Google’s cybersecurity divisions, including Mandiant and Google Threat Intelligence Group, have identified an active cyber campaign targeting Oracle PeopleSoft enterprise software, attributing the activity to the hacking group ShinyHunters. According to information shared by Google, the compromise and extortion operation remained active between May 27 and June 9, with attackers exploiting vulnerable systems before Oracle publicly issued a security advisory. The campaign has drawn attention due to its focus on organizations operating PeopleSoft environments, particularly within the education sector, where institutions appear to have been disproportionately affected. Researchers said the activity involved scanning for exposed systems and exploiting weaknesses that allowed unauthorized access to enterprise environments.
Oracle PeopleSoft is an enterprise resource planning suite widely used by organizations to manage important business operations, including finance, human resources, and supply chain management. Google reported that after detecting active exploitation attempts, it notified more than 100 organizations whose internet protocol addresses were linked to potentially vulnerable PeopleSoft endpoints. The majority of the affected organizations were located in the United States, with approximately 68 percent belonging to the higher education sector. Researchers believe universities and educational institutions may have become key targets because of their widespread use of enterprise software for administrative and operational functions. Google noted that the campaign appeared to involve targeted activity designed to exploit systems before organizations had an opportunity to apply protective measures or review exposures.
According to Google’s findings, attackers hosted customized MeshCentral agents disguised as legitimate cloud endpoints to support their operations. These tools reportedly enabled the execution of administrative command queries, allowing threat actors to gain deeper visibility into compromised environments and potentially maintain access for further activity. Researchers stated that because the exploitation took place before Oracle released its advisory on June 10, attackers effectively used the issue as a zero-day vulnerability, meaning no patch or official security guidance was available to affected organizations at the time the attacks occurred. The timing of the activity highlights how cybercriminal groups can capitalize on previously undisclosed software weaknesses to target organizations before defensive actions are introduced.
ShinyHunters is a hacking group known for conducting extortion-focused operations against organizations around the world and has previously been linked to multiple high-profile cyber incidents. The group has gained attention for targeting companies with the objective of obtaining sensitive information and using it to pressure victims. Last month, ShinyHunters reportedly reached an agreement with Instructure, the parent company of educational technology platform Canvas, regarding stolen student- and school-related data. The latest campaign involving Oracle PeopleSoft has increased concerns among cybersecurity professionals about risks facing educational institutions and enterprise environments that rely on widely deployed software systems. Security teams are expected to continue monitoring for signs of exploitation and reviewing potentially exposed infrastructure linked to Oracle deployments.





