Oracle has warned its enterprise customers of a critical rating vulnerability in its PeopleSoft software, which is used by large companies to manage payroll and human resources, a day after a cybercrime group took credit for exploiting the flaw as part of a mass hacking campaign.
The company published the security advisory on Thursday after the ShinyHunters hacker group claimed to have breached more than 100 organizations that use PeopleSoft servers.
Mandiant, the Google-owned security unit that investigates cyberattacks, he warned in a blog post that the new Oracle flaw is the same bug exploited by the ShinyHunters group in its hacking campaign targeting PeopleSoft customers.
Oracle, which has not released a patch for the vulnerability at the time of writing, said in the advisory that the flaw can be exploited over the Internet without requiring authentication such as a password.
The tech giant advised customers using its PeopleSoft software to implement its mitigations to prevent the exploit.
On Wednesday, a ShinyHunters member told TechCrunch that the gang breached the companies by exploiting an unpatched flaw in PeopleSoft servers. The bug is known as zero-day because the affected company, in this case Oracle, did not have time to fix it before it was discovered and exploited.
Mandiant confirmed it has also notified more than “100 global organizations,” most of them in the United States, in an effort to limit access to their potentially vulnerable systems. The cybersecurity group said about two-thirds of these organizations are in higher education, which aligns with what ShinyHunters previously claimed.
“While several organizations have successfully blocked the activity or remediated the vulnerabilities, others have experienced compromises, resulting in stolen data being published on ShinyHunters [Data Leak Website],” Mandiant wrote.
Oracle did not respond to TechCrunch’s request for comment.
Contact us
Do you have more information about this hacking campaign? Or other data breaches? We would love to hear from you. From a broken device and network, Lorenzo Franceschi-Bicchierai can be reached securely on Signal at +1 917 257 1382 or via Telegram and Keybase @lorenzofb or via email.
ShinyHunters member told TechCrunch this week that some of the hacked organizations are universities and colleges.
The hacker shared a message they said was sent to one of the victims’ schools, in which the hackers claimed to have stolen “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, nationality, enrollment status, GPA, major and student ID across all campuses,” among other things.
PeopleSoft and its customers are the latest victims of a long series of hacking campaigns where the ShinyHunters gang targeted organizations that all share the same vulnerable software.
Over the past year, the group has targeted several companies that use Salesforce and Gainsight, as well as software provided by education giant Instructure, among others.
Once hackers identify vulnerable software and companies using it, they attempt to steal corporate or customer data and then threaten to release it unless victims pay a ransom.
Earlier this year, education technology company Instructure said it paid the hackers after they breached the company’s systems twice. As part of the hacking campaign, ShinyHunters defaced the login pages of several schools that use Instructure’s popular Canvas school information portal.
When you purchase through links in our articles, we may earn a small commission. This does not affect our editorial independence.
