HomeEverythingEducation
Equities & FundsCrypto & Digital AssetsAI & TechnologyBusiness & CorporateUS Politics & PolicyGeopolitics & Global RiskMacro, Rates & FXCommodities & EnergyEuropean Politics & MarketsAsia-PacificReal Estate & Property
Story archiveAll categories
← All Stories

Google: ShinyHunters hackers exploited Oracle PeopleSoft zero-day

Created at 12 Jun · 2:50 AM1 source↑ Market-relevant
IN SHORT

Google's Mandiant and Threat Intelligence Group identified an extortion campaign by ShinyHunters targeting Oracle's PeopleSoft software between May 27 and June 9. The hackers exploited a zero-day vulnerability, affecting over 100 organizations, primarily in higher education.

✉Newsletter

PiQ Daily

Pick your topics. Get only what matters, on your cadence.

Key Numbers

100+organizations notified of potential compromise
68%affected organizations in higher education sector
May 27 - June 9campaign timeframe

Who's Involved

ShinyHunters
hacking group targeting companies for extortion
Google Threat Intelligence Group
identified the campaign and attributed it to ShinyHunters
Mandiant
Alphabet's cybersecurity unit that identified the compromise
Oracle
vendor of PeopleSoft enterprise software
Instructure
parent company of education tool Canvas, previously targeted by ShinyHunters

↳ Why This Matters

The exploitation of a zero-day vulnerability in widely used enterprise software like Oracle's PeopleSoft poses a significant risk to organizations, particularly educational institutions, potentially leading to data breaches and extortion.

Key facts

  • Google's Mandiant and Threat Intelligence Group identified an extortion campaign by ShinyHunters targeting Oracle's PeopleSoft enterprise software.
  • The campaign exploited a zero-day vulnerability between May 27 and June 9.
  • Over 100 organizations were notified, with 68% in the higher education sector.
  • Attackers used customized MeshCentral agents to run administrative command queries.
  • ShinyHunters has previously targeted companies for extortion, including Instructure, the parent of Canvas.

Google's cybersecurity units, Mandiant and Threat Intelligence Group, have identified an active extortion campaign carried out by the hacking group ShinyHunters targeting Oracle's PeopleSoft enterprise software. The campaign, which took place between May 27 and June 9, exploited a zero-day vulnerability, meaning no patch was available at the time of the attacks.

Following the discovery of active scanning and exploitation, Google notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. A significant majority, 68%, of these organizations were in the higher education sector, primarily based in the U.S.

Researchers observed that the attackers utilized customized MeshCentral agents, disguised as legitimate cloud endpoints, to execute administrative command queries. ShinyHunters is known for targeting global companies for extortion; notably, the group recently reached a deal with Instructure, the parent company of the educational tool Canvas, to secure stolen student and school data.

Frequently asked questions

PeopleSoft is an enterprise resource planning (ERP) suite used by organizations to manage core business functions such as human resources, finance, and supply-chain operations.

A zero-day vulnerability is a flaw in software that is unknown to the vendor and for which no patch or fix is yet available, making it highly exploitable by attackers.

ShinyHunters is a known hacking group with a history of targeting global companies for extortion and data theft.

The higher education sector was most affected, accounting for 68% of the over 100 organizations notified by Google.

What Happens Next

01Organizations using Oracle PeopleSoft are advised to apply security patches once available.
02Further investigation into the extent of the compromise may be ongoing.

Get the newsletter.

Pick the topics you actually care about. We'll email when there's news worth your time, on the cadence you choose. Cancel any time from your account.

Cadence

How It Developed

Google identified an active compromise and extortion campaign targeting Oracle's PeopleSoft software.
The campaign was attributed to the hacking group ShinyHunters.
Activity occurred between May 27 and June 9.
Hackers exploited a zero-day vulnerability before Oracle issued a security advisory.
Google notified over 100 potentially vulnerable organizations, with 68% in higher education.
Attackers used customized MeshCentral agents disguised as legitimate cloud endpoints.
ShinyHunters has a history of targeting companies for extortion.

Sources

T1
Google says ShinyHunters hackers targeting education sector via Oracle exploitThe Economic Times

Related Stories

Hackers exploit AI hallucination to build botnets
8 Jul · 7:11 AM
Linux KVM vulnerability allows VM escape, root access
8 Jul · 7:05 PM
Meta to build C$13B Alberta data center, first in Canada
8 Jul · 10:16 AM
AssuranceAmerica Data Breach Exposes Millions of Driver's Licenses
8 Jul · 4:35 PM
Lawsuit: Grok user created 7K child sex images; xAI accused of obstructing probe
8 Jul · 8:05 PM