Oracle E-Business Suite users targeted in extortion campaign

Oracle E-Business Suite users beware: Hackers may (or may not) have stolen your sensitive data.

Researchers at Halcyon, Google, and Mandiant have confirmed that they are tracking the activity of a threat actor, “highly likely” to be affiliated with the notorious and successful Cl0p gang, who is sending emails to various executives claiming they have stolen sensitive data from their Oracle E-Business Suite ERP systems.

The activity started “on or before” September 29, 2025, according to Cynthia Kaiser, SVP of Halcyon’s ransomware research center, and the threat actors have been making seven- and eight-figure ransom demands, as high as $50 million. They have been backing up their claims with proofs of compromise, including screenshots and file trees.

“This is a developing situation,” Kaiser told CSO Online. “Several extortion attempts have been observed across multiple companies, including direct outreach to IT leaders and C-Suite executives, indicating the campaign is targeting more than a single victim.”

Oracle did not provide additional details, but CSO Rob Duhart said in a blog post on Thursday that Oracle is “aware” of the extortion emails and is performing an “ongoing investigation.” He said that attackers are potentially using previously identified vulnerabilities addressed in the company’s July critical patch update, and that Oracle “reaffirms its strong recommendation” that customers apply these updates.

Could it be Cl0p? It’s hard to know

The Oracle E-Business Suite (EBS) is an enterprise resource planning (ERP) system that the tech giant says is used by thousands of organizations around the world.

Halcyon reports that the ransomware operators are “actively extorting” victims via the local login pages (AppsLocalLogin.jsp) of internet-exposed EBS portals. After compromising a user’s email, attackers abuse the default password-reset function to obtain valid credentials; these local accounts bypass enterprise single sign-on (SSO) controls and often lack multi-factor authentication (MFA), leaving “thousands” of organizations exposed.

Targeted organizations have received samples, including screenshots of EBS portals and file tree listings from compromised environments, that seem to validate the extortion claims, Kaiser said. The tactics and extortion approach align with prior Cl0p campaigns, she noted, and data leak aggregators have “reinforced the claims.” She emphasized that the group appears to be abusing configurations, not exploiting vulnerabilities.

Malicious emails sent by the group contain contact information for the hackers, and two specific addresses are publicly listed on the Cl0p data leak site. At least one of the listed accounts has been associated with the financially motivated threat group FIN11, known for its ransomware and extortion tactics.

Initially, researchers were dubious about whether the group was actually who it claimed to be; Mandiant CTO Charles Carmakal noted that attribution in cybercrime is “often complex,” with threat actors mimicking more notorious actors to increase leverage and pressure.

Ultimately, “this spear-phishing attack campaign is dangerous, not just because of the potential and threat of data theft, but because it hits at the very mission-critical systems that run the business,” said Erik Avakian, a technical counselor at Info-Tech Research Group. “High-value data like payroll, vendor invoices, contracts, and sensitive HR information provides a prime target to a threat actor.”

Execs: Don’t ‘engage rashly’

There are no common vulnerabilities and exposures (CVEs) for this attack; the issue “stems from configuration and default business logic abuse rather than a specific vulnerability,” according to Halcyon.

The firm advises organizations to check if EBS portals are publicly accessible (via https:///OA_HTML/AppsLocalLogin.jsp#) and if so, immediately restrict exposure. It is also critical to enforce MFA for all accounts; remove or “tightly control” internet access to EBS via hardened reverse proxies that bounce traffic; disable or secure password reset abilities and require secondary verification; monitor for anomalous logins and reset attempts; and deploy anti-ransomware tools.

As a standard practice, organizations should train users, especially executive staff, on threat actor tactics, so they are naturally wary of emails, texts, or voice calls that “play on fear, urgency, or claim knowledge of systems by name,” Info-Tech’s Avakian advised. Executives in particular should not “engage rashly” when receiving a threatening message.

In addition, security teams should investigate, validate, and look for any evidence of successful exfiltration. This can include examining logs and looking for unusual queries or large amounts of data being exported.
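As an added example of the monitoring Halcyon and Avakian recommend (this is not code from the article, Halcyon, or Oracle), the script below scans constructed web-server access log lines for external hits on the AppsLocalLogin.jsp page, bursts of password-reset requests from a single source, and unusually large responses that could indicate bulk data export. The reset endpoint path and the internal network ranges are assumptions and must be adjusted to the real deployment.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed internal address ranges of the organisation (placeholder values).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
LOCAL_LOGIN = "/OA_HTML/AppsLocalLogin.jsp"
# Hypothetical reset endpoint used only for this demo; not a documented Oracle path.
RESET_PATH = "/OA_HTML/ResetPassword"

# Constructed sample access log (NCSA-style), not captured from any real system.
SAMPLE_LOG = """\
10.0.5.12 - - [30/Sep/2025:08:01:10 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4120
203.0.113.7 - - [30/Sep/2025:08:02:15 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4120
203.0.113.7 - - [30/Sep/2025:08:02:40 +0000] "POST /OA_HTML/ResetPassword HTTP/1.1" 200 900
203.0.113.7 - - [30/Sep/2025:08:03:01 +0000] "POST /OA_HTML/ResetPassword HTTP/1.1" 200 900
203.0.113.7 - - [30/Sep/2025:08:03:22 +0000] "POST /OA_HTML/ResetPassword HTTP/1.1" 200 900
203.0.113.7 - - [30/Sep/2025:09:15:00 +0000] "GET /OA_HTML/OA.jsp?export=1 HTTP/1.1" 200 734003200
10.0.5.30 - - [30/Sep/2025:09:20:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 15000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, method, path, status, size = m.groups()
            yield {"ip": ip, "method": method, "path": path,
                   "status": int(status), "bytes": 0 if size == "-" else int(size)}

def is_external(ip):
    """True when the source address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_anomalies(text, reset_threshold=3, export_bytes=100 * 1024 * 1024):
    """Return (finding, ip) pairs: external access to the local login page,
    repeated password resets from one source, and very large responses."""
    findings, resets = [], Counter()
    for rec in parse_log(text):
        if rec["path"].startswith(LOCAL_LOGIN) and is_external(rec["ip"]):
            findings.append(("external_local_login", rec["ip"]))
        if rec["path"].startswith(RESET_PATH) and rec["method"] == "POST":
            resets[rec["ip"]] += 1
        if rec["bytes"] >= export_bytes:
            findings.append(("large_response", rec["ip"]))
    findings += [("reset_burst", ip) for ip, n in resets.items() if n >= reset_threshold]
    return findings
```

Run `find_anomalies(SAMPLE_LOG)` to see the three findings the constructed log produces; in practice the thresholds should be tuned against a baseline of normal portal traffic.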

“This type of attack provides an opportunity for organizations to tighten monitoring and employ zero-trust principles across the protected surface, such as mission-critical applications, particularly around the Oracle EBS,” he advised.

Threat actors changing tactics

Cl0p emerged in February 2019, according to Halcyon, quickly establishing itself as a prolific, financially successful ransomware operation. The group has generated more than $500 million in extorted payments and compromised more than 11,000 organizations worldwide.

The group’s modus operandi is to infiltrate corporate networks, steal data, and deploy ransomware to encrypt it. One of its most notable acts was its exploitation of the MOVEit zero-day vulnerability in 2023.

This latest attack sheds light on a possible shift to extortion without ransomware, said Avakian, while also pointing out that hackers “can and often do” change their tactics at any time.

This campaign also reveals a key pattern in which hackers are directly targeting leadership, as well as very specific products or applications, to create maximum pressure. “Even if the attackers don’t have the data they are claiming to have, they’re still exploiting fear and urgency to pressure leadership,” said Avakian.

Oracle missteps may have led to this

This case is “fascinating” from a PR angle, according to David Shipley of Beauceron Security; many concerns were raised earlier this year when news broke of data breaches on Oracle Health. The company was accused in a lawsuit of covering up the attack, prompting it to inform customers of potential compromise of usernames, passkeys, and encrypted passwords.

This poor communication has created a “massive amount of uncertainty, fear, and doubt” that has led to a “toxic hangover,” said Shipley.

“They’ve clouded the waters so badly with their communications that people don’t know what to believe,” he said. That provides a “huge opportunity” for threat actors, because so much distrust may prompt organizations to assume a breach is real and give in to extortion demands.

Ultimately, this should serve as a case study illustrating how important it is for companies to have a clear communications plan and share information as quickly and accurately as possible when breached, Shipley noted. “This is more about PR and crisis communications and a little bit about criminal branding and reputation all mixed together,” he said.
