Nissan Confirms Data Breach Following Oracle PeopleSoft 0-Day Attacks
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Nissan Americas has officially confirmed a data breach affecting current and former employees across four countries after threat actors exploited a critical zero-day vulnerability in Oracle PeopleSoft software, a campaign attributed to the ShinyHunters extortion group.<\/p>\n
The attack stems from CVE-2026-35273<\/a>, a CVSS 9.8-rated unauthenticated Server-Side Request Forgery (SSRF)-to-Remote Code Execution (RCE) vulnerability residing in the Updates Environment Management (PSEMHUB) component of Oracle PeopleSoft PeopleTools versions 8.61 and 8.62.<\/p>\n The flaw requires no authentication, no user interaction, and is exploitable over plain HTTP, meaning any attacker with network reach to a vulnerable instance could achieve full remote code execution. Oracle issued an emergency out-of-band security patch on June 10, 2026, and the vulnerability was added to CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog just two days later.<\/p>\n Mandiant and Google\u2019s Threat Intelligence Group (GTIG) attribute the campaign to UNC6240 (ShinyHunters)<\/a>, a financially motivated cybercrime collective also tracked as Bling Libra.<\/p>\n Exploitation was observed as early as\u00a0May 27, 2026,\u00a0more than two weeks before Oracle\u2019s advisory, with the group compromising over\u00a0300 PeopleSoft instances across 100+ organizations worldwide\u00a0using automated attack scripts.<\/p>\n According to breach notifications filed<\/a> with the California Attorney General\u2019s Office, Nissan Americas confirmed it was specifically singled out within the broader campaign. The breach window spans May 27 to June 9, 2026, and potentially exposed sensitive employee data including:<\/p>\n The incident is believed to impact current and former Nissan employees in the United States, Canada, Mexico, and Brazil.<\/p>\n Nissan activated its incident response protocols immediately upon notification, engaging external cybersecurity specialists and cooperating with law enforcement authorities.<\/p>\n As a containment measure, the company restricted payroll system access, including pay slip viewing and direct deposit changes, to corporate network computers or secure VPN connections, with additional identity authentication layers implemented before processing payroll requests. Nissan is also arranging free credit and dark web monitoring services for affected individuals where available.<\/p>\n Mandiant\u2019s analysis reveals that ShinyHunters deployed MeshCentral remote management agents on compromised hosts, disguising them as legitimate Microsoft Azure services (e.g., Post-exploitation activity included internal PeopleSoft configuration reconnaissance, lateral movement scripting, and data exfiltration using zstd compression. Compromised servers were marked with a ransom note file named Organizations running PeopleTools 8.61 or 8.62 should treat patching as an emergency priority. Beyond patching, Rapid7 and Mandiant recommend:<\/p>\n This marks the second CVSS 9.8 Oracle ERP zero-day exploited in under eight months, following Cl0p\u2019s abuse of CVE-2025-61882 in Oracle E-Business Suite beginning in August 2025 \u2014 a pattern that signals ERP platforms have become primary industrialized targets for organized extortion operations.<\/p>\n \u00a0Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations.\u00a0-> Integrate ANY.RUN With Your SOC <\/a>Now<\/a><\/strong>.<\/strong><\/p>\n The post Nissan Confirms Data Breach Following Oracle PeopleSoft 0-Day Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nNissan Confirms Data Breach<\/strong><\/h2>\n
\n
meshagent64-azure-ops.exe<\/code>) with C2 communications routed to wss:\/\/azurenetfiles[.]net:443\/agent.ashx<\/code>.<\/p>\nREADME-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT<\/code>.<\/p>\nKey Indicators of Compromise (IOCs)<\/strong><\/h2>\n
\n\n
\n \nType<\/th>\n Indicator<\/th>\n Description<\/th>\n<\/tr>\n<\/thead>\n \n IP<\/td>\n 142.11.200[.]186\u2013190<\/code><\/td>\nStaging\/C2 infrastructure<\/td>\n<\/tr>\n \n Domain<\/td>\n azurenetfiles[.]net<\/code><\/td>\nC2 masquerading as Azure<\/td>\n<\/tr>\n \n SHA-256<\/td>\n f02a924c9ff92a8780ce812511341182...<\/code><\/td>\nmeshagent64-azure-ops.exe<\/code><\/td>\n<\/tr>\n\n URL Path<\/td>\n \/PSEMHUB\/hub<\/code><\/td>\nExploitation endpoint<\/td>\n<\/tr>\n \n URL Path<\/td>\n \/PSIGW\/HttpListeningConnector<\/code><\/td>\nSSRF exploitation endpoint<\/td>\n<\/tr>\n \n File<\/td>\n README-IF-YOU-SEE-THIS-YOUVE-BEEN-HACKED.TXT<\/code><\/td>\nExtortion marker<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Mitigations<\/strong><\/h2>\n
\n
\/PSEMHUB\/*<\/code> and \/PSIGW\/HttpListeningConnector<\/code> at the network perimeter<\/li>\n