Oracle warns of safety bug that hackers abused to breach 100+ firms

Oracle warned its corporate customers that there is a critical-rated vulnerability in its PeopleSoft software, which is used by large companies to manage payroll and human resources, a day after a cybercrime group took credit for abusing the flaw as part of a mass-hacking campaign.

The company published the security advisory on Thursday after the hacking group ShinyHunters claimed to have breached more than 100 organizations that use PeopleSoft servers.

Mandiant, the Google-owned security unit that investigates cyberattacks, warned in a blog post that the new Oracle flaw is the same bug that the ShinyHunters group is abusing in its hacking campaign targeting PeopleSoft customers. 

Oracle, which has not released a patch for the vulnerability at the time of writing, said in the advisory that the bug can be exploited over the internet without needing any authentication, such as a password. 

The tech giant recommended that customers who use PeopleSoft software apply its mitigations to prevent exploitation.

On Wednesday, a ShinyHunters member told TechCrunch that the gang compromised the companies by abusing an unpatched flaw in PeopleSoft servers. The bug is known as a zero-day because the company affected, in this case Oracle, had no time to fix it before it was discovered and exploited.

Mandiant confirmed that it has also notified more than “100 global organizations,” most of them in the United States, in an effort to restrict access to their potentially vulnerable systems. The cybersecurity group said that about two-thirds of these organizations are in higher education, which aligns with what ShinyHunters previously claimed.

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [Data Leak Website],” Mandiant wrote. 

Oracle did not respond to TechCrunch’s request for comment. 

The ShinyHunters member told TechCrunch this week that some of the hacked organizations are universities and colleges.

The hacker shared a message they said was sent to one of the victim schools, in which the hackers claimed to have stolen “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses,” among other data. 

PeopleSoft, and its customers, are the latest victims in a long series of hacking campaigns where the ShinyHunters gang targeted organizations that all share the same vulnerable software. 

In the last year, the group targeted several companies that use Salesforce and Gainsight, as well as software provided by education giant Instructure, and among others. 

Once the hackers identify vulnerable software and companies that use it, they try to steal corporate or customer data and then threaten to release it unless the victims pay a ransom. 

Earlier this year, education tech company Instructure said it paid the hackers after they breached the company’s systems twice. As part of the hacking campaign, ShinyHunters defaced the login pages of several schools that use Instructure’s popular school information portal Canvas.