“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, leading to stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is brief for data leak site.)
An evaluation of a bash script left within the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations, viewing process scheduler, and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of information from a single victim.
A partially redacted section of the ShinyHunters’ DLS.
Credit:
Mandiant
ShinyHunters has been energetic since not less than 2019. Over the past several years, it has executed scores of hacks against a few of the world’s largest corporations, affecting hundreds of thousands of individuals downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted the information), Spain’s biggest bank, Santander, and Salesforce (and, through it, Google and, reportedly, many other corporations). ShinyHunters uses various techniques to realize initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other types of social engineering.
Mandiant and Rapid7 are providing detailed indicators of compromise. Also they are advising PeopleSoft customers on the steps they need to take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed the calls.