The ShinyHunters extortion group is conducting widespread data theft attacks against Oracle PeopleSoft servers, targeting both cloud and on-premises instances. They claim to have compromised 300 instances across more than 100 organizations, mainly in education. The attacks leverage a 'gadget chain' of old and zero-day vulnerabilities, though success depends on system configuration. The attackers use credential spraying against common PeopleSoft and Oracle admin accounts and attempt SSH access, falling back to key-based authentication if passwords fail. They deploy ransom notes on compromised servers and have publicly leaked some stolen data. Oracle has not confirmed any zero-day exploitation. Security researchers have identified related tooling and infrastructure, including IP addresses and scripts used in the attacks.

Data theft from Oracle PeopleSoft servers has occurred, with sensitive business and administrative information potentially exposed. Victims face extortion demands and public data leaks. The attacks affect both cloud and on-premises deployments, potentially disrupting business operations and compromising confidential data. The threat actor's ability to exploit both known and unknown vulnerabilities increases risk, especially for improperly configured or unpatched systems.

Oracle has not issued a public advisory or patch related to these attacks; patch status is not yet confirmed — check Oracle's advisory for current remediation guidance. Organizations should analyze logs for connections from the identified malicious IP addresses and investigate any signs of compromise. If indicators of compromise are found, initiate incident response and consider temporarily isolating affected PeopleSoft servers from internet access until secured. Review and strengthen administrative account credentials and access controls to prevent credential spraying and unauthorized SSH access. Monitor for any updates from Oracle regarding patches or mitigations.