The recent data theft and extortion campaign targeting Oracle E-Business Suite customers has been confirmed to be the work of the notorious Cl0p ransomware group, and Oracle has admitted that the hackers exploited a zero-day vulnerability.
The attacks targeting Oracle E-Business Suite (EBS) customers came to light last week, when Google Threat Intelligence Group (GTIG) and Mandiant warned that executives at many organizations using the enterprise resource planning product had received extortion emails.
The emails, apparently sent by the Cl0p group, informed recipients that sensitive data had been stolen from their Oracle EBS instance and urged them to get in touch with the cybercriminals.
GTIG and Mandiant researchers, who found that the emails were coming from compromised accounts previously associated with the FIN11 cybercrime group, initially could not confirm that Cl0p was behind the attacks. However, the researchers have now confirmed that Cl0p is indeed responsible.
This is not surprising, considering that Cl0p previously carried out several similar campaigns, including ones targeting Cleo, MOVEit, and Fortra file transfer products through the exploitation of zero-day vulnerabilities.
Charles Carmakal, CTO of Mandiant, explained that the hackers stole data from EBS customers in August and started sending out extortion emails in late September.
While Oracle initially said the recent EBS data theft campaign involved the exploitation of unspecified vulnerabilities patched in July, on Saturday the software giant's CSO, Rob Duhart, confirmed that a zero-day has also been leveraged by the attackers.
The zero-day flaw is tracked as CVE-2025-61882 and can be exploited for remote code execution by an unauthenticated attacker, meaning no credentials are required.
The vulnerability, which affects Oracle E-Business Suite versions 12.2.3 through 12.2.14, has been assigned a 'critical' severity rating with a CVSS score of 9.8. The security hole is in the BI Publisher Integration component of Oracle Concurrent Processing.
Oracle has released patches and shared indicators of compromise (IoCs) that customers can use to detect potential attacks. Because data was stolen in August, well before the patch became available, applying the fix does not by itself rule out an earlier intrusion, so customers should check for the IoCs as well.
Mandiant has confirmed that the Cl0p attacks exploited both CVE-2025-61882 and the vulnerabilities patched in July.
Other threat actors are now expected to add the vulnerabilities exploited in this campaign to their arsenal.
"Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), regardless of when the patch is applied, organizations should examine whether they were already compromised," Carmakal warned.
The cybercrime groups Scattered Spider and ShinyHunters, which recently announced their retirement but continue to be active, may also be involved in the Oracle attack. The hackers created a new Telegram channel and posted what appear to be the EBS exploits used in the attack.
Related: Red Hat Confirms GitLab Instance Hack, Data Theft
Related: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability