ShinyHunters Exploits Oracle PeopleSoft Zero-Day in Extortion Campaign

ShinyHunters Exploits Oracle PeopleSoft Security Flaw in Extortion Campaign | CyberPro Magazine

Key Takeaways:

  • ShinyHunters exploited a critical Oracle PeopleSoft security flaw for extortion.
  • The campaign primarily targeted higher education institutions globally for sensitive data.
  • Administrators must immediately apply Oracle’s emergency patches to secure systems.

Threat actor ShinyHunters exploited a critical, unauthenticated remote code execution vulnerability in Oracle PeopleSoft software to compromise global organizations and exfiltrate sensitive data between May 27 and June 9.

The vulnerability, tracked as CVE-2026-35273, carries a maximum severity score of 9.8. This Oracle PeopleSoft security flaw allowed attackers to execute malicious code on the Environment Management Hub component of PeopleTools versions 8.61 and 8.62 before Oracle issued a patch on June 10.

Google Threat Intelligence Group identified the campaign, which heavily targeted the higher education sector. Roughly 68 percent of the more than 100 notified global organizations were colleges and universities. The University of Nottingham confirmed unauthorized system activity, with reports suggesting attackers stole roughly 40 gigabytes of data, including financial and health records.

Attackers Utilize Sophisticated Staging

The threat actors established staging environments using Python servers to distribute malicious tools disguised as legitimate Microsoft Azure services. These pre-configured MeshCentral remote management agents allowed the attackers to map internal application servers by inspecting configuration files.

Lateral movement occurred via custom propagation scripts that performed automated credential spraying against internal hosts. Once inside, the group dropped extortion notes and compressed exfiltrated data before uploading it to a known ShinyHunters data leak site.

“The attackers maintained a persistent presence by masquerading as trusted infrastructure services,” according to security researchers tracking the incident. “They utilized these footholds to map internal networks and automate data exfiltration effectively.”

Urgent Security Patching Required

Oracle released an emergency advisory to address the Oracle PeopleSoft security flaw, and security experts urge all administrators to apply the updates immediately. Organizations remaining on older, unsupported versions of PeopleSoft face heightened risks of continued exploitation.

“System administrators must prioritize patching and verify that all Critical Patch Updates are fully applied,” a spokesperson for Google Threat Intelligence said. “Immediate action is necessary to prevent further unauthorized access and data theft.”

Security teams should also review network logs for indicators of compromise, including traffic to the fraudulent domain azurenetfiles.net. Blocking the identified malicious IP addresses and scanning hosts for the extortion note remain essential steps in remediating incidents linked to the Oracle PeopleSoft security flaw.
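The log review described above can be scripted. The following is an added example, not code from the article or from Google Threat Intelligence: it parses constructed proxy-log lines in a simple "timestamp client method url status" format, flags any request whose host is azurenetfiles.net or one of its subdomains, and flags requests to a list of blocked IP addresses. The only indicator taken from the page is the domain; the IP list holds a TEST-NET placeholder because the article publishes no addresses, and the log format and sample lines are invented for the demonstration. Matching is done on the parsed hostname rather than by substring search, so look-alike hosts such as notazurenetfiles.net or azurenetfiles.net.example.org are not reported.

```python
"""Flag proxy-log requests to a known-bad domain or IP (added example)."""
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Indicator named in the article: the fraudulent staging domain.
IOC_DOMAINS: Set[str] = {"azurenetfiles.net"}

# Placeholder only: the article lists no IP addresses. 192.0.2.10 is a
# TEST-NET-1 address; replace with the addresses from the vendor advisory.
IOC_IPS: Set[str] = {"192.0.2.10"}

# Constructed sample log in a squid-like format:
# <epoch> <client-ip> <method> <url> <status>
SAMPLE_LOG = """\
1749000001 10.0.5.21 GET https://login.microsoftonline.com/common/oauth2 200
1749000002 10.0.5.44 GET https://cdn.azurenetfiles.net/files/agent.msi 200
1749000003 10.0.5.44 POST https://AZURENETFILES.NET/api/upload 200
1749000004 10.0.5.90 GET https://notazurenetfiles.net/index.html 200
1749000005 10.0.5.12 GET http://192.0.2.10/update 200
1749000006 10.0.5.12 GET https://azurenetfiles.net.example.org/ 200
"""


def host_matches(host: str, ioc_domains: Set[str]) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.

    Comparing on DNS label boundaries avoids false positives on
    look-alike names that merely contain the indicator as a substring.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status}


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed records that hit an IoC domain or IP.

    Each hit carries the matched host and the reason ("domain" or "ip").
    """
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # urlsplit normalises the scheme/host split; hostname is lowercased.
        host = urlsplit(rec["url"]).hostname or ""
        if host_matches(host, IOC_DOMAINS):
            hits.append({**rec, "host": host, "reason": "domain"})
        elif host in IOC_IPS:
            hits.append({**rec, "host": host, "reason": "ip"})
    return hits


def affected_clients(hits: Iterable[Dict[str, str]]) -> Set[str]:
    """Distinct internal clients that contacted an indicator; these are
    the hosts to isolate and examine for the extortion note."""
    return {h["client"] for h in hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["ts"]} {h["client"]} -> {h["host"]} ({h["reason"]})')
    print("clients to triage:", sorted(affected_clients(found)))
```

Run against real proxy or DNS exports, adjust `parse_line` to the local log format and replace the placeholder IP set with the addresses from the advisory; the domain check works unchanged for any list of indicator domains.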
