Ethical Hacking News
The ShinyHunters group has used a critical Oracle PeopleSoft zero-day to breach more than 100 organizations worldwide, most of them universities. The exploit targets CVE-2026-35273, an unauthenticated remote code execution vulnerability in the Environment Management (PSEMHUB) component of Oracle PeopleSoft. Organizations running PeopleSoft should treat this as an active exploitation event and apply Oracle's mitigations immediately.
The campaign ran between May 27 and June 9, 2026, and the victims were predominantly universities and colleges in the United States. After exploitation the attackers deployed pre-configured Windows MeshCentral agent binaries to reach their command-and-control server, moved laterally with a script that parsed internal PeopleSoft node hostnames, and exfiltrated stolen data as compressed archives over outbound SSH. Roughly 455,000 unique email addresses taken in the campaign have since been indexed by Have I Been Pwned. Oracle's guidance is to disable the Environment Management Hub service or to restrict external network access to the PSEMHUB endpoints.
Researchers from Mandiant and Google's Threat Intelligence Group have revealed an ongoing campaign by ShinyHunters, a well-known data-theft and extortion group. The attackers exploited a critical zero-day, CVE-2026-35273, in the Environment Management component of Oracle PeopleSoft to gain remote code execution on exposed servers.
The operation ran between May 27 and June 9, 2026, and affected more than 100 organizations, mainly universities and colleges in the United States. Exploitation required no authentication. Mandiant identified 68% of the affected organizations through its own investigation; those victims had received no prior warning of the intrusion.
ShinyHunters deployed pre-configured Windows MeshCentral agent binaries, disguised as Microsoft Azure services, to establish communication with their command-and-control server. They then used MeshCentral's command-line tool, meshctrl.js, to map the Oracle PeopleSoft configuration and inspect internal host tables to identify further targets within each compromised network.
For lateral movement the attackers used a script named [victim_abbreviation]_fanout.sh, run remotely through MeshCentral, which parsed /etc/hosts for the hostnames of internal PeopleSoft nodes. After logging in to each node, they copied a file named README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT into the WebLogic and Process Scheduler directories as an extortion marker.
Stolen data was compressed with zstd and exfiltrated over outbound SSH connections to the IP address hosting ShinyHunters' public data-leak mirror. Approximately 455,000 unique email addresses of current students and alumni taken in the campaign have been indexed by Have I Been Pwned.
Given an actively exploited zero-day, the immediate priority for organizations running Oracle PeopleSoft is to remove the attack surface. Oracle recommends disabling the Environment Management Hub service on multi-server deployments, or removing it on single-server deployments; failing that, restrict external network access to the specific PSEMHUB endpoints at the perimeter. For hunting, review WebLogic access logs for unexpected activity, look for unexpected JSP files under the PSEMHUB.war directory, monitor outbound SMB traffic, and check for directories named logs, persistentstorage or scratchpad.
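To make the hunting steps above concrete, the following Python triage helper is an added example, not tooling from Oracle, Mandiant or this article. It assumes the default PSEMHUB context root of /PSEMHUB/, the usual PIA and Process Scheduler directory layout, a WebLogic access log in common log format, and a caller-supplied allowlist of the JSP files that a known-good PSEMHUB.war contains (the page does not list them). The log lines, the endpoint name /PSEMHUB/hub, and the directory tree are constructed demo data.

```python
"""PSEMHUB triage helper (added example; not Oracle, Mandiant or article code).

Assumptions, all ours: PSEMHUB is served at context root /PSEMHUB/, the access log
is in common log format, and the JSP allowlist comes from a known-good install.
The sample log lines and the demo directory tree below are constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Extortion marker the article says was dropped into WebLogic and Process Scheduler dirs.
MARKER = "README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT"
# Directory names the article says to look for.
SUSPECT_DIRS = {"logs", "persistentstorage", "scratchpad"}

# Common log format: host ident user [date] "METHOD path proto" status bytes
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_access_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = ACCESS_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path_nq"] = rec["path"].split("?", 1)[0]  # path without the query string
    return rec


def psemhub_requests(lines, context_root="/PSEMHUB/"):
    """Return every parsed request under the PSEMHUB context root, flagging JSP hits."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["path"].startswith(context_root):
            rec["jsp"] = rec["path_nq"].lower().endswith(".jsp")
            hits.append(rec)
    return hits


def sources_by_count(hits):
    """Count PSEMHUB requests per source IP so external callers stand out."""
    return Counter(h["ip"] for h in hits)


def _rel(path, base):
    return os.path.relpath(path, base).replace(os.sep, "/")


def unexpected_jsp(war_dir, expected):
    """List .jsp files under an exploded PSEMHUB.war that are not on the allowlist."""
    found = []
    for dirpath, _dirs, files in os.walk(war_dir):
        for name in files:
            if name.lower().endswith(".jsp"):
                rel = _rel(os.path.join(dirpath, name), war_dir)
                if rel not in expected:
                    found.append(rel)
    return sorted(found)


def suspect_dirs(root):
    """Return relative paths of directories named logs/persistentstorage/scratchpad."""
    return sorted(
        _rel(os.path.join(dirpath, d), root)
        for dirpath, dirs, _files in os.walk(root)
        for d in dirs
        if d.lower() in SUSPECT_DIRS
    )


def marker_files(root):
    """Find every copy of the extortion marker below root."""
    return sorted(
        os.path.join(dirpath, name)
        for dirpath, _dirs, files in os.walk(root)
        for name in files
        if name == MARKER
    )


# Constructed access-log lines (203.0.113.0/24 is a documentation range).
# /PSEMHUB/hub and cmd.jsp are placeholders, not endpoints named by the article.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2026:02:14:07 -0400] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123
203.0.113.9 - - [01/Jun/2026:02:15:41 -0400] "POST /PSEMHUB/hub HTTP/1.1" 200 311
203.0.113.9 - - [01/Jun/2026:02:16:02 -0400] "GET /PSEMHUB/cmd.jsp?c=id HTTP/1.1" 200 88
10.0.0.7 - - [01/Jun/2026:02:17:30 -0400] "GET /psc/ps/EMPLOYEE/HRMS/c/MAINTAIN_SECURITY.USERMAINT.GBL HTTP/1.1" 302 0
not an access log line
"""


def build_demo_tree():
    """Create a constructed PeopleSoft-like tree in a temp dir (assumed PIA/prcs layout)."""
    root = tempfile.mkdtemp(prefix="psft_demo_")
    war = os.path.join(root, "webserv", "peoplesoft", "applications", "peoplesoft", "PSEMHUB.war")
    prcs = os.path.join(root, "appserv", "prcs", "HRDMO")
    os.makedirs(os.path.join(war, "WEB-INF"))
    os.makedirs(os.path.join(war, "scratchpad"))
    os.makedirs(prcs)
    for rel in ("index.jsp", "WEB-INF/web.xml", "cmd.jsp"):  # cmd.jsp plays the planted file
        with open(os.path.join(war, rel), "w") as fh:
            fh.write("demo\n")
    open(os.path.join(prcs, MARKER), "w").close()
    return root, war


if __name__ == "__main__":
    hits = psemhub_requests(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ip']} {h['method']} {h['path']} jsp={h['jsp']}")
    print("per-source:", dict(sources_by_count(hits)))
    root, war = build_demo_tree()
    print("unexpected jsp:", unexpected_jsp(war, {"index.jsp"}))
    print("suspect dirs:", suspect_dirs(war))
    print("markers:", marker_files(root))
```

On a real host, point `psemhub_requests` at the WebLogic access log of each PIA domain, build the allowlist for `unexpected_jsp` by listing the JSP files in a freshly deployed PSEMHUB.war from the same PeopleTools release, and run `marker_files` over both PS_CFG_HOME and the Process Scheduler domain directories. Any external source IP in `sources_by_count` is worth treating as a lead, since the hub should only ever be contacted by the environment's own agents.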
Related Information:
https://www.ethicalhackingnews.com/articles/The-ShinyHunters-Campaign-A-Masterclass-in-Zero-Day-Exploitation-ehn.shtml
https://securityaffairs.com/193543/cyber-crime/oracle-peoplesoft-rce-flaw-used-as-zero-day-in-ongoing-shinyhunters-campaign.html
Published: Fri Jun 12 07:08:32 2026 by llama3.2 3B Q4_K_M