PeopleSoft 0-day: gigabytes of data stolen, affecting hundreds of organizations


“While several organizations have successfully blocked the activity or patched the vulnerabilities, others have been compromised, resulting in the stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leakage site.)

Analysis of the master script left in the staging environment shows that the attackers performed reconnaissance on the compromised entities, including mapping PeopleSoft configurations and viewing the process scheduler and WebLogic server XML configurations. Finally, the threat actors established an SSH connection to 176.120.22.24, the IP address hosting the ShinyHunters DLS. The stolen data was first compressed with the zstd tool. The DLS claimed that 48 GB of data had been taken from one victim.
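As an added illustration (not code from the article or from the Mandiant report), the following Python rule correlates the exfiltration sequence described above, a zstd compression run on a PeopleSoft host followed by an outbound SSH connection to the DLS address, over constructed process and network telemetry. The log format, hostnames and sample lines are invented for the example; the only value taken from the page is the IP address.

```python
from datetime import datetime, timedelta
import re

# DLS IP named in the Mandiant report; extend from your own IoC feed.
KNOWN_DLS_IPS = {"176.120.22.24"}
# Constructed sample telemetry: "<ts> <host> proc|net key=value ..."
SAMPLE_LOGS = """\
2025-11-02T01:12:03 psapp01 proc user=psadm cmd=zstd -T0 -19 /tmp/.stage/ps_dump.tar
2025-11-02T01:14:40 psapp01 net user=psadm dst=176.120.22.24 dport=22 bytes=51539607552
2025-11-02T02:00:00 psapp02 proc user=psadm cmd=zstd -d /opt/backup/nightly.tar.zst
2025-11-02T02:00:05 psapp02 net user=psadm dst=10.20.30.40 dport=22 bytes=4096
2025-11-02T03:30:00 psapp03 net user=root dst=176.120.22.24 dport=22 bytes=2048
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>proc|net) (?P<rest>.*)$")

def parse_fields(rest):
    """Split 'k=v' tokens; everything after 'cmd=' is the full command line."""
    fields, tokens = {}, rest.split()
    for i, tok in enumerate(tokens):
        key, _, val = tok.partition("=")
        if key == "cmd":
            fields["cmd"] = " ".join([val] + tokens[i + 1:])
            break
        fields[key] = val
    return fields

def parse(text):
    """Yield (timestamp, host, kind, fields) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["host"], m["kind"], parse_fields(m["rest"])

def is_zstd_compress(cmd):
    """True for a zstd invocation that compresses rather than decompresses."""
    argv = cmd.split()
    return bool(argv) and argv[0].rsplit("/", 1)[-1] == "zstd" and not {"-d", "--decompress"} & set(argv)

def find_exfil(text, window=timedelta(minutes=30)):
    """Flag outbound SSH to a known DLS IP; raise severity to high when the same
    host ran a zstd compression within `window` beforehand (the staging step)."""
    events, findings = list(parse(text)), []
    for ts, host, kind, f in events:
        if kind != "net" or f.get("dport") != "22" or f.get("dst") not in KNOWN_DLS_IPS:
            continue
        staged = [e[3]["cmd"] for e in events if e[1] == host and e[2] == "proc"
                  and is_zstd_compress(e[3].get("cmd", "")) and timedelta(0) <= ts - e[0] <= window]
        findings.append({"host": host, "dst": f["dst"], "ts": ts.isoformat(),
                         "severity": "high" if staged else "medium", "staged_archives": staged})
    return findings
```

On the sample data the psapp01 connection is reported as high severity with its staged archive, the psapp03 connection as medium, and the routine decompression plus internal SSH on psapp02 is not reported at all.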



A partially edited section of ShinyHunters’ DLS.

Credit: Mandiant

ShinyHunters has been around since at least 2019. Over the past few years, it has carried out numerous hacks against some of the world’s largest companies, affecting millions of people downstream. A small sample of victims includes Ticketmaster (via the Snowflake data breach), Spain’s largest bank Santander, and Salesforce (and through it Google and, reportedly, many other companies). ShinyHunters uses a variety of methods to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.

Mandiant and Rapid7 provide detailed indicators of compromise. They also advise PeopleSoft customers on the steps they should take immediately. Given the success rate of ShinyHunters, all PeopleSoft users would do well to heed that advice.
