{"id":5192,"date":"2025-10-03T00:55:52","date_gmt":"2025-10-03T00:55:52","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5192"},"modified":"2025-10-03T00:55:52","modified_gmt":"2025-10-03T00:55:52","slug":"oracle-e-business-suite-users-targeted-in-extortion-campaign","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5192","title":{"rendered":"Oracle E-Business Suite users targeted in extortion campaign"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Oracle E-Business Suite users beware: Hackers may (or may not) have stolen your sensitive data.<\/p>\n<p>Researchers at Halcyon, Google, and Mandiant have confirmed that they are tracking the activity of a threat actor, \u201chighly likely\u201d to be affiliated with the notorious and successful <a href=\"https:\/\/www.halcyon.ai\/threat-group\/cl0p\" target=\"_blank\" rel=\"noopener\">Cl0p gang<\/a>, who is sending emails to various executives claiming they have stolen sensitive data from their Oracle E-Business Suite ERP systems.<\/p>\n<p>The activity started \u201con or before\u201d September 29, 2025, according to <a href=\"https:\/\/www.halcyon.ai\/press\/former-fbi-cyber-division-deputy-assistant-director-cynthia-kaiser-joins-halcyon-to-lead-ransomware-research-center\" target=\"_blank\" rel=\"noopener\">Cynthia Kaiser<\/a>, SVP of Halcyon\u2019s ransomware research center, and threat actors have been making seven and eight figure ransom demands as high as $50 million. They have been backing up their claims with proofs of compromise including screenshots and file trees.<\/p>\n<p>\u201cThis is a developing situation,\u201d Kaiser told CSO Online. 
\u201cSeveral extortion attempts have been observed across multiple companies, including direct outreach to IT leaders and C-Suite executives, indicating the campaign is targeting more than a single victim.\u201d<\/p>\n<p>Oracle did not provide additional details, but CSO Rob Duhart said in <a href=\"https:\/\/blogs.oracle.com\/security\/post\/apply-july-2025-cpu\" target=\"_blank\" rel=\"noopener\">a blog post<\/a> on Thursday that Oracle is \u201caware\u201d of the extortion emails and is performing an \u201congoing investigation.\u201d He said that attackers are potentially using previously-identified vulnerabilities addressed in the company\u2019s July critical patch update, and that Oracle \u201creaffirms its strong recommendation\u201d that customers apply these updates.<\/p>\n<h2 class=\"wp-block-heading\">Could it be Cl0p? It\u2019s hard to know<\/h2>\n<p>The Oracle E-Business Suite (EBS) is an enterprise resource planning (ERP) system that the tech giant says is used by thousands of organizations around the world.<\/p>\n<p>Halcyon reports that the ransomware operators are \u201cactively extorting\u201d victims via the local login pages (AppsLocalLogin.jsp) of internet-exposed EBS portals. After compromising user email, attackers abuse the default password-reset function to gain valid credentials; the local accounts bypass enterprise single sign on (SSO) controls, and often lack multi-factor authentication (MFA), leaving \u201cthousands\u201d of organizations exposed.<\/p>\n<p>Targeted organizations have received samples, including screenshots of EBS portals and file tree listings from compromised environments, that seem to validate the extortion claims, Kaiser said. 
The tactics and extortion approach align with prior Cl0p campaigns, she noted, and data leak aggregators have \u201creinforced the claims.\u201d She emphasized that the group appears to be abusing configurations, not exploiting vulnerabilities.<\/p>\n<p>Malicious emails sent by the group contain contact information for the hackers, and two specific addresses are publicly listed on the Cl0p data leak site. At least one of the listed accounts has been associated with financially-motivated threat group FIN11, known for its ransomware and extortion tactics.<\/p>\n<p>\u201cFIN11 has successfully impacted a wide range of organizations, including many prominent companies with strong security postures. While we have no evidence that zero-day exploits were used in this case, and we have not yet attributed the activity, the potential involvement of FIN11 suggests that we should take this activity seriously,\u201d Google Threat Intelligence Group\u2019s head of cybercrime intelligence analysis Genevieve Stark said via email. <\/p>\n<p>Initially, researchers were dubious about whether the group was actually who it claimed to be; Mandiant CTO <a href=\"https:\/\/www.linkedin.com\/in\/charlescarmakal\" target=\"_blank\" rel=\"noopener\">Charles Carmakal<\/a> noted that attribution in cybercrime is \u201coften complex,\u201d with threat actors mimicking more notorious actors to increase leverage and pressure.<\/p>\n<p>Ultimately, \u201cthis spear-phishing attack campaign is dangerous, not just because of the potential and threat of data theft, but because it hits at the very mission-critical systems that run the business,\u201d said <a href=\"https:\/\/www.infotech.com\/profiles\/erik-avakian\" target=\"_blank\" rel=\"noopener\">Erik Avakian<\/a>, a technical counselor at <a href=\"https:\/\/www.infotech.com\/\" target=\"_blank\" rel=\"noopener\">Info-Tech Research Group<\/a>. 
\u201cHigh-value data like payroll, vendor invoices, contracts, and sensitive HR information provides a prime target to a threat actor.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Execs: Don\u2019t \u2018engage rashly\u2019<\/h2>\n<p>There are no common vulnerabilities and exposures (CVEs) for this attack; the issue \u201cstems from configuration and default business logic abuse rather than a specific vulnerability,\u201d according to Halcyon.<\/p>\n<p>The firm advises organizations to check if EBS portals are publicly accessible (via https:\/\/\/OA_HTML\/AppsLocalLogin.jsp#) and if so, immediately restrict exposure. It is also critical to enforce MFA for all accounts; remove or \u201ctightly control\u201d internet access to EBS via hardened reverse proxies that bounce traffic; disable or secure password reset abilities and require secondary verification; monitor for anomalous logins and reset attempts; and deploy anti-ransomware tools.<\/p>\n<p>As a standard practice, organizations should train users, especially executive staff, on threat actor tactics, so they are naturally wary of emails, texts, or voice calls that \u201cplay on fear, urgency, or claim knowledge of systems by name,\u201d Info-Tech\u2019s Avakian advised. Executives in particular should not \u201cengage rashly\u201d when receiving a threatening message.<\/p>\n<p>In addition, security teams should investigate, validate, and look for any evidence of successful exfiltration. 
This can include examining logs and looking for unusual queries or large amounts of data being exported.<\/p>\n<p>\u201cThis type of attack provides an opportunity for organizations to tighten monitoring and employ zero-trust principles across the protected surface, such as mission-critical applications, particularly around the Oracle EBS,\u201d he advised.<\/p>\n<h2 class=\"wp-block-heading\">Threat actors changing tactics<\/h2>\n<p>Cl0p emerged in February 2019, according to Halcyon, quickly establishing itself as a prolific, financially successful ransomware operation. The group has generated more than $500 million in extorted payments and compromised more than 11,000 organizations worldwide.<\/p>\n<p>The group\u2019s modus operandi is to infiltrate corporate networks, steal data, and deploy ransomware to encrypt it. One of its most notable acts was its exploitation of the <a href=\"https:\/\/www.csoonline.com\/article\/575481\/clop-ransomware-gang-exploits-the-moveit-transfer-vulnerability-to-steal-data.html\" target=\"_blank\" rel=\"noopener\">MOVEit zero-day vulnerability<\/a> in 2023.<\/p>\n<p>This latest attack sheds light on a possible shift to extortion without ransomware, said Avakian, while also pointing out that hackers \u201ccan and often do\u201d change their tactics at any time.<\/p>\n<p>This campaign also reveals a key pattern in which hackers are directly targeting leadership, as well as very specific products or applications, to create maximum pressure. 
\u201cEven if the attackers don\u2019t have the data they are claiming to have, they\u2019re still exploiting fear and urgency to pressure leadership,\u201d said Avakian.<\/p>\n<h2 class=\"wp-block-heading\">Oracle missteps may have led to this<\/h2>\n<p>This case is \u201cfascinating\u201d from a PR angle, according to <a href=\"https:\/\/www.beauceronsecurity.com\/blog\/tag\/David+Shipley\" target=\"_blank\" rel=\"noopener\">David Shipley<\/a> of <a href=\"https:\/\/www.beauceronsecurity.com\/\" target=\"_blank\" rel=\"noopener\">Beauceron Security<\/a>; many concerns were raised earlier this year when news broke of <a href=\"https:\/\/www.csoonline.com\/article\/3951683\/oracle-warns-customers-of-health-data-breach-amid-public-denial.html\" target=\"_blank\" rel=\"noopener\">data breaches<\/a> on Oracle Health. The company was accused in a lawsuit of <a href=\"https:\/\/www.csoonline.com\/article\/3953644\/oracle-quietly-admits-data-breach-days-after-lawsuit-accused-it-of-cover-up.html\" target=\"_blank\" rel=\"noopener\">covering up the attack<\/a>, prompting it to inform customers of potential compromise of usernames, passkeys, and encrypted passwords.<\/p>\n<p>This poor communication has created a \u201cmassive amount of uncertainty, fear, and doubt\u201d that has led to a \u201ctoxic hangover,\u201d said Shipley.<\/p>\n<p>\u201cThey\u2019ve clouded the waters so badly with their communications that people don\u2019t know what to believe,\u201d he said. That provides a \u201chuge opportunity\u201d for threat actors, because so much distrust may prompt organizations to assume a breach is real and give in to extortion demands.<\/p>\n<p>Ultimately, this should serve as a case study illustrating how important it is for companies to have a clear communications plan and share information as quickly and accurately as possible when breached, Shipley noted. 
\u201cThis is more about PR and crisis communications and a little bit about criminal branding and reputation all mixed together,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"author":0,"featured_media":5191,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5192","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"]}