CyberSecurity SEE

ShinyHunters Targets Universities Using Oracle Zero-Day Exploit

Mandiant Reports: 68% of Targets Were Higher Education Institutions Utilizing PeopleSoft

A recent report from researchers at Mandiant and Google’s Threat Intelligence Group details an extortion campaign run by the hacking group ShinyHunters. The group exploited a zero-day vulnerability in Oracle PeopleSoft as part of an aggressive campaign that affected more than 100 organizations worldwide.

The campaign has raised significant alarm in the cybersecurity community, particularly because of the high proportion of higher education institutions among the victims. The Mandiant research team reported that 68% of the targeted organizations were academic institutions, which is concerning given the sensitive data these organizations manage, including student records and financial information.

The timeline of the incidents spanned from May 27 to June 9, during which researchers monitored the group’s activities closely. As a precaution, Mandiant took the initiative to notify more than 100 institutions whose IP addresses were associated with endpoints potentially vulnerable to this attack.

Key findings from the report highlighted that several academic institutions were able to successfully thwart the attempted attacks. They either blocked the malicious activity or remediated the vulnerability before it could lead to any significant data breaches. However, some organizations were not as fortunate, and their sensitive data was reportedly posted on the ShinyHunters data leak site on June 9, after the attacks had commenced.

The underlying vulnerability exploited, identified as CVE-2026-35273, resides in the environment management component of Oracle PeopleSoft. This flaw has been characterized by a high CVSS score of 9.8, indicating a critical level of risk. It allowed the attackers to execute remote code without requiring any authentication, thereby providing them a direct route into the application infrastructure of the affected organizations.

ShinyHunters has a notorious reputation for engaging in large-scale data theft and extortion campaigns targeting various sectors. Their operations have historically centered on organizations that hold vast repositories of potentially exploitable personal data, including educational institutions. The group has previously been linked to data breaches involving prominent universities like Harvard and the University of Pennsylvania.

According to Mandiant’s findings, ShinyHunters employed sophisticated tactics, including the use of customized MeshCentral remote management agents disguised as legitimate Microsoft Azure services. This strategy likely aimed to help them blend into the existing enterprise environments of their targets. Researchers gained insight into the full scope of these operations when a security analyst discovered open directories on five sequential staging server IP addresses, revealing the attackers’ command history which indicated the use of the MeshCentral tool for administrative queries and network exploitation.

In response to this escalating threat, Mandiant has recommended that organizations currently utilizing Oracle PeopleSoft take immediate steps to block external access to vulnerable endpoints. They also suggested conducting audits of WebLogic access logs to identify any suspicious requests from external IP sources. Furthermore, researchers advised institutions to scan the PSEMHUB web application directory for unauthorized JSP files and review filesystem paths for any signs of illicit activity.
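The two log- and filesystem-based checks Mandiant recommends can be scripted. The following is an added example written for this page, not code from Mandiant, Oracle or the report; it assumes a Common Log Format WebLogic access log, treats only RFC 1918 addresses as internal, uses the PSEMHUB path prefix named above, and compares JSP files against a known-good baseline inventory that the defender must supply (here a constructed one). The log lines and directory contents are constructed sample data.

```python
"""Added defender example (not Mandiant's or Oracle's code): flag external
requests to the PSEMHUB path in WebLogic access logs and list JSP files under
a web-app directory that are not in a known-good baseline.
The log format, the internal ranges and the baseline are assumptions."""
import ipaddress
import os
import re
import tempfile

# Constructed WebLogic-style access log lines (Common Log Format, sample data only).
SAMPLE_LOG = """\
10.20.30.40 - - [02/Jun/2026:10:15:01 +0000] "GET /psp/ps/EMPLOYEE/HRMS/h/?tab=DEFAULT HTTP/1.1" 200 5123
203.0.113.7 - - [02/Jun/2026:10:16:44 +0000] "POST /PSEMHUB/hub HTTP/1.1" 200 88
198.51.100.23 - - [02/Jun/2026:10:17:02 +0000] "GET /PSEMHUB/hub/x1.jsp HTTP/1.1" 200 512
192.168.5.9 - - [02/Jun/2026:10:18:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 88
"""

# Common Log Format: client ip, ident, user, [timestamp], "method path proto", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: only RFC 1918 ranges count as internal environment-management traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip_str):
    """True if the address parses and falls inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_external_psemhub_requests(log_text, prefix="/PSEMHUB"):
    """Return (ip, timestamp, method, path, status) for requests to `prefix`
    that did not originate from an internal address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable lines deserve a manual look but are not matched here
        if not m["path"].upper().startswith(prefix.upper()):
            continue
        if is_internal(m["ip"]):
            continue
        hits.append((m["ip"], m["ts"], m["method"], m["path"], int(m["status"])))
    return hits


def find_unexpected_jsp(webapp_dir, baseline):
    """Walk webapp_dir and return relative paths of JSP files absent from baseline."""
    unexpected = []
    for root, _dirs, files in os.walk(webapp_dir):
        for name in files:
            if name.lower().endswith(".jsp"):
                rel = os.path.relpath(os.path.join(root, name), webapp_dir).replace(os.sep, "/")
                if rel not in baseline:
                    unexpected.append(rel)
    return sorted(unexpected)


def demo():
    """Run both checks against constructed data; returns (log_hits, unexpected_jsp)."""
    hits = find_external_psemhub_requests(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "hub"))
        for rel in ("index.jsp", "hub/status.jsp", "hub/x1.jsp"):
            with open(os.path.join(d, rel), "w"):
                pass
        baseline = {"index.jsp", "hub/status.jsp"}  # assumed known-good inventory
        unexpected = find_unexpected_jsp(d, baseline)
    return hits, unexpected


if __name__ == "__main__":
    log_hits, rogue_jsp = demo()
    for hit in log_hits:
        print("external PSEMHUB request:", hit)
    for path in rogue_jsp:
        print("JSP not in baseline:", path)
```

On a real deployment, point `find_external_psemhub_requests` at the WebLogic `access.log` and `find_unexpected_jsp` at the deployed PSEMHUB web application directory, and build the baseline from a clean installation or a trusted backup rather than from the live host; a JSP file that is missing from the baseline is a lead for incident response, not proof of compromise on its own.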

The implications of this breach extend beyond immediate data loss; they threaten the privacy and security of countless students and staff within the affected institutions. As cyber threats continue to evolve, the need for robust defense mechanisms and rapid incident response strategies has become paramount. Ensuring cybersecurity in education is not merely an option but an essential safeguard for maintaining trust and integrity in the academic environment.