Google uncovers active ShinyHunters campaign targeting university systems
Posted: Friday, Jun 12
  • KBI.Media

Google has warned of an active cyber extortion campaign targeting Oracle PeopleSoft environments, with universities emerging as the primary victims.

Researchers from Google Threat Intelligence Group (GTIG) and Mandiant attributed the activity to ShinyHunters, a cybercriminal group already known for a string of high-profile data theft and extortion operations. The campaign exploited a critical vulnerability in Oracle PeopleSoft before a patch was available, allowing attackers to compromise enterprise systems used for finance, human resources and administration.

According to Google’s findings, 68 per cent of identified victims were higher education institutions. The company said it notified more than 100 organisations after detecting vulnerable systems exposed to the internet.

The attacks occurred between late May and early June and involved the deployment of customised remote management tools disguised as legitimate cloud infrastructure. Researchers believe the threat actors used the access to conduct reconnaissance, execute commands and support broader extortion activity.

The incident is the latest sign that the education sector remains a lucrative target for cybercriminals. Universities and colleges often manage vast amounts of personal information while operating complex technology environments that can be difficult to secure consistently.

The campaign also reflects an evolution in ShinyHunters’ tactics. Earlier this year, the group was linked to attacks against education technology provider Instructure and the Canvas learning management system, where attackers claimed to have stolen large quantities of student and institutional data.

For Australian universities, the findings provide a timely reminder of the importance of patch management and visibility across enterprise application environments. While many organisations focus heavily on endpoint and identity security, attackers continue to seek opportunities within business-critical applications that often contain some of the most valuable data in the organisation.

Google recommends that organisations running PeopleSoft immediately apply Oracle’s latest security updates and investigate systems for indicators of compromise associated with the campaign.

The broader lesson is clear: as cybercriminal groups continue to diversify their techniques, institutions must be prepared to defend not only users and endpoints, but also the enterprise platforms that keep the organisation running.
