Oracle recently issued a security alert to its enterprise customers warning of a serious security vulnerability in the company's PeopleSoft software, which is used for payroll and human resources management. A cybercriminal group called ShinyHunters claims to have used this vulnerability in a large-scale hacking campaign to break into more than 100 organizations that run the software. The alert was issued on Thursday local time, a day after ShinyHunters claimed to have breached the systems of more than 100 organizations running PeopleSoft servers.

Mandiant, a cybersecurity company owned by Google, confirmed in a blog post that the vulnerability being exploited by ShinyHunters is the same flaw Oracle has just disclosed, and that the targets are concentrated among Oracle's PeopleSoft customers. Oracle has not yet released a patch, but it warned in a security advisory that the vulnerability can be exploited remotely over the Internet without any authentication or password, and it urged customers still running affected PeopleSoft systems to apply its official mitigation measures immediately to reduce the risk of attack.
Members of ShinyHunters said the group broke into multiple organizations by attacking unpatched PeopleSoft servers. Because it was discovered and exploited before Oracle had a fix available, the vulnerability is a classic "zero-day": one the software vendor has had no time to patch by the time it is being used in attacks. Mandiant said it has notified more than 100 organizations around the world of potential risk to their systems; most are located in the United States, and universities and other higher-education institutions account for about two-thirds. This is broadly consistent with the composition of targets previously disclosed by ShinyHunters.
Mandiant noted in its advisory that some organizations blocked the attackers while the intrusion was under way or remediated the vulnerability in time, but others were compromised, with sensitive data stolen and published on a data-leak website operated by ShinyHunters. Oracle has yet to respond to the large-scale intrusion.
Members of ShinyHunters showed the media a notification message they claimed to have sent to a victim university, stating that the hackers had stolen "hundreds of thousands of student records" from the school's system, including student names, home addresses, phone numbers, email addresses, dates of birth, gender, ethnicity, enrollment status, grade point average (GPA), majors, and student ID numbers. As the scope of the attack widens, PeopleSoft and its customers have become the latest victims in a series of ShinyHunters intrusions, each of which targets the customers of a single vulnerable software platform.
Over the past year, ShinyHunters has repeatedly gone after businesses and institutions that share a common software platform. The group has previously broken into many companies using Salesforce and Gainsight, as well as services provided by education-technology giant Instructure. Once it confirms that a given piece of software has an exploitable vulnerability, it concentrates on scanning for and breaking into large numbers of organizations that run it, stealing corporate or customer data, and then extorting the victims by threatening to publish the data.
Earlier this year, Instructure publicly acknowledged that it had reached a settlement with and paid the hackers after two intrusions; in related attacks, ShinyHunters went so far as to tamper with the login pages of multiple schools, "defacing" the Instructure-owned Canvas campus portals those schools used in order to show off the results of the attack. Now, with the PeopleSoft vulnerability exposed and exploited at scale, security experts warn that enterprises and universities that rely on the system for core business are very likely to become victims of the next round of data leaks and ransomware attacks unless they apply the official mitigations promptly and deploy patches as soon as they become available.