PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data


“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site.)

An analysis of a bash script left in the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations and viewing process scheduler and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of data from a single victim.
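For defenders hunting for the sequence described above, the following added example (not code from Mandiant, Rapid7, or the original article) correlates zstd execution with a later outbound connection to the reported DLS address on the same host. The key=value log format, host names, timestamps, and 30-minute window are assumptions; adapt the parser to your own process and network telemetry.

```python
import re
from datetime import datetime, timedelta

DLS_IP = "176.120.22.24"        # address the article reports as hosting the DLS
WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment

# Constructed sample events in a hypothetical key=value format (not real logs).
SAMPLE_LOG = """\
2025-01-01T10:00:00 host=psapp01 event=exec cmd="/usr/bin/zstd export.tar"
2025-01-01T10:04:10 host=psapp01 event=connect dst=176.120.22.24 dport=22
2025-01-01T11:00:00 host=psweb02 event=exec cmd="zstd logs.tar"
2025-01-01T11:05:00 host=psweb02 event=connect dst=10.0.0.5 dport=22
2025-01-01T12:00:00 host=psdb03 event=connect dst=176.120.22.24 dport=22
"""

LINE_RE = re.compile(r'^(\S+) host=(\S+) event=(\w+) (.*)$')
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(log):
    """Yield (timestamp, host, event, fields) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        ts, host, event, rest = m.groups()
        fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(rest)}
        yield datetime.fromisoformat(ts), host, event, fields

def detect(log):
    """Return (host, time, severity) for every connection to the DLS address.

    Severity is "high" when the same host ran zstd within WINDOW beforehand
    (compress-then-send pattern), otherwise "medium" (IoC contact alone).
    """
    last_zstd = {}
    findings = []
    for ts, host, event, f in sorted(parse(log), key=lambda e: e[0]):
        argv = f.get("cmd", "").split()
        if event == "exec" and argv and argv[0].rsplit("/", 1)[-1] == "zstd":
            last_zstd[host] = ts
        elif event == "connect" and f.get("dst") == DLS_IP:
            prior = last_zstd.get(host)
            staged = prior is not None and ts - prior <= WINDOW
            findings.append((host, ts.isoformat(), "high" if staged else "medium"))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

A "medium" hit still warrants investigation, since compression may have happened outside the logged window or under a renamed binary.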

A partially redacted section of the ShinyHunters’ DLS.

Credit: Mandiant

ShinyHunters has been active since at least 2019. Over the past several years, it has executed scores of hacks against some of the world’s largest companies, affecting millions of people downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted the data), Spain’s biggest bank, Santander, and Salesforce (and, through it, Google and, reportedly, many other companies). ShinyHunters uses various techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.

Mandiant and Rapid7 are providing detailed indicators of compromise. They are also advising PeopleSoft customers on the steps they should take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed the calls.


