American Airlines subsidiary Envoy Air has confirmed being impacted by the recent cybercrime campaign targeting organizations that use Oracle’s E-Business Suite (EBS) enterprise management solution.
American Airlines was listed late last week on the Tor-based leak website of the Cl0p ransomware group. The Oracle EBS campaign has been claimed in the name of Cl0p and it has been linked to a cybercrime group known as FIN11.
At the time of writing, the cybercriminals have made public the allegedly stolen American Airlines data, which totals more than 26 GB of archive files.
While the hackers named American Airlines on their leak website, it appears that in reality they targeted an Oracle EBS instance used by Envoy Air.
Texas-based Envoy Air describes itself as the largest regional carrier for American Airlines, with over 800 daily flights to more than 160 destinations under the American Eagle brand.
In a statement to the media, Envoy confirmed being impacted by the Oracle EBS campaign, but the company said its investigation has shown that customer or other sensitive data was not compromised.
Envoy admitted that “a limited amount of business information and commercial contact details may have been compromised”.
Harvard University was the first confirmed victim of the Oracle EBS hack. Other organizations have since been listed on the Cl0p leak website, including South Africa’s University of the Witwatersrand, Johannesburg.
The South African university confirmed in a statement posted on its website that it has been targeted, and said it is working on determining what data was compromised as a result of the attack. The hackers have already made public the files allegedly stolen from the University of the Witwatersrand.
The Cl0p website also lists industrial giant Emerson, but no data has been leaked at the time of writing. SecurityWeek has reached out to Emerson for comment.
Dozens of victims of the Oracle EBS campaign have received extortion emails from the attackers. The organizations that are now being listed on the Cl0p website are likely those that have refused to pay a ransom.
While the Oracle campaign has been linked to Cl0p and FIN11, it is worth mentioning that Google’s Mandiant tracks multiple threat clusters under the FIN11 umbrella, and it is unclear exactly which cluster is behind the attack.
It is also unclear which Oracle EBS vulnerabilities have been exploited in the attack. Oracle initially said known flaws patched in July were involved, and later announced patches for a zero-day (CVE-2025-61882) apparently exploited in the campaign. The software giant has also fixed CVE-2025-61884, another EBS flaw exposing sensitive data, but has not clarified whether it has also been exploited.