim that, if true, marks a broad and active campaign against Oracle PeopleSoft environments.
Scope of the campaign and immediate claims
BleepingComputer reported yesterday that both cloud and on‑premises Oracle PeopleSoft customer instances were receiving extortion demands signed by the ShinyHunters extortion gang. Today the threat actor confirmed to BleepingComputer that they were behind the attacks and said they had stolen data from 300 instances across more than 100 organizations. The actor also told the publication that most of the organizations impacted are in the education sector and that many had been targeted by the group previously.
Targets named: PeopleSoft, education sector, and Nottingham University
PeopleSoft is identified in the reporting as an enterprise business software suite used for human resources, payroll, finance, supply chain management, procurement, and student administration. The threat actor said their campaign has focused largely on education-sector deployments. They specifically told BleepingComputer that Nottingham University is a victim and that data from that institution has already been published on the ShinyHunters data leak site. The university issued a statement acknowledging it suffered a cybersecurity incident.
Methods and tooling described by the actor and a researcher
The threat actor told BleepingComputer they are using a "gadget chain" of old and zero‑day vulnerabilities to carry out the intrusions, and they added that the attack does not work on all systems — saying exploitation success may depend on how an instance is configured. They also reported an unsuccessful attempt to breach an FBI portal running PeopleSoft, saying their goal had been to "publish a statement and set the record straight on some misinformation that has been spreading," but that the attempt failed.
Independent of the actor's claims, cybersecurity researcher "Michael R" located several exposed online directories containing tooling tied to the campaign. The researcher reported that visible materials included staging artifacts, MeshCentral agents, and a defacement and credential spray script — items the researcher linked to ongoing targeting of PeopleSoft environments.
Concrete forensic details: scripts, .bash_history, and account probes
Five exposed servers reportedly contained a .bash_history file that revealed a shell script designed to create a ransom note titled "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT" on an internal PeopleSoft server after compromise. According to the recovered script, the tool parses /etc/hosts to locate PeopleSoft-related systems and attempts to connect over SSH using common administrative accounts such as 'psoft', 'oracle', and 'linuxadm'. If password authentication fails, the script attempts SSH key‑based authentication as a fallback, then drops the ransom note into directories tied to PeopleSoft web and application servers.
Indicators of compromise and recommended immediate actions
The researcher shared the following IP addresses as indicators of compromise related to the attacks: 142.11.200[.]186, 142.11.200[.]187, 142.11.200[.]188, 142.11.200[.]189, 142.11.200[.]190, 108.174.202[.]99, and 176.120.22[.]24. Some of these IPs used a TLS certificate whose common name is "azurenetfiles[.]net," a domain the reporting links to the ShinyHunters extortion gang.
BleepingComputer advised that organizations running Oracle PeopleSoft analyze logs for any connections from those IP addresses to determine whether they were targeted. If the IOCs are present, organizations were urged to begin incident response, investigate whether their PeopleSoft instance was compromised, and consider temporarily removing affected servers from internet access until the environment can be secured and reviewed. The publication also contacted Oracle to ask whether a PeopleSoft zero‑day is being exploited, but had not received a reply at the time of reporting.
What this means for PeopleSoft administrators, security teams, and affected universities
- PeopleSoft administrators: Review /etc/hosts, SSH logs, and web/app server directories for the scripted ransom note and for brute‑force or credential spray activity against accounts like 'psoft', 'oracle', and 'linuxadm'.
- Security teams and incident responders: Hunt for the listed IPs and the "azurenetfiles[.]net" certificate name in logs, and examine exposed staging directories and MeshCentral agents identified by the researcher. If IOCs are found, isolate affected servers and begin full IR processes.
- Affected universities and education organizations: Prepare for public disclosure and extortion follow‑up; Nottingham University has already acknowledged an incident and, per the actor, had data published.
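The IOC hunt recommended above (scan logs for the seven listed IP addresses, the "azurenetfiles[.]net" certificate name, and the scripted ransom note filename) can be automated in a few lines. The following is an added example written for this page, not tooling from BleepingComputer, the researcher, or Oracle. It refangs the published indicators, matches them against arbitrary log text, and reports which line numbers hit. The log lines, hostnames and the /opt/psoft path are constructed sample input; only the indicators and the ransom note filename come from the reporting.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators exactly as published (defanged with "[.]" in the reporting).
IOC_IPS_DEFANGED = [
    "142.11.200[.]186", "142.11.200[.]187", "142.11.200[.]188",
    "142.11.200[.]189", "142.11.200[.]190", "108.174.202[.]99",
    "176.120.22[.]24",
]
IOC_TLS_CN = "azurenetfiles[.]net"
# Ransom note filename the recovered script drops on PeopleSoft servers.
RANSOM_NOTE = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"


def refang(indicator: str) -> str:
    """Turn the defanged '[.]' notation back into a real dotted value."""
    return indicator.replace("[.]", ".")


# Parse once so matching is done on address objects, not substrings
# (a substring match would also hit 1142.11.200.186 or 142.11.200.1860).
IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in IOC_IPS_DEFANGED}
IOC_CN = refang(IOC_TLS_CN)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def hunt_line(line: str) -> list[str]:
    """Return the indicators matched in one log line (empty list if none)."""
    hits = []
    for candidate in IPV4_RE.findall(line):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if addr in IOC_IPS:
            hits.append(f"ioc_ip:{addr}")
    if IOC_CN in line:
        hits.append(f"tls_cn:{IOC_CN}")
    if RANSOM_NOTE in line:
        hits.append("ransom_note")
    return hits


def hunt(lines):
    """Scan an iterable of log lines; return {indicator: [1-based line numbers]}."""
    findings = defaultdict(list)
    for n, line in enumerate(lines, 1):
        for hit in hunt_line(line):
            findings[hit].append(n)
    return dict(findings)


# Constructed sample lines (not real logs): SSH auth entries, web access log
# entries, a TLS handshake record and a file-creation audit record.
SAMPLE_LOG = [
    "Jan 10 03:12:44 psweb01 sshd[2211]: Failed password for psoft from 142.11.200.186 port 51022 ssh2",
    '142.11.200.190 - - [10/Jan/2026:03:13:01 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5123',
    '10.0.5.21 - - [10/Jan/2026:03:13:02 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 5123',
    "tls client=10.0.5.44 server=176.120.22.24 sni=azurenetfiles.net cn=azurenetfiles.net",
    "Jan 10 03:15:10 psapp02 sshd[2300]: Accepted publickey for oracle from 142.11.200.188 port 40111 ssh2",
    "Jan 10 03:15:12 psapp02 audit: created /opt/psoft/README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT",
]

if __name__ == "__main__":
    for indicator, line_numbers in sorted(hunt(SAMPLE_LOG).items()):
        print(f"{indicator}: lines {line_numbers}")
```

Pipe real SSH, web server or TLS inspection logs into `hunt()` line by line (for example `hunt(open("/var/log/auth.log"))`); any non-empty result means the IOCs are present and the isolation and incident response steps above apply. The address-object comparison matters: a plain `grep` for "142.11.200.18" would also match unrelated addresses such as 142.11.200.180.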
The public record here is concrete yet incomplete: a named extortion gang has claimed large-scale theft, researcher "Michael R" has documented exposed tooling and scripts, and a university named in the claims has confirmed an incident. Oracle had not provided a public response at the time of reporting. The claim that both old and zero‑day vulnerabilities are in play, coupled with exposed automation that searches for and propagates into PeopleSoft instances, suggests defenders should assume active targeting until their telemetry proves otherwise.
Original reporting: https://www.bleepingcomputer.com/news/security/oracle-peoplesoft-servers-hacked-in-shinyhunters-data-theft-attacks/