PeopleSoft Data Breach: ShinyHunters Claims 3.1TB Stolen

Cyber attackers claim to have stolen 3.1 terabytes of data from Oracle PeopleSoft systems, as part of a broader campaign against more than 100 companies.

A cybersecurity group known as ShinyHunters is implicated in a widespread attack targeting Oracle PeopleSoft applications, with a zero-day vulnerability serving as the entry point. The National Association of Insurance Commissioners (NAIC) states that only publicly available data was compromised in their instance, a claim disputed by ShinyHunters, who assert possession of a significant volume of sensitive information, including 3.1 terabytes across 105,000 files. This breach is part of a larger campaign affecting over 100 organizations, predominantly in the education sector.

The extent of the data breach remains a point of contention. ShinyHunters, also referred to as UNC6240, alleges it obtained sensitive regulatory data and credentials, potentially impacting core platforms like SERFF, OPTins, and SBS. However, the NAIC insists that the accessed systems contained only public financial reports, outdated logs, and configuration files, and has since remediated the affected systems.

Technical Underpinnings and Broader Implications

Google Cloud's analysis reveals that attackers leveraged the MeshCentral CLI utility for internal reconnaissance on compromised endpoints and employed a script, [victim_abbreviation]_fanout.sh, for lateral movement and payload propagation. Indicators associated with the staging infrastructure include azurenetfiles.net. Recommendations for defense involve network isolation, Web Application Firewall (WAF) rules, and endpoint access restrictions, particularly for sensitive endpoints such as /PSEMHUB/hub and /PSIGW/HttpListeningConnector.

The exploit targets an unspecified zero-day flaw within Oracle PeopleSoft. Attackers have demonstrated techniques including attempts to execute administrative commands and propagate malware. The compromised systems may include internal nodes accessible via SSH. Pathlock's assessment highlights the importance of immediate credential rotation for default PeopleSoft administrative accounts such as psoft, oracle, and linuxadm, and recommends auditing newly created user accounts.
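As an added illustration of the endpoint-restriction and monitoring advice above (example code written for this page, not from Google Cloud, Pathlock or Oracle), the following script audits web-server access-log lines for requests to /PSEMHUB/hub and /PSIGW/HttpListeningConnector that arrive from outside an internal allowlist, and for any reference to the reported azurenetfiles.net staging domain. The log format, the allowlisted networks and the sample log lines are assumptions constructed for the example.

```python
# Added example: audit web-server access logs for the PeopleSoft endpoints named above.
import ipaddress
import re

SENSITIVE_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")  # from the article
STAGING_INDICATORS = ("azurenetfiles.net",)  # staging domain reported in the article
# Assumed allowlist: the only networks that should reach those endpoints.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Common/combined log format: client ip, identd, user, [timestamp], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    """Return the parsed fields of one log line, or None if it is malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_allowed(ip):
    """True if the client address is inside an allowlisted network."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in ALLOWED_NETS)
    except ValueError:  # not a parseable address
        return False

def audit(lines):
    """Return (ip, path, reason) tuples for every suspicious log line."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop the query string before matching
        if path.startswith(SENSITIVE_PATHS) and not is_allowed(rec["ip"]):
            findings.append((rec["ip"], path, "sensitive endpoint from non-allowlisted source"))
        if any(ind in line.lower() for ind in STAGING_INDICATORS):
            findings.append((rec["ip"], path, "reference to reported staging domain"))
    return findings

# Constructed sample lines (not real traffic); clients use documentation address ranges.
SAMPLE_LOG = [
    '10.1.2.3 - - [01/Jan/2025:10:00:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 512 "-" "PeopleSoft"',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jan/2025:10:00:09 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096 "http://azurenetfiles.net/x" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2025:10:01:00 +0000] "GET /psp/ps/signon.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path, reason in audit(SAMPLE_LOG):
        print(f"{ip} {path}: {reason}")
```

Run against real logs, the same check gives a quick read on whether the two endpoints are reachable from anywhere outside the networks that should be using them.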

In parallel, Ford has reportedly initiated a recall of experienced, or "gray beard," employees. The specifics and rationale behind this move are not elaborated upon in the provided summaries, but it suggests a potential shift in talent strategy within the automotive giant.

Meanwhile, the cybersecurity landscape is seeing increased attention on the vetting of Large Language Models (LLMs) by government entities, indicating a growing awareness of the security implications surrounding AI technologies. The ability of malicious actors to trick AI coding agents into executing malware, as noted with a compromised GitHub repository, underscores these concerns.

Companies like Silent Push are marketing preemptive cyber defense platforms, aiming to identify adversary infrastructure and changes during the attack preparation phase, translating these into "Indicators of Future Attack®" an average of 140 days before campaigns materialize. This highlights a push towards proactive security measures in response to increasingly sophisticated threats.

Frequently Asked Questions

Q: What happened in the Oracle PeopleSoft data breach?
A group called ShinyHunters attacked Oracle PeopleSoft systems using a zero-day flaw. They claim to have stolen 3.1 terabytes of data from over 100 organizations.
Q: What data did ShinyHunters claim to steal?
ShinyHunters says they have 3.1 terabytes of data in 105,000 files, including sensitive information and credentials. They claim this data affects systems like SERFF, OPTins, and SBS.
Q: What does the NAIC say about the data breach?
The National Association of Insurance Commissioners (NAIC) says that only public data was taken. They state that affected systems only had public financial reports and old files, and they have fixed the problem.
Q: How did the attackers get into the systems?
Attackers used a zero-day flaw in Oracle PeopleSoft. They also used tools like MeshCentral CLI and a script called `[victim_abbreviation]_fanout.sh` to move around inside the systems and spread malware.