PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data


One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said.

The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. CVE-2026-35273, as the vulnerability is tracked, carries a severity rating of 9.8 out of 10, making the former zero-day one of the year’s most critical vulnerabilities to be exploited.

Google’s Mandiant security team said it’s an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a susceptible server to systems used by the targeted organization. Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.

The University of Nottingham confirmed on Wednesday that it was the victim of a hack that put a “significant” amount of student data in the hands of a threat actor. The confirmation came after ShinyHunters claimed the university was one of its recent victims and published gigabytes of data it claimed to have stolen in the hack.

Mandiant said ShinyHunters has been exploiting the vulnerability since May 27. As of Wednesday, the group had targeted roughly 300 endpoints belonging to 100 user organizations. About 68 percent of the organizations operated within the higher education sector.

A researcher said on Tuesday that the group responsible had “exposed several directories revealing ongoing targeting of PeopleSoft.” The attackers also left exposed a staging server containing the tools used in the attack.

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site.)

An analysis of a bash script left in the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations and viewing the process scheduler and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of data from a single victim.
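A defender-side detection sketch for the behaviour described above, added here as an example; it is not part of the article or of Mandiant’s or Rapid7’s guidance. Only the DLS IP address comes from the article; the log record formats, hostnames and file paths are constructed assumptions, as is the rule that flags any SSH session leaving a private address range.

```python
import re
from dataclasses import dataclass

# Indicator taken from the article: the IP address hosting the ShinyHunters data leak site.
DLS_IP = "176.120.22.24"

# Constructed sample telemetry (not real logs): one hypothetical outbound-connection record
# format and one hypothetical process-execution record format, as a SIEM might normalise them.
SAMPLE_LOGS = """\
2026-06-02T10:01:13Z conn src=10.0.5.21 dst=10.0.5.40 dport=1521 proto=tcp
2026-06-02T10:04:55Z exec host=psapp01 user=psadm cmd="cat /opt/psft/cfg/psprcs.cfg"
2026-06-02T10:05:02Z exec host=psapp01 user=psadm cmd="zstd -19 -T0 /tmp/export.tar"
2026-06-02T10:05:40Z conn src=10.0.5.21 dst=176.120.22.24 dport=22 proto=tcp
2026-06-02T10:06:01Z conn src=10.0.5.22 dst=93.184.216.34 dport=443 proto=tcp
"""

CONN_RE = re.compile(r"^(?P<ts>\S+) conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
EXEC_RE = re.compile(r'^(?P<ts>\S+) exec host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"')


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def scan(logs: str) -> list[Finding]:
    """Return one Finding per log line matching a behaviour from the reported attack chain."""
    findings: list[Finding] = []
    for line in logs.splitlines():
        m = CONN_RE.match(line)
        if m:
            if m["dst"] == DLS_IP:
                # Any contact with the known DLS host is high confidence, whatever the port.
                findings.append(Finding(m["ts"], "dls_ip_contact", f"{m['src']} -> {m['dst']}:{m['dport']}"))
            elif m["dport"] == "22" and not m["dst"].startswith("10."):
                # Assumption: application servers have no business opening SSH to non-RFC1918 hosts.
                findings.append(Finding(m["ts"], "outbound_ssh_external", f"{m['src']} -> {m['dst']}:22"))
            continue
        m = EXEC_RE.match(line)
        if m and re.search(r"(^|\s)zstd(\s|$)", m["cmd"]):
            # The article reports zstd being used to compress data before exfiltration.
            findings.append(Finding(m["ts"], "zstd_compression", f"{m['host']}/{m['user']}: {m['cmd']}"))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f.ts, f.rule, f.detail)
```

The DLS-IP rule is the only one the article supports directly; the other two are behavioural heuristics that should be tuned against a baseline of normal PeopleSoft host activity before alerting on them.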

ShinyHunters has been active since at least 2019. Over the past several years, it has executed scores of hacks against some of the world’s largest companies, affecting millions of people downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted the data), Spain’s biggest bank, Santander, and Salesforce (and, through it, Google and, reportedly, many other companies).

ShinyHunters uses various techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.

Mandiant and Rapid7 are providing detailed indicators of compromise. They are also advising PeopleSoft customers on the steps they should take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed the calls.