PeopleSoft zero-day exploit leads to data theft affecting hundreds of organizations

Analysis of a bash script found in a staging environment revealed that the attackers conducted reconnaissance on affected organizations. This included mapping PeopleSoft configurations and examining process scheduler and WebLogic server XML configurations. The threat actors then established an outbound SSH connection to an IP address hosting ShinyHunters’ DLS, where the stolen data, compressed using the zstd tool, was uploaded. The DLS claimed to have recovered 48GB of data from a single victim.

ShinyHunters has been active since at least 2019, carrying out numerous hacks against large companies. Their methods include exploiting cloud misconfigurations, software vulnerabilities, stealing OAuth tokens, supply chain attacks, and social engineering tactics. Mandiant and Rapid7 are providing detailed indicators of compromise and advising PeopleSoft customers on immediate protective measures.