Key facts
- Google's Mandiant and Threat Intelligence Group identified an extortion campaign by ShinyHunters targeting Oracle's PeopleSoft enterprise software.
- The campaign exploited a zero-day vulnerability between May 27 and June 9.
- Over 100 organizations were notified, with 68% in the higher education sector.
- Attackers used customized MeshCentral agents to run administrative command queries.
- ShinyHunters has previously targeted companies for extortion, including Instructure, the parent of Canvas.
Google's cybersecurity units, Mandiant and Threat Intelligence Group, have identified an active extortion campaign carried out by the hacking group ShinyHunters targeting Oracle's PeopleSoft enterprise software. The campaign, which took place between May 27 and June 9, exploited a zero-day vulnerability, meaning no patch was available at the time of the attacks.
Following the discovery of active scanning and exploitation, Google notified more than 100 organizations whose IP addresses correlated with potentially vulnerable endpoints. A significant majority, 68%, of these organizations were in the higher education sector, primarily based in the U.S.
Researchers observed that the attackers utilized customized MeshCentral agents, disguised as legitimate cloud endpoints, to execute administrative command queries. ShinyHunters is known for targeting global companies for extortion; notably, the group recently reached a deal with Instructure, the parent company of the educational tool Canvas, to secure stolen student and school data.