Signs Point to Multiple Exploit Chains, One Including a Zero-Day, Being Employed

Attacks targeting Oracle E-Business Suite customers appear to have started months before finally being detected.
The attacks first came to light on Sept. 29, when attackers claiming to be affiliated with the Russian-speaking Clop – aka Cl0p – ransomware group began emailing victims, threatening to leak stolen data unless they paid cryptocurrency ransoms worth up to $50 million (see: Extortionists Claim Mass Oracle E-Business Suite Data Theft).
Evidence now suggests the attack campaign may have begun as early as July 10 and that “in some cases, the threat actor successfully exfiltrated a significant amount of data from impacted organizations,” reported threat researchers at Google Cloud on Thursday.
Investigators found suspicious activity dating back nearly three months ago but no active exploitation until approximately Aug. 9, suggesting attackers needed time to refine the exploit.
“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” said John Hultquist, chief analyst at the Google Threat Intelligence Group. “Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”
The campaign launch date is notable in part because Oracle first stated on Oct. 2 that it believed attackers were only exploiting EBS installations for which customers hadn’t installed security updates it released on July 15.
Oracle revised its take two days later, acknowledging Saturday that a zero-day vulnerability tracked as CVE-2025-61882 was also part of an attack chain. The technology giant released an emergency security update and advised customers to install it as quickly as possible (see: Oracle Zero-Day and More Being Exploited by Ransomware Group).
Clop began as a ransomware group but has specialized in supply-chain attacks, concentrating on secure managed file-transfer software to steal data from a large number of users at once: Accellion FTA from late 2020 to early 2021, GoAnywhere Managed File Transfer software in early 2023, Progress Software’s MOVEit and Cleo Communications’ Harmony in mid-2023, VLTrader and LexiCom MFT software in late 2024.
Clop’s repeated use of zero-day vulnerabilities suggests it devotes significant resources to funding internal research and development, or paying top dollar to purchase exploitable vulnerabilities found by others.
Since 2020 the group has also regularly listed non-paying victims on its dedicated data-leak site and threatened to leak their stolen data. No victims of this EBS-targeting campaign have yet appeared on Clop’s data-leak site, although an interval before the victim shaming starts isn’t unusual. After previous attacks, the group has spent weeks or months pressuring victims to pay.
In this campaign, the emailed extortion threats that began Sept. 29 originated from “hundreds, if not thousands, of compromised third-party accounts” for which credentials “were likely sourced from infostealer malware logs sold on underground forums,” the Google researchers said (see: On the Rise: Ransomware Victims, Breaches, Infostealers).
Multiple Exploit Chains
The researchers said evidence suggests that the attackers have been wielding multiple exploit chains to compromise victims.
While Oracle patched the zero-day, CVE-2025-61882, on Saturday, “Mandiant has observed multiple different exploit chains involving Oracle EBS and it is likely that a different chain was the basis for the Oct. 2 advisory that originally suggested a known vulnerability was being exploited,” researchers said.
Google-owned Mandiant referenced threat-intelligence firm watchTowr’s analysis of a leaked exploit chain for CVE-2025-61882, published Monday, which found that it involves “five distinct bugs orchestrated together to achieve pre-authenticated remote code execution.”
Google investigators have yet to identify every exploit chain attackers used, but say they believe that by installing the Saturday update to mitigate CVE-2025-61882, EBS installations will no longer be vulnerable to any of the exploit chains Clop has wielded.
Successful exploits have been using “at least two different chains of Java payloads” that get installed in the EBS database, including a downloader tracked as Goldvein.java, an earlier version of which, written in PowerShell, was first seen in the Cleo attacks in December 2024, they said. The attacks have also been using multiple Java payloads tracked as Sage: a Sagegift payload built to load an in-memory dropper called Sageleaf, which in turn installs a malicious Java servlet filter called Sagewave. Sagewave allows the actor to “deploy an AES-encrypted ZIP archive with Java classes in it,” the researchers said, enabling attackers to execute various commands in the compromised EBS environment.
The researchers released indicators of compromise associated with the attacks so potential victims can hunt for signs of compromise, as well as additional mitigation recommendations. Above all, they advise prioritizing the installation of emergency patches released Saturday, designed to stop exploitation of the zero-day vulnerability. “Given the active, in-the-wild exploitation, this is the most critical step to prevent initial access,” they said.
Google said that while multiple signs point to Clop being involved in these attacks, it has yet to formally attribute them to the group. Confusingly, the Telegram group “Scattered Lapsus$ Hunters,” run by the ransomware collective mashup of the same name, on Oct. 3 leaked exploit code for EBS flaws.
No evidence so far gathered points to that exploit being used for in-the-wild attacks before then, Google said, leading it to currently not “assess that actors associated with UNC6240 – aka ‘Shiny Hunters’ – were involved in this exploitation activity” for which a Clop affiliate has claimed credit.