

Ethical Hacking News

ShinyHunters' Oracle PeopleSoft Exploit: A High-Priority Threat to Higher Education Institutions


ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit: A High-Priority Threat to Higher Education Institutions - Google Cloud Blog

  • Google Cloud Blog reported an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure.
  • The campaign exploited CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8), in the Environment Management component.
  • Most affected organizations were based in the US and operated within the higher education sector.
  • The attackers' staging environments hosted customized MeshCentral agents that were used to deploy lateral movement and defacement scripts; the campaign correlates with data leaks published on the ShinyHunters Data Leak Site.
  • To defend against this campaign, organizations should block external access to the vulnerable endpoints at the network level rather than rely on WAF rules alone (a non-breaking change for end users), monitor access logs and endpoints, review network telemetry for outbound SMB, and audit PeopleSoft hosts and their filesystems.



    Google Cloud Blog recently reported on an active compromise and extortion campaign attributed to UNC6240 (ShinyHunters) targeting Oracle PeopleSoft application infrastructure. The activity was observed between May 27, 2026, and June 9, 2026, and is consistent with the exploitation of CVE-2026-35273, a critical remote code execution vulnerability (CVSS 9.8) in the Environment Management component.

    The exploitation of this vulnerability directly aligns with the observed targeting of Environment Management Hub (PSEMHUB) endpoints. Because this activity predates Oracle's June 10, 2026 advisory, the vulnerability was exploited as a zero-day. Upon becoming aware of active scanning and exploitation, Mandiant and Google Threat Intelligence Group (GTIG) initiated notifications to over 100 global organizations whose IP addresses correlated with potentially vulnerable endpoints.

    Most of these organizations were based in the United States, and 68 percent operated within the higher education sector. Subsequently, public reports by @nahamike01 on X highlighted open attacker directories on the staging servers, allowing GTIG to perform a detailed triage of the threat actor's operations.

    The attacker staging environments hosted customized MeshCentral agents masquerading as legitimate cloud endpoints, which they used to run administrative command queries and deploy a custom lateral movement and defacement script. This campaign directly correlates with subsequent data leaks of stolen organization data published on the ShinyHunters Data Leak Site (DLS) on June 9, 2026.


    To defend against this campaign, we recommend that organizations running Oracle PeopleSoft immediately implement the following security measures:

    Network Isolation & WAF Rules
    Endpoint Access Restrictions:
    If you cannot disable the EMHub Service, immediately block external network access to the sensitive endpoints /PSEMHUB/* (specifically /PSEMHUB/hub) and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Relying solely on Web Application Firewall (WAF) body-inspection rules is insufficient, as these controls can be bypassed.

    Non-Breaking Action:
    Restricting these endpoints is considered non-breaking for standard end-user operations. The Environment Management Hub (EMHub) and the Integration Broker Listening Connector are administrative or system-to-system components and are not required for the core user-facing PeopleSoft Internet Architecture (PIA) browser sessions.

    Log & Endpoint Monitoring
    Access Log Analysis:
    Audit the PIA WebLogic access logs for HTTP POST requests directed at /PSEMHUB/hub and /PSIGW/HttpListeningConnector originating from external or untrusted source IP addresses.

    SSRF Detection:
    Analyze requests to /PSIGW/HttpListeningConnector for loopback IP addresses (such as 127.0.0.1, localhost, or ::1) or internal IP ranges passed within request headers or parameters. This is a common method for attackers to perform Server-Side Request Forgery (SSRF) to bypass access controls.
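    A log-triage script for the two checks above (POSTs to the watched endpoints from untrusted sources, and loopback or internal-range targets in request parameters), added here as an illustration rather than code from Google or Oracle. It assumes Common Log Format access lines and RFC 1918 plus loopback as the trusted source set; the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit
# Endpoints named in the guidance; POSTs to them from untrusted sources are the signal.
WATCHED_PATHS = ("/PSEMHUB/hub", "/PSIGW/HttpListeningConnector")
# Assumed: the PIA WebLogic access log is in Common Log Format (adjust for the extended format).
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" \d{3}')
# Assumed trusted source ranges (RFC 1918 plus loopback); replace with your own management ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
LOOPBACK_TOKENS = ("127.0.0.1", "localhost", "::1", "0.0.0.0")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def is_trusted(ip_text):
    try:
        return any(ipaddress.ip_address(ip_text) in net for net in TRUSTED_NETS)
    except ValueError:  # not an IP literal at all
        return False

def ssrf_indicators(url):
    """Query-parameter values that name a loopback or internal-range target."""
    hits = []
    for values in parse_qs(urlsplit(url).query, keep_blank_values=True).values():
        for v in values:
            if any(t in v.lower() for t in LOOPBACK_TOKENS) or ((ip := IPV4_RE.search(v)) and is_trusted(ip.group(0))):
                hits.append(v)
    return hits

def triage(lines):
    """Return (source_ip, path, reason) for each suspicious request to a watched endpoint."""
    findings = []
    for m in filter(None, map(CLF_RE.match, lines)):
        path = urlsplit(m["url"]).path
        if not path.startswith(WATCHED_PATHS):
            continue
        reasons = []
        if m["method"] == "POST" and not is_trusted(m["ip"]):
            reasons.append("POST from untrusted source")
        if hits := ssrf_indicators(m["url"]):
            reasons.append("internal target in parameters: " + ", ".join(hits))
        if reasons:
            findings.append((m["ip"], path, "; ".join(reasons)))
    return findings

# Constructed sample lines (not real traffic): an external POST, an internal POST, and an SSRF-style GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jun/2026:03:12:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812',
    '10.20.30.40 - - [05/Jun/2026:08:01:02 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 812',
    '198.51.100.9 - - [05/Jun/2026:03:15:10 +0000] "GET /PSIGW/HttpListeningConnector?url=http://127.0.0.1:8000/ HTTP/1.1" 500 0',
]
if __name__ == "__main__": print(*triage(SAMPLE_LOG), sep="\n")
```

    Header-borne targets are not visible in a standard access log; extend the parser if your WebLogic domain logs the relevant headers.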

    Network Telemetry
    Outbound Port 445 Monitoring:
    Monitor outbound firewall logs and NetFlow data for outbound SMB traffic (TCP port 445) originating from PeopleSoft hosts to untrusted, external internet destinations. The exploit chain may coerce the system into making outbound connections in an attempt to capture Windows machine-account NetNTLM hashes.

    Host-Level Auditing & Filesystem Checks
    Conduct a thorough forensic audit of the web-tier filesystem on PeopleSoft hosts for indicators of compromise:

    Webshell Detection:
    Scan the WebLogic web application directory /webserv//applications/peoplesoft/PSEMHUB.war/ for any unexpected *.jsp files that are not part of the shipped product.

    Unauthorized Staging:
    Inspect the staging directory .../PSEMHUB.war/envmetadata/transactions/ for unauthorized folders, files, or binary drops.

    Unexpected Directories:
    Look for unexpected directories named logs, persistentstorage, or scratchpad under the PSEMHUB directories.

    XMLDecoder Persistence:
    Check /envmetadata/data/environment/ for recently created or modified .xml files, which may be leveraged by threat actors to execute remote code via XMLDecoder upon application restart.
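    The four filesystem checks above, implemented as one audit function; this is an added illustration, not Google's or Oracle's tooling. It assumes the relative layout of PSEMHUB.war named in the guidance and a JSP baseline that the administrator records from a clean install; the demo tree is constructed.

```python
import os
import tempfile
import time
from pathlib import Path

# Assumed layout, relative to the deployed PSEMHUB.war directory named in the guidance.
TRANSACTIONS = Path("envmetadata/transactions")
ENVIRONMENT = Path("envmetadata/data/environment")
SUSPECT_DIR_NAMES = {"logs", "persistentstorage", "scratchpad"}

def audit_psemhub(war_root, shipped_jsp=frozenset(), recent_days=30):
    """Walk a PSEMHUB.war tree and collect the four filesystem indicators from the guidance.

    shipped_jsp: JSP paths (relative to the .war) recorded from a clean install; this
    baseline is assumed to come from the administrator, and any other JSP is reported.
    """
    root = Path(war_root)
    cutoff = time.time() - recent_days * 86400
    findings = {"unexpected_jsp": [], "staging_entries": [], "suspect_dirs": [], "recent_env_xml": []}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        findings["suspect_dirs"] += [(rel_dir / d).as_posix() for d in dirnames if d.lower() in SUSPECT_DIR_NAMES]
        for name in filenames:
            rel = rel_dir / name
            if name.lower().endswith(".jsp") and rel.as_posix() not in shipped_jsp:
                findings["unexpected_jsp"].append(rel.as_posix())
            # XMLDecoder persistence: environment XML written or changed recently (runs at restart).
            if rel.parent == ENVIRONMENT and name.lower().endswith(".xml") and (root / rel).stat().st_mtime >= cutoff:
                findings["recent_env_xml"].append(rel.as_posix())
    staging = root / TRANSACTIONS
    if staging.is_dir():  # every entry is listed so it can be reviewed against known deployment activity
        findings["staging_entries"] = sorted(p.name for p in staging.iterdir())
    return findings

def build_demo_tree(base):
    """Constructed sample layout (not a real deployment) for a stand-alone run."""
    for p in ("index.jsp", "cmd.jsp", "envmetadata/transactions/drop.bin",
              "envmetadata/data/environment/env1.xml", "scratchpad/run.sh"):
        (Path(base) / p).parent.mkdir(parents=True, exist_ok=True)
        (Path(base) / p).write_text("sample")
    return base

def run_demo():
    """Audit the constructed tree in a temporary directory; index.jsp is the only 'shipped' JSP."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_psemhub(build_demo_tree(tmp), shipped_jsp={"index.jsp"})

if __name__ == "__main__":
    for key, items in run_demo().items():
        print(f"{key}: {items}")
```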

    Indicators of Compromise (IOCs)
    To assist the wider community in hunting and identifying activity outlined in this blog post, we have included indicators of compromise (IOCs) in a GTI collection for registered users. The IOCs include staging & C2 network indicators, staging payloads & attacker files, and technical analysis & command history.

    The exposed .bash_history file, which was identical across all five staging hosts, outlines the server configuration and administrative actions. The command history shows the threat actors performing targeted reconnaissance within compromised internal networks. They mapped Oracle PeopleSoft configurations by inspecting mount points, checking the process scheduler configuration file psappsrv.cfg, and reading WebLogic server XML configurations (config.xml).

    The attackers interacted with compromised systems using the MeshCentral command-line interface utility meshctrl.js. The propagation script [victim_abbreviation]_fanout.sh was written via a heredoc to /tmp on the staging host, and its execution on compromised hosts was triggered through the MeshCentral command execution feature.

    Threat actors concluded operations by establishing an outbound SSH connection from their staging system to 176.120.22.24, which hosts the public clearnet mirror of the ShinyHunters Data Leak Site.

    Remediation and Hardening Quick Guide
    Disable the Environment Management Hub (EMHub) Service in Multi-Server configurations or completely remove the PSEMHUB application in Single-Server configurations, as advised by Oracle's security alert guidance.

    If you cannot disable the EMHub Service, block external network access to /PSEMHUB/* and /PSIGW/HttpListeningConnector at the network perimeter or firewall level. Relying solely on Web Application Firewall (WAF) body-inspection rules is insufficient, as these controls can be bypassed.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/ShinyHunters-Oracle-PeopleSoft-Exploit-A-High-Priority-Threat-to-Higher-Education-Institutions-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-35273

  • https://www.cvedetails.com/cve/CVE-2026-35273/


  • Published: Thu Jun 11 15:47:30 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.