Satyam Rastogi

Posted on • Originally published at satyamrastogi.com

Oracle PeopleSoft Supply Chain Compromise: Nissan & 99 Targets


Attackers exploited Oracle PeopleSoft vulnerabilities to breach 100+ organizations including Nissan. Analysis of attack infrastructure, credential theft TTPs, and supply chain persistence mechanisms.


Executive Summary

Oracle PeopleSoft deployments across at least 100 organizations have been compromised in a coordinated supply chain attack. Nissan's employee data exposure confirms the campaign's scope extends into automotive manufacturing and global supply chains. From an offensive perspective, this represents a masterclass in targeting centralized identity management systems that serve as the crown jewel for lateral movement, credential harvesting, and persistent access.

PeopleSoft instances are high-value targets because they contain the complete employee directory, compensation data, benefits enrollment details, and typically integrate with single sign-on (SSO) infrastructure. Attackers who achieve code execution on PeopleSoft app servers gain access to the authentication tokens, session management, and identity federation systems that control enterprise network access.

Attack Vector Analysis

PeopleSoft compromises typically follow one of three exploitation chains:

1. Pre-Authentication RCE via Unsafe Deserialization

Oracle PeopleSoft has a documented history of unsafe Java object deserialization vulnerabilities in its HTTP request handlers. The attack surface includes:

  • PSServer communication protocols that deserialize untrusted serialized Java objects
  • HTTP listener endpoints that accept serialized payloads without proper validation
  • Integration broker message queues that process deserialized objects from external systems

This aligns with MITRE ATT&CK T1190 (Exploit Public-Facing Application) and T1048 (Exfiltration Over Alternative Protocol).

2. Credential Harvesting via LDAP/SSO Integration

Once RCE is achieved on the app server, attackers have direct access to:

  • In-memory user sessions and authentication tokens
  • LDAP/Active Directory service account credentials stored in configuration files
  • OAuth/OpenID Connect client secrets used for federated identity
  • Password hashes in the PeopleSoft user table (typically salted, but subject to offline cracking)

This maps to MITRE ATT&CK T1555 (Credentials from Password Managers) and T1110 (Brute Force).

3. Lateral Movement via Identity Federation

Compromised service accounts in PeopleSoft often hold elevated permissions in downstream systems:

  • HR data export to Workday, SuccessFactors, or ADP
  • Payroll system integrations with banking infrastructure
  • Benefits enrollment connections to insurance carriers
  • Employee directory synchronization to Microsoft Entra ID (Azure AD)

This represents MITRE ATT&CK T1078 (Valid Accounts) and T1550 (Use Alternate Authentication Material).

Technical Deep Dive

PeopleSoft Session Hijacking

Once network access to PeopleSoft is achieved (either via external RCE or internal pivoting), attackers can harvest session cookies:

GET /psc/csprod/EMPLOYEE/HRMS/c/NUI_FRAMEWORK.CNT_CREF:PORTAL_ROOT_OBJECT.TabularSectionLevelOne HTTP/1.1
Host: peoplesoft.nissan.internal
Connection: keep-alive
Cookie: PS_TOKENEXPIRE=1234567890; PS_TOKEN=ABCD1234...; PSESSIONID=XYZ789

# Response headers reveal backend infrastructure:
Set-Cookie: PS_LOGINLIST=...; Path=/psc/
Server: PeopleSoft
X-PS-VERSION: 8.62.3

Session cookies in PeopleSoft 8.x versions often lack sufficient entropy and can be brute-forced or cracked offline if the session management algorithm is known.

LDAP Service Account Extraction

In web.xml and domain configuration files, LDAP credentials are often stored in plaintext or ROT13 encoding:

<!-- $PS_HOME/webserv/[domain]/web.xml -->
<init-param>
 <param-name>ldapUserPassword</param-name>
 <param-value>ENC(rO1sK3xL9mQ...)</param-value>
</init-param>

Oracle uses its own encryption scheme for PeopleSoft configuration; the encryption keys are typically stored in the same config files or hardcoded in the application JAR files. Once the encryption algorithm is reverse-engineered (which occurred in 2018), decryption becomes trivial.
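The defensive counterpart to the extraction described above is an audit of the configuration files themselves: find every credential-bearing init-param and classify how it is stored. The following script is an added example written for this page; it is not Oracle code and not tooling from the original post. The web.xml fragment is constructed sample data, and the `${...}` form used to mean "resolved from an external secret store at start-up" is an assumed convention, not a PeopleSoft feature.

```python
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment in the shape of a PIA servlet config.
# Parameter names and values are sample data, not from a real deployment.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app>
  <servlet>
    <servlet-name>psp</servlet-name>
    <init-param>
      <param-name>ldapUserName</param-name>
      <param-value>CN=svc_psft,OU=Service,DC=corp,DC=example</param-value>
    </init-param>
    <init-param>
      <param-name>ldapUserPassword</param-name>
      <param-value>ENC(rO1sK3xL9mQ...)</param-value>
    </init-param>
    <init-param>
      <param-name>dbPassword</param-name>
      <param-value>Summer2024!</param-value>
    </init-param>
    <init-param>
      <param-name>oauthClientSecret</param-name>
      <param-value>${vault:psft/oauth/client_secret}</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Parameter names that usually carry a credential.
SECRET_NAME = re.compile(r"password|passwd|pwd|secret|token|apikey|privatekey", re.IGNORECASE)

# Assumed convention: ${...} values are resolved at start-up from a secret
# store or environment variable, so nothing usable is written to disk.
EXTERNAL_REF = re.compile(r"^\$\{[^}]+\}$")
# Reversible wrapper in the style of the ENC(...) value shown on this page.
REVERSIBLE = re.compile(r"^ENC\(.*\)$", re.DOTALL)

SEVERITY = {
    "plaintext": "high",               # readable by anyone who can read the file
    "reversible-encrypted": "medium",  # decryptable with the co-located key
    "empty": "info",
    "external-reference": "ok",
}

def classify_value(value: str) -> str:
    v = value.strip()
    if not v:
        return "empty"
    if EXTERNAL_REF.match(v):
        return "external-reference"
    if REVERSIBLE.match(v):
        return "reversible-encrypted"
    return "plaintext"

def audit_init_params(xml_text: str) -> list:
    """Return one finding per credential-bearing <init-param>, worst first."""
    root = ET.fromstring(xml_text)
    findings = []
    for param in root.iter("init-param"):
        name = (param.findtext("param-name") or "").strip()
        value = param.findtext("param-value") or ""
        if not SECRET_NAME.search(name):
            continue
        storage = classify_value(value)
        findings.append({"name": name, "storage": storage, "severity": SEVERITY[storage]})
    order = ["high", "medium", "info", "ok"]
    findings.sort(key=lambda f: order.index(f["severity"]))
    return findings

if __name__ == "__main__":
    for f in audit_init_params(SAMPLE_WEB_XML):
        print(f"{f['severity']:6} {f['name']}: {f['storage']}")
```

Run it against `$PS_HOME/webserv/<domain>/web.xml` and the other files named in the takeaways section; anything rated `high` or `medium` is a rotation candidate, because the ENC(...) form only protects against a casual read, not against an attacker who already has the JARs.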

Credential Exfiltration via SQL

If direct database access is obtained, attackers can dump the PSOPRDEFN (user profile) table:

SELECT OPRID, PASSWORD, PSWD_ENCRYPT_KEY, EMAIL_ADDR, EMPLID
FROM PSOPRDEFN
WHERE OPRID NOT LIKE '%GUEST%'
AND PASSWORD IS NOT NULL;

The PASSWORD field contains salted hashes. With modern GPU cracking, 8-character PeopleSoft passwords are typically cracked within hours.

Detection Strategies

Log Analysis

Web Server Access Logs:

  • Monitor for POST requests to /psc/[domain]/ with suspicious Content-Type headers (application/x-java-serialized-object)
  • Watch for rapid sequential requests to framework endpoints from single IPs
  • Alert on UserAgent variations attempting to bypass WAF signatures

PeopleSoft Audit Log Queries:

SELECT LOGDTTM, USERID, OPRID, TEXT1, TEXT2
FROM PSAUDIT_BIN
WHERE EVENTID IN ('000000', '000002')
AND LOGDTTM > trunc(sysdate) - 7
ORDER BY LOGDTTM DESC;

Look for:

  • Bulk data exports by service accounts
  • User creation events from non-administrative IPs
  • Password reset events without corresponding user requests
  • Failed login attempts followed by successful authentication from different IP
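Two of the indicators in the list above (a run of failed logins followed by a success from a different IP, and a password reset with no matching request) are easy to turn into code once the audit rows are normalised into (time, user, event, source IP). The script below is an added example, not part of the original post or of any PeopleSoft tooling; the event names, the sample rows and the `APPROVED_RESET_TICKETS` set are all constructed, and the idea that a reset carries a helpdesk ticket id is an assumption about how your own process records approvals.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    oprid: str
    event: str                   # "login_failed" | "login_success" | "password_reset"
    src_ip: str
    ticket: Optional[str] = None # helpdesk request attached to a reset, if any

# Constructed sample events, shaped like normalised audit rows. Not real data.
EVENTS = [
    AuthEvent(datetime(2024, 5, 1, 9, 0, 0),  "JSMITH",     "login_failed",   "10.1.1.5"),
    AuthEvent(datetime(2024, 5, 1, 9, 0, 30), "JSMITH",     "login_failed",   "10.1.1.5"),
    AuthEvent(datetime(2024, 5, 1, 9, 1, 10), "JSMITH",     "login_failed",   "10.1.1.5"),
    AuthEvent(datetime(2024, 5, 1, 9, 3, 0),  "JSMITH",     "login_success",  "203.0.113.9"),
    AuthEvent(datetime(2024, 5, 1, 10, 0, 0), "ADOE",       "login_failed",   "10.1.2.7"),
    AuthEvent(datetime(2024, 5, 1, 10, 0, 20),"ADOE",       "login_success",  "10.1.2.7"),
    AuthEvent(datetime(2024, 5, 1, 11, 0, 0), "SVC_HRSYNC", "password_reset", "10.1.3.3"),
    AuthEvent(datetime(2024, 5, 1, 11, 5, 0), "BLEE",       "password_reset", "10.1.3.3", ticket="INC-4411"),
]
# Assumed: approved reset requests are known by ticket id (constructed value).
APPROVED_RESET_TICKETS = {"INC-4411"}

def failed_then_success_from_new_ip(events, min_failures=3, window=timedelta(minutes=10)):
    """Flag a successful login preceded by >= min_failures failures for the same
    user inside `window`, where at least one failure came from a different IP.
    Returns (oprid, success_ip, failure_count) tuples."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.oprid].append(e)
    findings = []
    for oprid, evs in by_user.items():
        for i, e in enumerate(evs):
            if e.event != "login_success":
                continue
            recent_failures = [f for f in evs[:i]
                               if f.event == "login_failed" and e.ts - f.ts <= window]
            if (len(recent_failures) >= min_failures
                    and any(f.src_ip != e.src_ip for f in recent_failures)):
                findings.append((oprid, e.src_ip, len(recent_failures)))
    return findings

def resets_without_request(events, approved_tickets):
    """Password resets that carry no approved helpdesk ticket."""
    return [(e.oprid, e.ts) for e in events
            if e.event == "password_reset" and e.ticket not in approved_tickets]

if __name__ == "__main__":
    print(failed_then_success_from_new_ip(EVENTS))
    print(resets_without_request(EVENTS, APPROVED_RESET_TICKETS))
```

The ADOE row pair is deliberately below the failure threshold so the rule does not fire on an ordinary typo; tune `min_failures` and `window` to your own baseline before alerting on it.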

Network Detection

  • IDS/IPS: Monitor for Java serialization magic bytes (0xaced0005) in HTTP POST bodies
  • Egress filtering: PeopleSoft should not initiate outbound connections to arbitrary external IPs
  • SSL/TLS inspection: Capture and inspect encrypted PeopleSoft API calls for anomalous data volumes
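The web-server log checks listed under "Web Server Access Logs" (serialized-object POSTs, rapid bursts from one IP) and the IDS check for the Java serialization magic bytes above can be prototyped in a few dozen lines before they are ported to a SIEM or IDS rule. This is an added example written for this page, not code from the original post or from any PeopleSoft or IDS vendor. The log lines are constructed, in a custom format that appends the request Content-Type (which a default access log does not record), and the paths are placeholders rather than real PeopleSoft components.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"   # Java ObjectOutputStream stream header
JAVA_SER_MAGIC_B64 = b"rO0AB"          # the same four bytes after base64 encoding
SERIALIZED_CT = "application/x-java-serialized-object"

# Constructed custom access-log format (the Content-Type field is added by
# configuration; a stock access log does not carry it):
#   <client_ip> [<ISO timestamp>] "<METHOD> <path>" <status> "<request Content-Type>"
SAMPLE_LOG = """\
10.0.0.8 [2024-05-01T08:00:01] "GET /psc/hrprod/EMPLOYEE/HRMS/c/PAGE_A.GBL" 200 "-"
198.51.100.23 [2024-05-01T08:00:05] "POST /psc/hrprod/EMPLOYEE/HRMS/s/PAGE_B.GBL" 500 "application/x-java-serialized-object"
198.51.100.23 [2024-05-01T08:00:06] "POST /psc/hrprod/EMPLOYEE/HRMS/s/PAGE_B.GBL" 500 "application/x-java-serialized-object"
198.51.100.23 [2024-05-01T08:00:07] "GET /psc/hrprod/EMPLOYEE/HRMS/c/PAGE_C.GBL" 200 "-"
198.51.100.23 [2024-05-01T08:00:08] "GET /psc/hrprod/EMPLOYEE/HRMS/c/PAGE_D.GBL" 200 "-"
198.51.100.23 [2024-05-01T08:00:09] "GET /psc/hrprod/EMPLOYEE/HRMS/c/PAGE_E.GBL" 200 "-"
198.51.100.23 [2024-05-01T08:00:10] "GET /psc/hrprod/EMPLOYEE/HRMS/c/PAGE_F.GBL" 200 "-"
10.0.0.8 [2024-05-01T08:05:00] "GET /psc/hrprod/EMPLOYEE/HRMS/c/PAGE_A.GBL" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<ctype>[^"]*)"$'
)

def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    r = m.groupdict()
    r["ts"] = datetime.fromisoformat(r["ts"])
    r["status"] = int(r["status"])
    return r

def looks_like_java_serialization(body: bytes) -> bool:
    """True if a POST body starts with the raw or base64-encoded Java stream header."""
    return body.startswith(JAVA_SER_MAGIC) or body.lstrip().startswith(JAVA_SER_MAGIC_B64)

def find_suspicious_requests(lines, burst_threshold=5, window=timedelta(seconds=10)):
    """Return ("serialized-object-post", ip, path) for each serialized POST and
    one ("burst", ip, count) per IP that exceeds burst_threshold requests to
    /psc/ inside a sliding window."""
    alerts = []
    per_ip = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        if r["method"] == "POST" and r["ctype"].lower().startswith(SERIALIZED_CT):
            alerts.append(("serialized-object-post", r["ip"], r["path"]))
        if r["path"].startswith("/psc/"):
            per_ip[r["ip"]].append(r["ts"])
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                alerts.append(("burst", ip, end - start + 1))
                break
    return alerts

if __name__ == "__main__":
    for a in find_suspicious_requests(SAMPLE_LOG.splitlines()):
        print(a)
```

The base64 prefix check matters because serialized objects are frequently carried inside form fields or headers rather than as a raw body; a rule that only matches `0xaced0005` on the wire misses that case.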

Behavioral Indicators

  • Spike in LDAP bind attempts from application servers
  • High-volume SQL queries from PeopleSoft service accounts outside normal business hours
  • Credential access attempts (SAM, LSASS dumps) from PeopleSoft process context

Mitigation & Hardening

Immediate Actions

  1. Patch Oracle PeopleSoft to latest patch level - Check NIST NVD for PeopleSoft CVEs and apply all security updates. Oracle typically bundles deserialization fixes in quarterly patches.

  2. Isolate PeopleSoft network segment - Implement network segmentation so PeopleSoft app servers cannot directly reach database infrastructure, file servers, or identity systems. Use a bastion host model for legitimate integrations.

  3. Rotate LDAP/database service account credentials - Assume all embedded credentials are compromised. Update password complexity to 32+ characters with full character set. Use service account management (SCAM) solutions to enforce credential rotation every 90 days.

  4. Invalidate all active sessions - Force logout of all users and regenerate session tokens. Update session cookie encryption keys.

Long-term Hardening

  • Application-level data encryption: Encrypt sensitive fields (SSN, salary, benefits data) at rest using transparent data encryption (TDE).
  • Disable unnecessary integration connectors: Audit all enabled connectors to HR systems, payroll, and SSO. Disable any not actively used.
  • Implement mutual TLS between PeopleSoft and backend systems. Prevent unauthenticated service-to-service communication.
  • Deploy WAF rules specific to PeopleSoft attack vectors. See OWASP guidelines for Java deserialization attacks.
  • Enable HTTP-only and Secure flags on session cookies. Implement SameSite=Strict to prevent CSRF and cross-origin cookie theft.
  • Monitor CISA alerts for PeopleSoft-specific advisories and subscribe to Oracle Critical Patch Advisories.
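The cookie-flag item above can be verified from the outside by reading the Set-Cookie headers a PeopleSoft response actually returns, rather than trusting the configuration. The checker below is an added example, not code from the original post; the two header lists are constructed, the weak one modelled on the `Set-Cookie: PS_LOGINLIST=...; Path=/psc/` line shown earlier on this page and the second showing the hardened form.

```python
REQUIRED_FLAGS = ("Secure", "HttpOnly")

def audit_set_cookie(header_value: str) -> dict:
    """Report which hardening attributes a single Set-Cookie value lacks."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    missing = [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]
    if attrs.get("samesite", "").lower() != "strict":
        missing.append("SameSite=Strict")
    return {"cookie": name, "missing": missing, "hardened": not missing}

def audit_response_headers(headers):
    """Audit every Set-Cookie header in a list of (name, value) pairs."""
    return [audit_set_cookie(v) for n, v in headers if n.lower() == "set-cookie"]

# Constructed header lists; hostnames are placeholders.
WEAK_RESPONSE = [
    ("Server", "PeopleSoft"),
    ("Set-Cookie", "PS_LOGINLIST=http://peoplesoft.example/psp; Path=/psc/"),
    ("Set-Cookie", "PS_TOKEN=ABCD1234; Path=/psc/"),
]
HARDENED_RESPONSE = [
    ("Server", "PeopleSoft"),
    ("Set-Cookie", "PS_LOGINLIST=https://peoplesoft.example/psp; Path=/psc/; Secure; HttpOnly; SameSite=Strict"),
    ("Set-Cookie", "PS_TOKEN=ABCD1234; Path=/psc/; Secure; HttpOnly; SameSite=Strict"),
]

if __name__ == "__main__":
    for label, headers in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        for finding in audit_response_headers(headers):
            print(label, finding["cookie"], "missing:", finding["missing"] or "nothing")
```

One caveat before enforcing the strictest setting: a `SameSite=Strict` cookie is not sent on a top-level navigation that arrives from another site, so an SSO redirect back from the identity provider or a deep link from a portal may land on the login page instead of the session. Test those flows first; `SameSite=Lax` is the usual fallback when they break.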

Identity & Access Controls

  • Enforce MFA on all PeopleSoft administrative accounts
  • Implement just-in-time (JIT) access for system administrators
  • Use role-based access control (RBAC) to restrict data access by job function
  • Monitor and alert on privilege escalation attempts (e.g., user elevated to HR Administrator role)

Key Takeaways

  • HR/payroll systems are strategic targets: PeopleSoft compromises yield employee datasets, compensation information, and high-value credentials for lateral movement across enterprise infrastructure.

  • Supply chain persistence requires identity access: Once attackers compromise a centralized identity system, they gain the ability to impersonate legitimate users across connected downstream systems (Workday, Salesforce, ServiceNow, etc.). This is why the Nissan breach likely extends beyond HR data.

  • In-memory credential harvesting is difficult to detect: Attack tools can extract session tokens and service account credentials from running Java processes without touching disk. Behavioral monitoring and YARA rules on memory dumps are required.

  • Configuration files are the weakest link: Embedded LDAP/database credentials in web.xml, psadmin.properties, and Tomcat catalina.properties files are often overlooked in security assessments. Treat all configuration files as sensitive as private keys.

  • 100+ compromised organizations suggests persistent implant deployment: The large victim count indicates attackers likely established backdoor persistence mechanisms (web shells, modified JAR files, scheduled tasks) to maintain access across multiple breach windows. Assume command-and-control (C2) infrastructure remains active.

Related Articles

For additional context on supply chain attacks and SaaS compromise, review:
