Oracle Warns of Critical Vulnerability in PeopleSoft Software
Oracle warns of critical vulnerability in PeopleSoft software exploited by hackers to breach over 100 companies.

Oracle warned its corporate customers of a critical-rated vulnerability in its PeopleSoft software, which large companies use to manage payroll and human resources. The company published the security advisory on Thursday, a day after the cybercrime group ShinyHunters claimed to have breached more than 100 organizations running PeopleSoft servers.
Mandiant, the Google-owned security unit, warned in a blog post that the new Oracle flaw is the same bug being abused in ShinyHunters' hacking campaign targeting PeopleSoft customers. Oracle said the bug can be exploited over the internet without needing authentication, such as a password, and recommended that PeopleSoft software customers apply mitigations to prevent exploitation. A patch for the vulnerability had not been released at the time of writing.
On Wednesday, a ShinyHunters member told TechCrunch that the gang compromised companies by abusing a previously unknown, unpatched flaw in PeopleSoft servers, a so-called zero-day. Mandiant confirmed that it had notified over “100 global organizations,” mostly in the United States, advising them to restrict access to potentially vulnerable systems. About two-thirds of these organizations are in higher education, which aligns with ShinyHunters' earlier claim.
“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters [Data Leak Website],” Mandiant wrote. The ShinyHunters member told TechCrunch that some hacked organizations are universities and colleges. A message shared with TechCrunch allegedly sent to one victim school claimed that hackers stole “hundreds of thousands of student records containing full name, home address, phone, email, date of birth, gender, ethnicity, enrollment status, GPA, major, and student ID across all campuses,” among other data.
PeopleSoft and its customers are the latest victims in a series of hacking campaigns in which ShinyHunters targeted many organizations that share the same vulnerable software. In the last year, the group targeted companies using Salesforce, companies using Gainsight, and customers of education technology giant Instructure, among others. The hackers steal corporate or customer data and threaten to release it unless the victims pay a ransom.
Earlier this year, education tech company Instructure said it paid the hackers after they breached the company’s systems twice. As part of that campaign, ShinyHunters defaced the login pages of several schools using Instructure’s popular learning platform Canvas.
Why this matters: A single pre-authentication flaw in widely deployed enterprise software lets one group compromise many organizations at once, and with no patch yet available, the only defense is to apply Oracle's mitigations and limit which networks can reach PeopleSoft servers. The PeopleSoft campaign repeats the pattern of ShinyHunters' earlier attacks on Salesforce, Gainsight, and Instructure customers: find one shared weakness, hit every organization that has it, and extort each one with the stolen data.
Source: TechCrunch