PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

Source: Biz & IT - Ars Technica

While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters data leak site (DLS), Mandiant said. An analysis of a bash script left in the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations and viewing process scheduler and WebLogic server XML configurations.

Eventually the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool, and the DLS claimed to have recovered 48GB of data from a single victim. ShinyHunters has been active since at least 2019 and over the past several years has executed scores of hacks against some of the world’s largest companies, affecting millions of people downstream.
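
For defenders hunting for the pattern described above (zstd compression followed by an outbound SSH connection), the following is an added example, not code from Mandiant or Ars Technica. The JSON-lines event schema, host names, 30-minute window and internal address ranges are assumptions; only the IP address comes from the article.

```python
import ipaddress
import json
from datetime import datetime, timedelta

REPORTED_DLS_IP = "176.120.22.24"  # address named in the article
WINDOW = timedelta(minutes=30)     # assumption: zstd-to-SSH correlation window
# Assumption: ranges this organization treats as internal.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry, sorted by time (hypothetical JSON-lines schema).
SAMPLE_EVENTS = """\
{"ts": "2025-01-01T02:10:00", "host": "psft-app01", "type": "exec", "argv": ["zstd", "/tmp/stage.tar"]}
{"ts": "2025-01-01T02:25:00", "host": "psft-app01", "type": "conn", "dst_ip": "176.120.22.24", "dst_port": 22}
{"ts": "2025-01-01T03:00:00", "host": "psft-web02", "type": "exec", "argv": ["/usr/bin/zstd", "backup.tar"]}
{"ts": "2025-01-01T03:05:00", "host": "psft-web02", "type": "conn", "dst_ip": "10.0.4.7", "dst_port": 22}
{"ts": "2025-01-01T04:00:00", "host": "psft-db03", "type": "conn", "dst_ip": "203.0.113.50", "dst_port": 22}
{"ts": "2025-01-01T05:00:00", "host": "psft-prcs04", "type": "exec", "argv": ["zstd", "x.tar"]}
{"ts": "2025-01-01T05:10:00", "host": "psft-prcs04", "type": "conn", "dst_ip": "203.0.113.50", "dst_port": 22}
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def detect(text):
    """Return {host: finding} for outbound SSH that matches the reported pattern."""
    last_zstd, findings = {}, {}
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ts, host = datetime.fromisoformat(ev["ts"]), ev["host"]
        if ev["type"] == "exec" and ev["argv"][0].rsplit("/", 1)[-1] == "zstd":
            last_zstd[host] = ts  # remember the most recent compression run
        elif ev["type"] == "conn" and ev["dst_port"] == 22:
            if ev["dst_ip"] == REPORTED_DLS_IP:
                findings[host] = "high: SSH to reported DLS address"
            elif (not is_internal(ev["dst_ip"]) and host in last_zstd
                  and timedelta(0) <= ts - last_zstd[host] <= WINDOW):
                findings.setdefault(host, "medium: zstd then external SSH")
    return findings

if __name__ == "__main__":
    for host, finding in detect(SAMPLE_EVENTS).items():
        print(host, finding)
```

External SSH with no preceding zstd run (psft-db03) and zstd followed by internal SSH (psft-web02) are deliberately left unflagged to keep the rule specific to the reported sequence.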
