While some organizations managed to block the activity or patch the vulnerabilities, others were compromised, leading to the publication of stolen data on the ShinyHunters data leak site (DLS), Mandiant noted.
Analysis of a bash script discovered in a staging environment revealed that the attackers conducted reconnaissance on the compromised networks, mapping PeopleSoft configurations, inspecting the process scheduler, and reviewing WebLogic server XML files. They then opened an outbound SSH connection to 176.120.22.24, the server hosting the ShinyHunters DLS. The exfiltrated data was first compressed with zstd, and the DLS claimed to have harvested 48 GB from a single victim.
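The reconnaissance, staging and exfiltration chain described above can be hunted for in host command telemetry. The following Python is an added example, not Mandiant's or Rapid7's published detection logic; it runs over constructed audit lines, and the PeopleSoft/WebLogic configuration file names, the internal allowlisted host and the log format are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample command-audit lines (timestamp, host, user, command); not real telemetry.
SAMPLE_LOG = """\
2024-01-10T02:11:03Z psapp01 psadm cat /home/psadm/ps_cfg_home/appserv/APPDOM/psappsrv.cfg
2024-01-10T02:12:40Z psapp01 psadm cat /home/psadm/ps_cfg_home/appserv/prcs/PRCSDOM/psprcs.cfg
2024-01-10T02:13:15Z psapp01 psadm grep -i datasource /home/psadm/ps_cfg_home/webserv/peoplesoft/config/config.xml
2024-01-10T02:40:22Z psapp01 psadm tar -cf - /data/export | zstd -T0 -o /tmp/.cache/out.tar.zst
2024-01-10T02:55:09Z psapp01 psadm ssh -p 22 user@176.120.22.24
2024-01-10T03:02:00Z psweb02 oracle ssh backup@10.0.5.20
2024-01-10T03:05:00Z psweb02 oracle zstd -d /opt/patches/bundle.tar.zst
"""

ALLOWED_SSH_DESTS = {"10.0.5.20"}  # assumed internal backup host; tune per environment

# App server config, process scheduler config, WebLogic config.xml (assumed paths)
RECON_FILES = re.compile(r"(psappsrv\.cfg|psprcs\.cfg|webserv/.*config\.xml)")
# zstd compression (ignore decompression with -d) or tar's --zstd
STAGING = re.compile(r"\bzstd\b(?!.*\s-d\b)|--zstd")
# ssh/scp/sftp with an IPv4 destination
REMOTE = re.compile(r"\b(ssh|scp|sftp)\b.*?(?:@|\s)(\d{1,3}(?:\.\d{1,3}){3})")


def classify(command):
    """Map one shell command to the intrusion stage it resembles, or None."""
    if RECON_FILES.search(command):
        return "recon"
    if STAGING.search(command):
        return "staging"
    m = REMOTE.search(command)
    if m and m.group(2) not in ALLOWED_SSH_DESTS:
        return "exfil"
    return None


def analyze(log_text):
    """Return {host: {stage: [commands]}} for every stage observed on each host."""
    per_host = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        _ts, host, _user, cmd = line.split(maxsplit=3)
        stage = classify(cmd)
        if stage:
            per_host[host][stage].append(cmd)
    return per_host


def flagged_hosts(log_text):
    """Hosts showing the full recon -> staging -> outbound-transfer chain."""
    return sorted(h for h, stages in analyze(log_text).items()
                  if {"recon", "staging", "exfil"} <= set(stages))
```

Hosts that only touch one stage (a routine backup over SSH, or unpacking a zstd patch bundle) are not flagged; the alert fires only when all three stages appear on the same host.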
A partially redacted section of the ShinyHunters’ DLS.
Credit: Mandiant
ShinyHunters has been active since at least 2019, carrying out numerous attacks against some of the world’s largest corporations and affecting millions of individuals downstream. Notable victims include Ticketmaster (via the breach of Snowflake, which hosted the data), Spain’s largest bank Santander, and Salesforce—through which Google and many other firms were potentially exposed. The group employs a range of tactics to gain initial footholds, such as exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, launching supply‑chain attacks, conducting voice phishing, and using other social‑engineering techniques.
Mandiant and Rapid7 have released detailed indicators of compromise and are advising PeopleSoft customers on immediate remedial steps. Given the group’s track record, all PeopleSoft users should heed these recommendations.