PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data

“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site.)

An analysis of a bash script left in the staging environment shows the attackers performed reconnaissance on compromised organizations, including mapping the PeopleSoft configurations, viewing process scheduler, and WebLogic server XML configurations. Eventually, the threat actors established an outbound SSH connection to 176.120.22.24, the IP address hosting ShinyHunters’ DLS. The stolen data was first compressed using the zstd tool. The DLS claimed to have recovered 48GB of data from a single victim.

ShinyHunters has been active since at least 2019. Over the past several years, it has executed scores of hacks against some of the world’s largest companies, affecting millions of people downstream. A small sample of victims includes Ticketmaster (through the breach of Snowflake, which hosted...

Copyright of this story solely belongs to arstechnica.com. To see the full text click HERE