“While many organizations successfully blocked the activity or remedied the vulnerabilities, others experienced compromises that resulted in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for Data Leak Site.)
Analysis of bash scripts left in the staging environment shows that the attackers performed reconnaissance on the compromised organizations, including mapping the PeopleSoft configuration and viewing the Process Scheduler and WebLogic Server XML configuration. Ultimately, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claims to hold 48GB of data taken from one victim.

Partially modified section of the ShinyHunters DLS.
Credit: Mandiant
ShinyHunters has been active since at least 2019. Over the past several years, it has carried out several hacks against some of the world’s largest companies, affecting millions of people. A small sample of victims includes Ticketmaster (through a breach of Snowflake, which hosted the data), Spain’s largest bank, Symantec, and Salesforce (and, through it, Google and, reportedly, several other companies). ShinyHunters uses a variety of techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.
Mandiant and Rapid7 are providing detailed indicators of compromise. They are also advising PeopleSoft customers on the steps they should take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed the call.