
ShinyHunters Targeting Oracle ERP: Higher Ed Defense and Detection Guide

Security Arsenal Team
June 14, 2026

Introduction

The higher education sector is currently facing a concerted assault from the threat actor known as ShinyHunters. Recent intelligence confirms that this group is actively leveraging an unpatched vulnerability in Oracle's ERP software to compromise university networks. The objective is clear: the theft of sensitive intellectual property, research data, and Personally Identifiable Information (PII) of students and staff.

For SOC analysts and CISOs in the education vertical, this is not a theoretical risk. The campaign is active, and the gap between compromise and detection is narrowing. Defenders must assume that unpatched Oracle ERP instances—particularly those exposed to the internet—are already being probed or exploited. This post provides the technical context and detection artifacts necessary to identify and remediate this threat immediately.

Technical Analysis

Affected Products and Platforms

  • Product: Oracle ERP (specifically Oracle PeopleSoft/PeopleSoft Enterprise)
  • Platform: Web-based applications running on Oracle WebLogic or similar application servers, typically hosted on Linux or Windows.
  • Threat Actor: ShinyHunters (known for data extortion and marketplace sales).

Vulnerability and Exploitation Status

  • Vulnerability: An unpatched flaw in the Oracle ERP web interface. (Specific CVE identifiers are pending vendor disclosure; this post addresses the active exploitation of the underlying flaw).
  • CVSS Score: Critical (Estimated >9.0 based on the ease of remote code execution and impact).
  • Exploitation Status: Confirmed Active Exploitation. ShinyHunters is currently leveraging this bug to gain unauthorized access to student databases and research repositories.

Attack Chain (Defender's Perspective)

  1. Initial Access: The actor scans for internet-facing Oracle ERP instances. They exploit the unpatched vulnerability to bypass authentication or gain remote code execution (RCE) via the web interface.
  2. Persistence: A webshell is often dropped into the web directory to maintain access, even if the underlying vulnerability is patched later.
  3. Discovery: The actor enumerates the database schema, specifically targeting tables containing PII, grades, and financial aid data.
  4. Exfiltration: Large-scale data dumping is performed, often using native database export tools or custom scripts invoked via the webshell.

Detection & Response

Sigma Rules

The following Sigma rules detect the webshell activity and process anomalies associated with this campaign.

YAML
---
title: Potential Oracle ERP Webshell Activity - Linux
id: 8a2b4c1d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the Oracle WebLogic/PeopleSoft Java process spawning a shell, a common indicator of webshell or RCE exploitation.
references:
 - https://attack.mitre.org/techniques/T1505/003
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.persistence
 - attack.webshell
 - attack.t1505.003
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|contains:
     - 'java'
     - 'weblogic'
   Image|endswith:
     - '/sh'
     - '/bash'
     - '/zsh'
 condition: selection
falsepositives:
 - Legitimate administrative debugging by authorized staff
level: critical
---
title: Potential Oracle ERP Webshell Activity - Windows
id: 9c3d5e2f-6f7a-5b4c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the Oracle WebLogic/PeopleSoft process (java.exe or weblogic.cmd) spawning cmd.exe or PowerShell, indicative of RCE.
references:
 - https://attack.mitre.org/techniques/T1059
author: Security Arsenal
date: 2026/04/06
tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1059.003
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|contains:
     - 'java.exe'
     - 'weblogic'
   Image|endswith:
     - '\cmd.exe'
     - '\powershell.exe'
 condition: selection
falsepositives:
 - Rare administrative maintenance
level: critical
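As an added example that is not part of the original post or the Security Arsenal rule set, the matcher below transcribes the two Sigma selections (ParentImage|contains together with Image|endswith) into Python and runs them over constructed process-creation events. The field names follow Sigma's process_creation taxonomy; the sample events are made up, and the last one shows why the Linux rule does not fire on ssh even though its name ends in "sh".

```python
"""Apply the two Sigma selections above to sample process-creation events.

Added example, not the page's own code: a minimal matcher for the
ParentImage|contains / Image|endswith logic, run over constructed events.
"""

# Rule logic transcribed from the two Sigma rules: parent image contains one
# of parent_contains AND child image ends with one of image_endswith.
RULES = {
    "linux": {
        "parent_contains": ("java", "weblogic"),
        "image_endswith": ("/sh", "/bash", "/zsh"),
    },
    "windows": {
        "parent_contains": ("java.exe", "weblogic"),
        "image_endswith": ("\\cmd.exe", "\\powershell.exe"),
    },
}


def matches(event: dict, product: str) -> bool:
    """Return True when the event satisfies the Sigma selection for `product`.

    Sigma string modifiers are case-insensitive, so both sides are lowered.
    """
    rule = RULES[product]
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    return any(n in parent for n in rule["parent_contains"]) and any(
        image.endswith(s.lower()) for s in rule["image_endswith"]
    )


def hunt(events: list[dict]) -> list[str]:
    """Return the EventIds of events matching the rule for their own product."""
    return [e["EventId"] for e in events if matches(e, e["product"])]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventId": "ev1", "product": "linux",
     "ParentImage": "/u01/app/oracle/jdk/bin/java", "Image": "/bin/sh",
     "CommandLine": "/bin/sh -c id"},
    {"EventId": "ev2", "product": "linux",
     "ParentImage": "/usr/sbin/cron", "Image": "/bin/bash",
     "CommandLine": "/bin/bash /etc/cron.daily/logrotate"},
    {"EventId": "ev3", "product": "windows",
     "ParentImage": "C:\\Oracle\\jdk\\bin\\java.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventId": "ev4", "product": "windows",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File backup.ps1"},
    # ssh ends in "sh" but not in "/sh", so the Linux rule correctly ignores it
    {"EventId": "ev5", "product": "linux",
     "ParentImage": "/u01/app/oracle/jdk/bin/java", "Image": "/usr/bin/ssh",
     "CommandLine": "ssh backup-host"},
]

if __name__ == "__main__":
    for eid in hunt(SAMPLE_EVENTS):
        print("ALERT", eid)
```

Only ev1 (java spawning /bin/sh) and ev3 (java.exe spawning cmd.exe) fire; cron spawning bash and explorer spawning PowerShell are the benign parent/child pairs the rules deliberately exclude.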

KQL (Microsoft Sentinel / Defender)

This hunt query looks for suspicious HTTP POST requests to Oracle ERP endpoints that result in high bytes sent, indicative of data exfiltration.

KQL — Microsoft Sentinel / Defender
let DataExfilThreshold = 5000000; // 5MB
CommonSecurityLog
| where DeviceVendor in ("Oracle", "Imperva", "F5") or ApplicationProtocol =~ "HTTP"
| where RequestURL contains "/psp/" or RequestURL contains "/psc/" or RequestURL contains "PeopleSoft"
| where RequestMethod == "POST"
| where SentBytes > DataExfilThreshold
| project TimeGenerated, SourceIP, DestinationIP, RequestURL, SentBytes, DeviceAction
| order by TimeGenerated desc
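The KQL above fires on a single POST larger than 5 MB. The added example below (not the page's own code) reproduces that per-request check over constructed CommonSecurityLog-style records and goes one step further: it sums SentBytes per SourceIP over a sliding 10-minute window, so a dump split into many sub-threshold requests still surfaces. The window length and the 20 MB window threshold are assumptions for the example; the PeopleSoft path markers and the 5 MB per-request threshold are those used in the query.

```python
"""Flag likely bulk data pulls from PeopleSoft endpoints in HTTP proxy/WAF logs.

Added example, not the page's own code: the per-request check from the KQL
hunt plus a per-source sliding-window sum that catches chunked exfiltration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PS_PATHS = ("/psp/", "/psc/", "peoplesoft")   # endpoint markers from the KQL
PER_REQUEST_THRESHOLD = 5_000_000             # 5 MB, as in the KQL
WINDOW = timedelta(minutes=10)                # assumed window length
WINDOW_THRESHOLD = 20_000_000                 # assumed: 20 MB per source per window


def is_peoplesoft_post(rec: dict) -> bool:
    """POST to a PeopleSoft-looking path (case-insensitive, like KQL contains)."""
    url = rec["RequestURL"].lower()
    return rec["RequestMethod"] == "POST" and any(p in url for p in PS_PATHS)


def large_requests(records: list[dict]) -> list[dict]:
    """Per-request check equivalent to the KQL's SentBytes > threshold filter."""
    return [r for r in records
            if is_peoplesoft_post(r) and r["SentBytes"] > PER_REQUEST_THRESHOLD]


def windowed_sources(records: list[dict]) -> dict[str, int]:
    """Sum SentBytes per SourceIP over a sliding window.

    Returns {source_ip: peak_bytes_in_any_window} for sources over the limit.
    """
    per_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["TimeGenerated"]):
        if is_peoplesoft_post(r):
            per_src[r["SourceIP"]].append((r["TimeGenerated"], r["SentBytes"]))
    offenders = {}
    for src, hits in per_src.items():
        start, running, peak = 0, 0, 0
        for t, b in hits:
            running += b
            # evict requests that fell out of the window ending at t
            while hits[start][0] < t - WINDOW:
                running -= hits[start][1]
                start += 1
            peak = max(peak, running)
        if peak > WINDOW_THRESHOLD:
            offenders[src] = peak
    return offenders


def _rec(minute: int, src: str, url: str, method: str, sent: int) -> dict:
    """One constructed CommonSecurityLog-like record (sample data, not real logs)."""
    return {"TimeGenerated": datetime(2026, 6, 1, 9, minute), "SourceIP": src,
            "RequestURL": url, "RequestMethod": method, "SentBytes": sent}


SAMPLE_LOG = (
    # one 8 MB POST: caught by the per-request rule
    [_rec(0, "203.0.113.10", "/psp/ps/EMPLOYEE/HRMS/c/QUERY.GBL", "POST", 8_000_000)]
    # eight 3 MB POSTs in eight minutes: each under 5 MB, 24 MB in total
    + [_rec(m, "198.51.100.7", "/psc/ps/EMPLOYEE/HRMS/q/?ICAction=export",
            "POST", 3_000_000) for m in range(1, 9)]
    # a large GET and a POST to a non-PeopleSoft path: both ignored
    + [_rec(5, "192.0.2.44", "/psp/ps/EMPLOYEE/HRMS/h/", "GET", 9_000_000),
       _rec(6, "192.0.2.44", "/static/logo.png", "POST", 9_000_000)]
)

if __name__ == "__main__":
    for r in large_requests(SAMPLE_LOG):
        print("LARGE POST", r["SourceIP"], r["SentBytes"])
    for src, peak in windowed_sources(SAMPLE_LOG).items():
        print("WINDOW", src, peak)
```

The per-request rule reports only 203.0.113.10; the windowed sum is what catches 198.51.100.7, whose individual requests never exceed 5 MB.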

Velociraptor VQL

This artifact hunts for suspicious files in the web directories commonly used by Oracle PeopleSoft, looking for recently modified scripts (JSP, JS, PHP) that could be webshells.

VQL — Velociraptor
-- Hunt for recently modified, small script files (JSP, JS, PHP) in Oracle web directories
SELECT FullPath, Mtime, Atime, Size, Mode
FROM glob(globs=[
    "/u01/app/**/*.[jJ][sS][pP]",
    "/u01/app/**/*.[jJ][sS]",
    "/u01/app/**/*.[pP][hH][pP]"])
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)  -- files modified in the last 7 days
  AND Size < 5000                                  -- webshells are often small

Remediation Script (Bash)

Use this script on Linux-based Oracle ERP servers to hunt for common webshell indicators: recently modified script files under the web directories and shell processes whose parent is the Java application server process.

Bash / Shell
#!/bin/bash
# Hunt for potential webshells in Oracle PeopleSoft directories
# Requires root privileges to read all web directories and to see all processes

echo "[+] Checking for recently modified JSP/JS/PHP files in web directories..."

# Define common web paths (adjust based on your specific deployment)
WEB_PATHS=("/u01/app" "/opt/Oracle" "/usr/local/bea")

for path in "${WEB_PATHS[@]}"; do
  if [ -d "$path" ]; then
    echo "Scanning $path..."
    # Find files modified in the last 48 hours ending in .jsp, .js or .php
    find "$path" -type f -mtime -2 \( -name "*.jsp" -o -name "*.js" -o -name "*.php" \) -exec ls -lh {} +
  fi
done

echo "[+] Checking for active shell processes parented by Java..."
# "ps aux" does not show the parent PID, so build pid -> ppid and pid -> command
# maps from explicit columns and print every shell whose parent command is java.
ps -eo pid=,ppid=,comm=,args= | awk '
  { ppid[$1] = $2; comm[$1] = $3; line[$1] = $0 }
  END {
    for (p in comm)
      if (comm[p] ~ /^(sh|bash|zsh|dash)$/ && comm[ppid[p]] ~ /java/)
        print line[p]
  }'

echo "[+] Review complete. Inspect the output above for anomalies."
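Both the VQL artifact and the Bash script flag any script file that is recent and small, which is noisy on a host that was just redeployed. The added example below (not the page's own code) shows the complementary approach a responder would usually pair with them: hash every script file under the web root after a known-clean deploy, then report only files that are new or changed relative to that baseline, annotating each hit with whether it also meets the "recent and small" heuristic. The directory layout, file names and contents are constructed for the demo and stand in for a real PeopleSoft web root.

```python
"""Baseline-and-diff hunt for unexpected script files under a PeopleSoft web root.

Added example, not the page's own code. The VQL and Bash hunts report any
recently modified script; this version hashes a known-good snapshot so that
only new or changed files are reported, then tags each with the same
"recent and small" heuristic. All paths and contents are constructed.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

SCRIPT_SUFFIXES = {".jsp", ".js", ".php"}   # same extensions as the Bash hunt


def sha256_file(p: Path) -> str:
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Hash every script file under root; keep this snapshot off-box after a clean deploy."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES}


def find_suspects(root: Path, baseline: dict[str, str],
                  max_age_s: int = 48 * 3600, max_size: int = 5000) -> list[dict]:
    """Return script files that are new or changed versus the baseline.

    Each hit records why it was flagged ('new' or 'modified') and whether it
    also meets the recent-and-small heuristic used by the page's VQL/Bash hunts.
    """
    now = time.time()
    hits = []
    for p in root.rglob("*"):
        if not p.is_file() or p.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        rel = p.relative_to(root).as_posix()
        if baseline.get(rel) == sha256_file(p):
            continue   # unchanged since the clean snapshot
        st = p.stat()
        hits.append({
            "path": rel,
            "reason": "new" if rel not in baseline else "modified",
            "recent_and_small": (now - st.st_mtime) < max_age_s and st.st_size < max_size,
        })
    return sorted(hits, key=lambda h: h["path"])


def demo() -> list[dict]:
    """Build a constructed web tree, baseline it, plant changes, and re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        app = root / "PORTAL" / "pt"          # constructed layout, not a real deployment
        app.mkdir(parents=True)
        (app / "signon.jsp").write_text("<%-- constructed placeholder page --%>\n")
        (app / "app.js").write_text("console.log('constructed');\n")
        (app / "README.txt").write_text("not a script\n")
        baseline = build_baseline(root)
        # What a later scan might see: one tampered file, one dropped file.
        (app / "app.js").write_text("console.log('constructed, but changed');\n")
        (app / "cache.jsp").write_text("<%-- constructed: new file not in baseline --%>\n")
        # Backdate the tampered file so it falls outside the 48 h window,
        # which the baseline diff still catches but the mtime heuristic alone would miss.
        old = time.time() - 10 * 86400
        os.utime(app / "app.js", (old, old))
        return find_suspects(root, baseline)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The unchanged signon.jsp is not reported at all, cache.jsp is reported as new and recent-and-small, and the backdated app.js is still reported as modified even though its timestamp alone would not have flagged it.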

Remediation

Given the active exploitation status, immediate remediation is required:

  1. Apply Patches Immediately: Review the Oracle Critical Patch Update (CPU) released in Q1 2026. Apply the specific patches for the Oracle ERP/PeopleSoft vulnerability identified in your environment.
  2. Network Segmentation: Ensure Oracle ERP administration panels and web interfaces are not directly accessible from the internet. Enforce strict Zero Trust access controls via VPN or IdP with MFA.
  3. Webshell Assessment: Assume compromise if systems were unpatched. Conduct a thorough scan of web directories using the provided VQL or Bash scripts to identify and remove malicious artifacts.
  4. Credential Rotation: If exploitation is confirmed, rotate all database credentials and API keys associated with the ERP system immediately.
  5. Vendor Advisory: Refer to the official Oracle Security Alert for the specific patch numbers and implementation guides.
