A wide range of organizations have received extortion emails from hackers who claim to have stolen sensitive data from their Oracle E-Business Suite instances, Google's Threat Intelligence Group and Mandiant unit warn.
Oracle E-Business Suite (EBS) is a collection of integrated business applications used by large organizations to automate and manage business processes. Oracle says thousands of organizations around the world use this enterprise resource planning (ERP) system.
According to Google Threat Intelligence Group (GTIG) and Mandiant, the malicious activity allegedly targeting Oracle EBS appears to have started on or around September 29. The attackers have sent extortion emails to executives at "numerous" companies, claiming to be affiliated with the notorious Cl0p cybercrime group.
GTIG and Mandiant researchers have described the attacks as a high-volume email campaign leveraging hundreds of compromised accounts, including ones previously linked to a profit-driven threat group named FIN11. This long-running cybercrime gang is known to engage in ransomware deployment and extortion.
The researchers also found some evidence indicating a connection to Cl0p. Specifically, the contact information provided by the attackers in the emails sent to targeted organizations matches contact addresses listed on the Cl0p leak website.
Mandiant and GTIG said they are in the early stages of their investigations and could not confirm whether the hackers' claims are substantiated.
"It's important to note that while the tactics align with an extortion motive and the actor is explicitly claiming this connection, GTIG does not currently have sufficient evidence to definitively assess the veracity of these claims," said Charles Carmakal, CTO of Mandiant.
Carmakal added, "Attribution in the financially motivated cybercrime space is often complex, and actors frequently mimic established groups like Clop to increase leverage and pressure on victims."
If Cl0p or FIN11 hackers are confirmed to be behind the attacks, it would not come as a surprise. Both groups are known to launch campaigns that target many organizations through vulnerable software, often via the exploitation of zero-day flaws.
Cl0p last year claimed to have stolen data from dozens of organizations after exploiting a zero-day vulnerability in Cleo file transfer tools. The group previously managed to steal the information of tens of millions of users from thousands of organizations through the exploitation of a zero-day in MOVEit Transfer file transfer software.
In addition, Cl0p was blamed for a 2023 attack that involved a Fortra GoAnywhere managed file transfer product zero-day and which hit dozens of organizations.
A few years ago, the FIN11 group was behind a similar campaign that involved the theft of sensitive data from dozens of organizations that had been using an Accellion file transfer service. That campaign also involved the exploitation of a zero-day vulnerability.
In some campaigns analyzed in the past, researchers had found links between Cl0p and FIN11.
SecurityWeek has reached out to Oracle for comment and will update this article if the company responds.