Digital Dragon Watch: Weekly China Cyber Alert

PeopleSoft's Forgotten Back Door: How Chinese Hackers Are Raiding HR Data While IT Sleeps


This is your Digital Dragon Watch: Weekly China Cyber Alert podcast.
Hey listeners, I’m Ting, your slightly overcaffeinated Digital Dragon watcher, and the China cyber scene this week has been…busy.
Let’s start with the big one: according to the latest F5 Labs Weekly Threat Bulletin for June 17, researchers tracked a China‑nexus intrusion set abusing Oracle PeopleSoft’s Environment Management Hub, the PSEMHUB service most admins forget exists. Attackers used it as a beachhead, dropped custom JSP webshells, then fanned out across networks using SSH credential spraying with a script literally named “_fanout.sh”, tied to hard‑coded IPs like 142.11.200.186 and the domain azurenetfiles[.]net. F5’s analysis notes classic “living off the land” behavior: reading config files like psappsrv.cfg, stealing credentials, and pivoting toward databases and HR records.
Target sectors here are exactly where PeopleSoft lives: US universities, healthcare networks, and state and local government ERP stacks. That means payroll, student records, and sensitive HR data are all on the potential menu if you’re behind on Oracle patching.
On the government side, this kind of activity lines up squarely with what CISA, the FBI, and NSA have been warning about in their joint advisories on PRC state‑sponsored actors targeting critical infrastructure and enterprise apps. Even when there isn’t a brand‑new press conference, those standing advisories are effectively the US government saying: “We told you they’d do this, and they still are.”
Now defenses, because I don’t like leaving you in doom mode. F5 Labs recommends killing the exposure at the source: disable PeopleSoft EMHub if you don’t need it, or at minimum block external access to /PSEMHUB and /PSIGW/HttpListeningConnector at your perimeter firewalls, and hunt for unexpected JSP files under PSEMHUB.war. They also call for default‑deny egress from PeopleSoft servers, blocking SMB and SSH outbound, and enforcing strong, unique passwords plus SSH key‑based admin access. That’s very much in line with what CISA has been preaching through its Known Exploited Vulnerabilities catalog and its Secure by Design initiative.
Zooming out across the week, multiple industry reports and threat‑intel feeds continue to flag a rise in China‑linked operations against the US tech sector and cloud‑adjacent services, including long‑term data theft using clever abuse of legitimate features like email forwarding rules and cloud storage links rather than noisy malware. Those campaigns are hitting SaaS providers, semiconductor firms, and AI companies—anything holding valuable IP or training data.
So what should you, my loyal cyber dragons, do? Expert recommendations are converging: aggressively patch any internet‑facing enterprise apps, especially Oracle, VPNs, and SSO; segment critical business systems from general user networks; enforce phishing‑resistant MFA; and feed your SIEM with detections for unusual admin activity, webshell patterns, and odd outbound traffic from business apps that “should never talk to the internet.”
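To make the hunting and detection advice above concrete, here is an added example (my own illustration, not code from the show or from F5 Labs) that runs the three checks the episode calls for over constructed sample data: requests to /PSEMHUB or /PSIGW/HttpListeningConnector from non-internal addresses, JSP files inside the PSEMHUB.war deployment that are not on a known-good baseline, and outbound connections from a PeopleSoft host that break default-deny egress, use SSH or SMB, or touch the indicators quoted in the bulletin. The internal address ranges, the deployment path under /srv/pia, the JSP baseline and the log formats are all assumptions; adapt them to your own environment and log sources.

```python
"""Detection sketch for the PeopleSoft EMHub defenses described above.

Three checks, each run over constructed sample data embedded below:
  1. web access log: requests to /PSEMHUB or /PSIGW/HttpListeningConnector
     from outside the internal ranges (these paths should be blocked at the edge)
  2. file inventory: JSP files under the PSEMHUB.war deployment that are not
     on the expected baseline (the webshell hunt)
  3. egress records from a PeopleSoft host: any external destination,
     SSH/SMB outbound, or a connection to an indicator from the bulletin
"""
import ipaddress
import re
from pathlib import PurePosixPath

# Hypothetical internal ranges; replace with your own allocation.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Paths the bulletin says should not be reachable from the internet.
SENSITIVE_PREFIXES = ("/PSEMHUB", "/PSIGW/HttpListeningConnector")

# Indicators quoted in the bulletin (IP and domain).
IOC_IPS = {"142.11.200.186"}
IOC_DOMAINS = {"azurenetfiles.net"}

# Ports that should never leave a PeopleSoft server under default-deny egress.
BLOCKED_EGRESS_PORTS = {22, 445}

# Hypothetical baseline of JSP files expected inside PSEMHUB.war;
# build yours from a clean install of the same release.
EXPECTED_JSP = {"index.jsp"}

# Common/combined access-log format: ip ident user [ts] "METHOD path proto" status
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed egress record format: "<src host> -> <dst>:<port>"
EGRESS_RE = re.compile(r"^(?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+)$")


def is_internal(dst: str) -> bool:
    """True only for IP literals inside INTERNAL_NETS; hostnames are not internal."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def external_emhub_requests(log_lines):
    """Return (source ip, path) for sensitive-path requests from non-internal IPs."""
    hits = []
    for line in log_lines:
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m.group("path")
        if path.startswith(SENSITIVE_PREFIXES) and not is_internal(m.group("ip")):
            hits.append((m.group("ip"), path))
    return hits


def unexpected_jsp_files(paths):
    """Return JSP paths (relative to PSEMHUB.war) that are not on the baseline."""
    found = []
    for p in paths:
        parts = PurePosixPath(p).parts
        if "PSEMHUB.war" not in parts or not p.lower().endswith(".jsp"):
            continue  # only JSPs inside the EMHub web application matter here
        rel = "/".join(parts[parts.index("PSEMHUB.war") + 1:])
        if rel not in EXPECTED_JSP:
            found.append(rel)
    return found


def egress_violations(conn_lines):
    """Return (dst, port, reasons) for outbound connections that should not happen."""
    flagged = []
    for line in conn_lines:
        m = EGRESS_RE.match(line)
        if not m:
            continue
        dst, port = m.group("dst"), int(m.group("port"))
        reasons = []
        if dst in IOC_IPS or dst.lower() in IOC_DOMAINS:
            reasons.append("known indicator")
        if port in BLOCKED_EGRESS_PORTS:
            reasons.append(f"blocked port {port}")
        if not is_internal(dst):
            reasons.append("external destination (default-deny egress)")
        if reasons:
            flagged.append((dst, port, reasons))
    return flagged


# Constructed sample data (not real telemetry). Dates and hosts are made up.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [17/Jun/2025:10:01:02 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '10.20.30.40 - - [17/Jun/2025:10:02:10 +0000] "GET /PSEMHUB/hub HTTP/1.1" 200 512',
    '198.51.100.9 - - [17/Jun/2025:10:03:00 +0000] "POST /PSIGW/HttpListeningConnector HTTP/1.1" 200 77',
    '198.51.100.9 - - [17/Jun/2025:10:03:30 +0000] "GET /psp/ps/?cmd=login HTTP/1.1" 200 4096',
]
SAMPLE_FILES = [
    "/srv/pia/PSEMHUB.war/index.jsp",            # on the baseline
    "/srv/pia/PSEMHUB.war/WEB-INF/web.xml",       # not a JSP
    "/srv/pia/PSEMHUB.war/cmd.jsp",               # unexpected: worth a look
    "/srv/pia/PSEMHUB.war/WEB-INF/tmp/x.jsp",     # unexpected, nested
    "/srv/pia/PORTAL.war/index.jsp",              # different web app, ignored
]
SAMPLE_EGRESS = [
    "psft-app01 -> 10.20.30.50:1521",      # internal database, expected
    "psft-app01 -> 142.11.200.186:22",     # indicator + SSH + external
    "psft-app01 -> azurenetfiles.net:443", # indicator + external
    "psft-app01 -> 10.20.30.60:445",       # internal, but SMB outbound is blocked
]


def run_all():
    """Run every check on the constructed samples and return the findings."""
    return {
        "external_requests": external_emhub_requests(SAMPLE_ACCESS_LOG),
        "unexpected_jsp": unexpected_jsp_files(SAMPLE_FILES),
        "egress": egress_violations(SAMPLE_EGRESS),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name)
        for f in findings:
            print("  ", f)
```

Note that the egress check treats any non-internal destination as a finding, which is the point of default-deny egress: a PeopleSoft application server has no business initiating connections to the internet, so the alert does not depend on knowing the attacker's infrastructure in advance; the indicator match just raises the priority. Feed the same three functions from your real access logs, a file-integrity or inventory export, and firewall or NetFlow records rather than the embedded samples.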
That’s your Digital Dragon Watch for this week. Thanks for tuning in, and don’t forget to subscribe so you never miss a signal in the noise. This has been a Quiet Please production; for more, check out quietplease.ai.

Digital Dragon Watch: Weekly China Cyber Alert, by Inception Point AI