ShinyHunters Ransomware Group Exploits Oracle PeopleSoft Vulnerability
Ars Technica · 12.06.2026 · Technology · 3 min read · United States


Quick Look

  • Ransomware group ShinyHunters exploited a critical Oracle PeopleSoft vulnerability (CVE-2026-35273) to target ~100 customers, extorting at least one.
  • The vulnerability, rated 9.8/10, allowed server-side request forgery.

AI summary

Why It Matters

The ransomware group ShinyHunters has exploited a critical vulnerability (CVE-2026-35273) in Oracle's PeopleSoft software, a vulnerability rated 9.8 out of 10. This SSRF vulnerability allows attackers to send requests from a susceptible server to systems within the targeted organization.


One of the world’s most active ransomware groups exploited a critical vulnerability in Oracle’s PeopleSoft software suite and used it to target about 100 customers and extort at least one of them to pay up in exchange for not leaking stolen data, researchers said.

The group, tracked as ShinyHunters, had been exploiting the PeopleSoft vulnerability for more than two weeks before Oracle flagged it. CVE-2026-35273, as the vulnerability is tracked, carries a severity rating of 9.8 out of 10, making the former zero-day one of the year’s most critical vulnerabilities to be exploited.

Google’s Mandiant security team said it’s an SSRF (server-side request forgery), a vulnerability that allows attackers to send requests from a susceptible server to systems used by the targeted organization. Oracle said the SSRF is remotely exploitable, and the company has issued a stopgap mitigation but has yet to fully patch the flaw. Google has confirmed that victims are receiving extortion demands.

9.8 0-day exploited for 2 weeks

The University of Nottingham confirmed on Wednesday that it was the victim of a hack that put a “significant” amount of student data in the hands of a threat actor. The confirmation came after ShinyHunters claimed the university was one of its recent victims and published gigabytes of data it claimed to have stolen in the hack.

Mandiant said ShinyHunters has been exploiting the vulnerability since May 27. As of Wednesday, the group had targeted roughly 300 endpoints belonging to 100 user organizations. About 68 percent of the organizations operated within the higher education sector. A researcher said on Tuesday that the group responsible had “exposed several directories revealing ongoing targeting of PeopleSoft.” The attackers also left available a staging server containing tools used in the attack.

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site.)

An analysis of a bash script left in the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations and viewing process scheduler and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of data from a single victim.
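A hunt for the staging sequence described above (zstd compression followed by outbound SSH), written as an added example that is not from the article, Mandiant or Rapid7. The JSON event schema, host names, file names and the six-hour correlation window are assumptions; only the IP address comes from the article.

```python
import ipaddress
import json
from datetime import datetime, timedelta

DLS_IP = "176.120.22.24"     # address the article names as the SSH destination
WINDOW = timedelta(hours=6)  # assumed gap allowed between compression and SSH

# Constructed sample telemetry; the JSON schema and host names are hypothetical.
SAMPLE = """\
{"ts":"2026-06-01T02:14:00","host":"psapp01","kind":"exec","argv":["/usr/bin/zstd","-19","/tmp/out.tar"]}
{"ts":"2026-06-01T02:20:00","host":"psapp01","kind":"conn","dst":"176.120.22.24","dport":22}
{"ts":"2026-06-01T03:00:00","host":"psapp02","kind":"conn","dst":"10.0.0.5","dport":22}
{"ts":"2026-06-01T04:00:00","host":"psapp03","kind":"exec","argv":["zstd","-d","backup.zst"]}
"""

def hunt(lines):
    """Return {host: sorted finding names} for hosts with at least one finding."""
    events = sorted((json.loads(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])  # ISO timestamps sort lexically
    last_zstd, findings = {}, {}
    for e in events:
        ts, host = datetime.fromisoformat(e["ts"]), e["host"]
        hits = findings.setdefault(host, set())
        if e["kind"] == "exec":
            argv = e.get("argv") or [""]
            # Compression only: decompressing an archive is not staging.
            if argv[0].rsplit("/", 1)[-1] == "zstd" and not {"-d", "--decompress"} & set(argv):
                last_zstd[host] = ts
                hits.add("zstd_compress")
        elif e["kind"] == "conn" and e.get("dport") == 22:
            if e["dst"] == DLS_IP:
                hits.add("ssh_to_reported_ip")
            if not ipaddress.ip_address(e["dst"]).is_private:
                hits.add("external_ssh")
                # Correlate: compression followed shortly by SSH leaving the network.
                if host in last_zstd and ts - last_zstd[host] <= WINDOW:
                    hits.add("compress_then_external_ssh")
    return {h: sorted(f) for h, f in findings.items() if f}

if __name__ == "__main__":
    for host, names in hunt(SAMPLE.splitlines()).items():
        print(host, names)
```

The behavioural findings (`external_ssh`, `compress_then_external_ssh`) still fire if the destination address changes, which a match on the single reported IP would miss.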

ShinyHunters has been active since at least 2019. Over the past several years, it has executed scores of hacks against some of the world’s largest companies, affecting millions of people downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted the data), Spain’s biggest bank, Santander, and Salesforce (and, through it, Google and, reportedly, many other companies). ShinyHunters uses various techniques to gain initial access, including exploiting cloud misconfigurations and software vulnerabilities, stealing OAuth tokens, supply chain attacks, voice phishing, and other forms of social engineering.

Mandiant and Rapid7 are providing detailed indicators of compromise. They are also advising PeopleSoft customers on the steps they should take immediately. Given ShinyHunters’ success rate, all PeopleSoft users would do well to heed the calls.

What Might Happen Next?

AI forecast; not a certainty

  • Further exploitation of the PeopleSoft vulnerability by ShinyHunters or other groups.

    Likely · Within weeks

  • Increased pressure on Oracle to release a comprehensive patch and provide support to affected customers.

    Very likely · Within weeks

  • Other organizations using PeopleSoft will implement immediate security measures and audits.

    Very likely · Within days

Open Questions

  • What is the full extent of the data stolen from the University of Nottingham?
  • How many other organizations have paid the ransom?
  • What is Oracle's timeline for a full patch?
  • Will there be further repercussions for Oracle or affected organizations?


This story was first published at: Ars Technica.
