SyncWave Blog
Cybersecurity 2 min read 85

ShinyHunters exploits Oracle PeopleSoft vulnerability: The new hack

The ShinyHunters group is leveraging a zero-day in Oracle PeopleSoft to target universities and demand ransoms through extortion tactics.

The new hack shaking educational institutions

Security in enterprise management systems has once again been called into question following the revelation of a malicious campaign executed by the extortion group ShinyHunters. This time, the primary targets were universities, whose systems were compromised by exploiting a zero-day vulnerability in Oracle PeopleSoft software.

The incident, identified under code CVE-2026-35273, allowed attackers to access sensitive information, steal data, and subsequently demand payment to prevent its public release. These types of ransomware and extortion attacks remain a critical threat, similar to what we have seen recently with other groups in the sector, as analyzed in our report on "The Gentlemen: El ascenso del nuevo gigante del ransomware".

Attack analysis: Chronology of a critical flaw

According to investigations by Mandiant (Google), the group responsible for these intrusions is tracked under the designation UNC6240. The malicious activity was concentrated in a critical period between May 27 and June 9.

The attacker's window of opportunity

The most concerning aspect of this incident is the time lag between the active exploitation and the manufacturer's response:

  • Attack start: May 27.
  • Patch release: Oracle issued its official advisory on June 10.
  • Consequence: For nearly two weeks, the attackers operated unopposed, as the vulnerability had no available fix, leaving institutions completely exposed.

"The use of zero-day flaws by groups like ShinyHunters demonstrates increasing sophistication in the attack supply chain, prioritizing sectors with large volumes of personal data," analysts point out.

Lessons learned in cybersecurity

This event underscores the need to maintain constant vigilance over critical infrastructure updates. As with recent alerts where the "CISA warns of new vulnerabilities in Cisco and Chrome under attack", the speed of patch application is the only effective defense against groups that exploit flaws before they become public knowledge.

The attackers' strategy is no longer limited to file encryption; it has evolved toward data exfiltration, a psychological and financial pressure tactic that forces organizations to rethink their incident response protocols. In this context, prevention must involve proactive network log monitoring and strict segmentation of management databases.

Share:

Comments

Loading comments...

Contact

Want to get in touch?

Questions, suggestions or proposals — write to us and we will respond.