ShinyHunters: A Persistent Threat in the Digital Landscape
Cybersecurity firm Mandiant has recently shed light on the persistent threat posed by ShinyHunters, a notorious cybercriminal group active since 2019. Known for their sophisticated attack methods, ShinyHunters has targeted some of the world’s largest corporations, leading to significant data breaches and extensive downstream impacts on millions of individuals.
Understanding the Recent Breach
In a recent analysis, Mandiant found that while several organizations managed to block the activity or patch vulnerabilities, others were not as fortunate: those organizations were compromised, and their stolen data subsequently appeared on the ShinyHunters data leak site (DLS).
Examination of a bash script the attackers left behind in a test environment showed that they had carried out thorough reconnaissance of the compromised organizations, mapping PeopleSoft configurations and reviewing the process scheduler and WebLogic server XML configurations. Finally, the threat actors established an outbound SSH connection to an IP address (176.120.22.24) hosting the ShinyHunters DLS. Before being uploaded, the stolen data was compressed with the zstd tool; the DLS claimed to have extracted 48 GB of data from a single target.
[Figure: A partially redacted section of the ShinyHunters DLS. Credit: Mandiant]
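The sequence described above (configuration reconnaissance, zstd compression, then an outbound SSH connection to the DLS host) is a pattern a defender can hunt for in process-execution and connection telemetry. The following Python script is an added example and is not code from Mandiant, Rapid7 or the Ars Technica article. It assumes a simple constructed log format (one `EXEC` or `CONN` record per line), a hypothetical one-hour window between compression and outbound SSH, and constructed host names; the only indicator taken from the article is the DLS address 176.120.22.24. It flags the known DLS IP, any outbound SSH to a non-private address, the same host running zstd shortly before such a connection, and shell reads of WebLogic XML configuration files.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator quoted in the Mandiant analysis summarised above: the host serving the
# ShinyHunters DLS that received the victim's outbound SSH connection.
DLS_IP = "176.120.22.24"
SSH_PORT = 22
# Assumed (not from the article): compression is treated as exfil staging when an
# external SSH connection from the same host follows within this window.
STAGING_WINDOW = timedelta(hours=1)

# Constructed record shapes (not a real product's log format):
#   EXEC <iso-ts> host=<h> user=<u> cmd=<command line>
#   CONN <iso-ts> host=<h> proto=tcp dst=<ip>:<port> dir=out
EXEC_RE = re.compile(r"^EXEC (\S+) host=(\S+) user=(\S+) cmd=(.*)$")
CONN_RE = re.compile(r"^CONN (\S+) host=(\S+) proto=tcp dst=([^:\s]+):(\d+) dir=out$")
# Shell access to an XML file under a WebLogic path (config reconnaissance).
WEBLOGIC_XML_RE = re.compile(r"weblogic\S*\.xml\b", re.IGNORECASE)

# Constructed sample telemetry; host names and paths are invented for illustration.
SAMPLE_LOG = """\
EXEC 2025-10-01T02:11:04 host=psapp01 user=psadm cmd=bash /tmp/recon.sh
EXEC 2025-10-01T02:11:09 host=psapp01 user=psadm cmd=cat /opt/weblogic/domains/peoplesoft/config/config.xml
EXEC 2025-10-01T02:40:31 host=psapp01 user=psadm cmd=zstd -19 -T0 /tmp/export.tar -o /tmp/export.tar.zst
CONN 2025-10-01T02:52:10 host=psapp01 proto=tcp dst=176.120.22.24:22 dir=out
CONN 2025-10-01T03:00:00 host=psapp02 proto=tcp dst=10.0.5.20:1521 dir=out
EXEC 2025-10-01T09:15:00 host=build01 user=ci cmd=zstd -q artifacts.tar
"""


@dataclass
class Finding:
    severity: str
    host: str
    rule: str
    when: datetime


def analyze(log_text: str) -> list[Finding]:
    """Scan the log once, in order, and return detections."""
    findings: list[Finding] = []
    last_zstd: dict[str, datetime] = {}  # host -> time of its most recent zstd run

    for line in log_text.splitlines():
        m = EXEC_RE.match(line)
        if m:
            ts, host, _user, cmd = m.groups()
            when = datetime.fromisoformat(ts)
            parts = cmd.split()
            argv0 = parts[0].rsplit("/", 1)[-1] if parts else ""
            if argv0 == "zstd":
                last_zstd[host] = when  # remember for the staging rule below
            if WEBLOGIC_XML_RE.search(cmd):
                findings.append(Finding("low", host, "weblogic-xml-config-read", when))
            continue

        m = CONN_RE.match(line)
        if m:
            ts, host, dst_ip, dst_port = m.groups()
            when = datetime.fromisoformat(ts)
            if dst_ip == DLS_IP:
                findings.append(Finding("high", host, "ioc-shinyhunters-dls-ip", when))
            external = not ipaddress.ip_address(dst_ip).is_private
            if int(dst_port) == SSH_PORT and external:
                findings.append(Finding("medium", host, "outbound-ssh-external", when))
                zstd_at = last_zstd.get(host)
                if zstd_at is not None and timedelta(0) <= when - zstd_at <= STAGING_WINDOW:
                    findings.append(Finding("high", host, "zstd-then-external-ssh", when))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.when.isoformat()} {f.severity:6} {f.host:8} {f.rule}")
```

On the constructed sample the script reports four findings, all on psapp01: the config read, the DLS IP match, the external SSH connection, and the compression-then-SSH staging pattern; the zstd run on the build host produces nothing because no external SSH follows it. The DLS IP rule is the only one that depends on a fixed indicator, so the other three remain useful once the infrastructure changes.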
Notable Victims and Attack Methods
ShinyHunters has a track record of executing high-profile hacks, including breaches of Ticketmaster, Santander, and Salesforce, with the latter reportedly impacting Google and numerous other companies. The group employs a mix of techniques to gain initial access, such as exploiting cloud misconfigurations and software vulnerabilities, OAuth token theft, supply chain attacks, voice phishing, and other forms of social engineering.
Recommendations for PeopleSoft Users
In response to these threats, both Mandiant and Rapid7 have provided detailed indicators of compromise and advised PeopleSoft customers on immediate actions to take. Given ShinyHunters’ success rate, it is imperative for all PeopleSoft users to heed these recommendations to safeguard their data and infrastructure.
For more information, please refer to the original article on Ars Technica.