Full Report
The ShinyHunters extortion crew exploited an unpatched flaw in Oracle PeopleSoft to break into enterprise systems, steal data, and demand payment to keep it private. The campaign hit universities hardest. Google's Mandiant attributes it to the group it tracks as UNC6240, and dates the activity between May 27 and June 9. Oracle did not publish its advisory until June 10, so the bug was a
Analysis Summary
# Incident Report: ShinyHunters Exploitation of Oracle PeopleSoft Zero-Day
## Executive Summary
The ShinyHunters extortion crew (tracked by Mandiant as UNC6240) exploited a zero-day remote code execution (RCE) vulnerability in Oracle PeopleSoft to breach enterprise systems, primarily focusing on the higher education sector. The group exfiltrated sensitive personal data from over 100 organizations and demanded payment to prevent public disclosure. The incident resulted in significant data breaches, most notably at the University of Nottingham, involving nearly half a million records.
## Incident Details
- **Discovery Date:** Early June 2026 (publicly flagged by researchers)
- **Incident Date:** May 27, 2026 – June 9, 2026
- **Affected Organization:** 100+ organizations, including University of Nottingham
- **Sector:** Higher Education (68%), Enterprise
- **Geography:** Global (predominantly United States)
## Timeline of Events
### Initial Access
- **Date/Time:** May 27, 2026
- **Vector:** Zero-day exploitation (CVE-2026-35273)
- **Details:** Attackers targeted the "Updates Environment Management" component within PeopleSoft Enterprise PeopleTools. The flaw allowed unauthenticated RCE via network access over HTTP to the Environment Management Hub (PSEMHUB).
### Lateral Movement
- **Mechanism:** Attackers used a custom Bash script (`[victim]_fanout.sh`) to spread via SSH.
- **Details:** The script utilized a hardcoded list of credentials against internal hosts identified from `/etc/hosts`.
### Data Exfiltration/Impact
- **Activity:** Data was compressed using `zstd` and exfiltrated via outbound SSH to a public mirror of the ShinyHunters leak site.
- **Impact:** Sensitive data, including names, passport numbers, and disability details, was stolen. A marker file (`README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`) was left in PeopleSoft directories.
### Detection & Response
- **Discovery:** Researcher @nahamike01 discovered open directories on the attackers’ infrastructure; Mandiant triaged five IP addresses running Python HTTP servers.
- **Response:** Mandiant notified over 100 affected organizations. Oracle released an advisory and patch on June 10, 2026.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2026-35273 (9.8 CVSS).
- **Persistence:** Abuse of `XMLDecoder` deserialization in modified `.xml` files so that code executes again when the service restarts.
- **Defense Evasion:** Disguising remote management agents (MeshCentral) as legitimate "Microsoft Azure" binaries; using C2 domain `azurenetfiles[.]net`.
- **Credential Access:** Capturing machine-account NetNTLM hashes via outbound SMB (Port 445); SSH credential spraying.
- **Discovery:** Internal reconnaissance via `/etc/hosts` and exposed PSEMHUB endpoints.
- **Lateral Movement:** SSH "fanout" scripts.
- **Collection:** Compression of data using `zstd`.
- **Exfiltration:** Outbound SSH to leak site infrastructure.
- **Impact:** Extortion and public data leakage.
## Impact Assessment
- **Financial:** Extensive costs related to incident response, potential extortion payments, and regulatory fines.
- **Data Breach:** Compromise of ~455,000 unique email addresses, passport numbers, ethnicity, and disability data (University of Nottingham).
- **Operational:** Disruption to PeopleSoft services during mitigation/patching.
- **Reputational:** High public impact due to the sensitive nature of student and alumni data.
## Indicators of Compromise
- **Network Indicators:**
  - `azurenetfiles[.]net` (C2)
  - Outbound SSH to known ShinyHunters mirrors
  - Outbound SMB (Port 445) from PeopleSoft servers
- **File Indicators:**
  - `README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT`
  - `[victim]_fanout.sh`
  - Unexpected `.jsp` files in the `PSEMHUB.war` directory
- **Behavioral Indicators:**
  - POST requests to `/PSEMHUB/hub` or `/PSIGW/HttpListeningConnector` in WebLogic logs
  - Python `SimpleHTTP` servers running on Port 8888 on staging hosts
## Response Actions
- **Containment:** Disabling Environment Management Hub service or blocking external access to PSEMHUB endpoints.
- **Eradication:** Identification and removal of unauthorized `.jsp` files and malicious `.xml` persistence markers.
- **Recovery:** Applying Oracle PeopleTools patches (post-June 10) via My Oracle Support.
## Lessons Learned
- **Zero-Day Exposure:** Defenders depended on a vendor that was unaware of active exploitation for roughly two weeks (May 27 to the June 10 advisory).
- **Asset Visibility:** Many organizations had the Environment Management Hub reachable from the internet unnecessarily.
- **Detection Gaps:** Traditional WAF body-inspection was insufficient to block the exploit.
## Recommendations
1. **Network Hardening:** Immediately restrict access to `/PSEMHUB/*` and `/PSIGW/*` endpoints to internal management VPCs only.
2. **Egress Filtering:** Block outbound Port 445 (SMB) and Port 22 (SSH) from application servers to the internet.
3. **Patch Management:** Prioritize PeopleTools updates and monitor Oracle Security Alerts for critical infrastructure.
4. **Log Monitoring:** Implement alerting for unusual POST requests to management endpoints and unexpected file writes within web application directories.
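The behavioral indicator above (POST requests to the PSEMHUB/PSIGW endpoints in WebLogic logs) and recommendation 4 can be turned into a small detection. The following is an added example, not code from the report or from Oracle: it parses WebLogic access-log lines in Common Log Format (assumed to be the default `access.log` layout), flags POSTs to `/PSEMHUB/*` or `/PSIGW/*`, and rates them by whether the client IP falls outside a hypothetical internal management range. The log lines are constructed samples.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Common Log Format as written by WebLogic's default access.log (assumed layout).
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Management endpoints named in the report's behavioral indicators.
MGMT_PREFIXES = ("/PSEMHUB/", "/PSIGW/")

# Hypothetical allow-list: the only networks that should reach these endpoints
# (recommendation 1). Replace with your own management VPC ranges.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_management_path(path: str) -> bool:
    return any(path.startswith(p) for p in MGMT_PREFIXES)


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return an alert for a POST to a PSEMHUB/PSIGW endpoint, else None."""
    m = CLF.match(line)
    if not m or m["method"] != "POST" or not is_management_path(m["path"]):
        return None
    ip = ipaddress.ip_address(m["ip"])
    external = not any(ip in net for net in MGMT_NETS)
    return {
        "ip": m["ip"],
        "path": m["path"],
        "status": m["status"],
        # External callers violate the allow-list; internal POSTs still need review.
        "severity": "high" if external else "medium",
    }


def scan(lines: List[str]) -> List[Dict[str, str]]:
    return [a for a in (classify(ln) for ln in lines) if a]


# Constructed sample lines, not real victim logs.
SAMPLE = [
    '10.20.5.7 - - [28/May/2026:09:01:12 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/ HTTP/1.1" 200 5120',
    '203.0.113.44 - - [28/May/2026:09:02:33 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 311',
    '10.20.5.9 - - [28/May/2026:09:03:01 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 88',
    '198.51.100.8 - - [28/May/2026:09:04:40 +0000] "GET /PSEMHUB/hub HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

Feed it the real access log with the allow-list adjusted; any "high" hit is evidence the endpoint is still reachable from outside and should be contained per the response actions above.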