Data-Grabbing Attacks Appear to Compromise Organizations Without July Patch Update

Oracle is acknowledging that its customers are being targeted by data-stealing extortionists.
The software giant and cybersecurity researchers say the criminals don’t appear to be exploiting a zero-day vulnerability.
“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” said Rob Duhart, CSO of Oracle Security, in a Thursday blog post (see: Extortionists Claim Mass Oracle E-Business Suite Data Theft).
“Oracle reaffirms its strong recommendation that customers apply the latest critical patch updates,” Duhart said.
Of the 309 new security patches issued in July, nine are updates for Oracle E-Business Suite, of which three address flaws that can be remotely exploited without authentication. Oracle said EBS customers must also install multiple updates for Oracle Database and Oracle Fusion Middleware, because vulnerabilities in those underlying products can affect EBS deployments.
Multiple cybersecurity firms began reporting Wednesday that executives at organizations that use Oracle E-Business Suite have been receiving emailed ransom messages demanding up to $50 million in exchange for a promise not to leak stolen data.
Evidence points to attackers reaching internet-facing Oracle EBS portals and using the login pages intended for local accounts, which lets them bypass enterprise single sign-on controls for any account that lacks multifactor authentication, as local accounts often do, cybersecurity firm Halcyon said in a Thursday security alert.
The firm said that a “lack of MFA on these accounts allows attackers to trigger password resets via compromised email accounts; attackers then gain valid user access.”
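The attack path Halcyon describes leaves a recognizable trail on the portal itself: a password-reset request for a local account, followed shortly by a successful POST to the local (non-SSO) login page from an address outside the corporate network. The following detection sketch is an added example, not code from the article, Oracle, Halcyon or Mandiant. It assumes a simplified, constructed access-log format (timestamp, client IP, method, path, status, EBS username); the URL paths, the corporate address ranges, the 24-hour correlation window and the sample log lines are all assumptions to be adjusted to a real deployment.

```python
"""Flag SSO-bypass attempts via the local login page of an Oracle EBS portal.

Added example, not vendor code.  Everything not stated in the article is an
assumption: the log format, the URL paths, the corporate networks and the
sample lines below (constructed for illustration).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: path of the local (non-SSO) login page and of the self-service
# password-reset handler.  Verify against your own portal before use.
LOCAL_LOGIN_PATHS = ("/OA_HTML/AppsLocalLogin.jsp",)
PASSWORD_RESET_PATHS = ("/OA_HTML/ResetPassword.jsp",)

# ASSUMPTION: ranges from which interactive local logins are expected.
CORP_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# A reset followed by a successful local login within this window is
# treated as the "reset via compromised mailbox, then log in" pattern.
RESET_TO_LOGIN_WINDOW = timedelta(hours=24)
SUCCESS_STATUSES = {200, 302}

# Constructed sample log: ts|client_ip|method|path|status|ebs_user
SAMPLE_LOG = """\
# constructed sample, not real traffic
2025-10-02T09:12:03Z|10.20.1.15|POST|/OA_HTML/AppsLocalLogin.jsp|302|alice
2025-10-02T13:58:40Z|203.0.113.7|POST|/OA_HTML/ResetPassword.jsp|200|bob
2025-10-02T14:05:11Z|203.0.113.7|POST|/OA_HTML/AppsLocalLogin.jsp|302|bob
2025-10-02T14:06:30Z|198.51.100.22|GET|/OA_HTML/RF.jsp?function_id=1234|200|carol
2025-10-02T14:09:02Z|198.51.100.22|POST|/OA_HTML/AppsLocalLogin.jsp|401|dave
2025-10-02T15:30:00Z|198.51.100.50|POST|/OA_HTML/AppsLocalLogin.jsp|200|erin
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict; query strings are dropped."""
    ts, ip, method, path, status, user = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "method": method,
        "path": path.split("?", 1)[0],
        "status": int(status),
        "user": user,
    }


def is_external(ip):
    """True when the client address is outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORP_NETWORKS)


def find_sso_bypass(lines):
    """Return findings for external local logins and reset-then-login chains."""
    events = sorted(
        (parse_line(l) for l in lines if l.strip() and not l.startswith("#")),
        key=lambda e: e["ts"],
    )
    resets = defaultdict(list)   # user -> timestamps of reset requests
    findings = []
    for e in events:
        if e["path"].startswith(PASSWORD_RESET_PATHS):
            resets[e["user"]].append(e["ts"])
            continue
        if (e["path"].startswith(LOCAL_LOGIN_PATHS)
                and e["method"] == "POST"
                and e["status"] in SUCCESS_STATUSES
                and is_external(e["ip"])):
            base = {"user": e["user"], "ip": e["ip"], "ts": e["ts"].isoformat()}
            findings.append({"rule": "local_login_from_external",
                             "severity": "medium", **base})
            # Escalate if a reset for the same account preceded the login.
            if any(timedelta(0) <= e["ts"] - r <= RESET_TO_LOGIN_WINDOW
                   for r in resets[e["user"]]):
                findings.append({"rule": "reset_then_local_login",
                                 "severity": "high", **base})
    return findings


if __name__ == "__main__":
    for f in find_sso_bypass(SAMPLE_LOG.splitlines()):
        print(f["severity"].upper(), f["rule"], f["user"], f["ip"], f["ts"])
```

On the constructed sample, alice's internal login and dave's failed attempt produce nothing, erin's external local login is a medium finding, and bob's reset followed seven minutes later by a successful external local login is escalated to high. The same two rules can be fed from a real web-server or WAF log once the parser and paths are replaced; the useful follow-up is to enforce MFA or disable local login for any account that appears in the high-severity output.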
Extortionists began conducting a “high-volume email campaign,” sending messages from hundreds of compromised email accounts, said Google’s Mandiant incident response group. The attackers claim to be affiliated with Clop, a Russian-speaking ransomware group also known as Cl0p that specializes in rapidly executed supply chain attacks designed to steal data from numerous victims and hold it to ransom.
Mandiant said two of the email addresses being used in the campaign were previously used by Clop. Links in the emails also resolve to Clop’s data-leak site.
No security experts or victim organizations have yet confirmed that the attackers stole data, or that any stolen data is sensitive.
The extortion notes are being emailed directly to senior executives at numerous organizations and include purported proof of the infiltration and data exfiltration. How attackers obtained executives’ contact details isn’t clear, although one explanation is that they stole it from the Oracle systems they hacked.
“Ransom demands have reached up to $50 million, with attackers providing proof of compromise including screenshots and file trees,” Halcyon said, adding that it’s “highly likely” Clop is actively involved in this campaign and that thousands of organizations may be at risk.
One notable aspect of the mass campaign has been the communications directly targeting senior executives, likely to maximize the fear and uncertainty tied to the attacks and provoke a sense of "urgency" to act, Chris Pierson, CEO and founder of digital executive protection firm BlackCloak, told Information Security Media Group.
“The challenge for organizations is twofold: hardening the systems that store the most sensitive corporate data, and ensuring executives are prepared with the right playbook when extortion attempts land in their inbox,” he said. “Third-party vendor risks will continue to be a favorite target of cybercriminals and we’ve seen a marked increase in these systems being targeted because they yield information on not one company, but hundreds or thousands of companies.”