Over 100 Organizations Affected in Oracle Hacking Campaign by CL0P Ransomware

Published
Written by:
Lore Apostol
Cybersecurity Writer

A widespread and ambitious Oracle hacking campaign has compromised dozens of organizations, according to a recent Google cybersecurity analysis. However, reports say the number of impacted organizations could exceed one hundred.

The operation, which may have commenced as early as three months ago, targets Oracle's E-Business Suite (EBS)—a set of applications used by enterprises to manage critical business processes such as logistics, manufacturing, and customer relations. 

Over 100 Victims

Google's analysis indicates that the threat actors exfiltrated “mass amounts of customer data,” suggesting significant data breach risks for the affected companies. Google analyst Austin Larsen told Reuters that the tech giant is aware of dozens of victims for now. “Based on the scale of previous CL0P campaigns, it is likely there are over a hundred.”

Actively Exploited Oracle Vulnerability

Initially, Oracle acknowledged that some corporate executives received extortion emails linked to previously identified vulnerabilities patched in July. Soon after, Oracle chief security officer Rob Duhart said the tech giant released a new patch to fix a newly identified zero-day vulnerability in its EBS, versions 12.2.3-12.2.14. 

The security advisory said the flaw, tracked as CVE-2025-61882, is remotely exploitable without authentication, and its exploitation could lead to remote code execution.

CVE-2025-61882 is a vulnerability in the BI Publisher Integration component of Oracle Concurrent Processing within Oracle EBS that allows an unauthenticated attacker to send specially crafted HTTP requests to the affected component, resulting in full system compromise.

CL0P Group Linked to Intrusions

Google has attributed the sophisticated intrusions to CL0P, a well-known cybercriminal group that was linked to the MOVEit and Cleo incidents. This assessment is based on the operational tactics and the scale of the attack, which align with previous CL0P cyberattacks. 

The group is known for exploiting vulnerabilities in third-party software and service providers to execute wide-ranging compromises. According to Google analysts, the level of investment in pre-attack research suggests the threat actor dedicated significant resources to planning the operation. 

Oracle previously confirmed that there was extortion activity directed at its customers, a hallmark of CL0P's methodology. “Clop has been sending extortion emails to several victims since last Monday,” said Charles Carmakal, Chief Technology Officer at Mandiant.

Implications for Enterprise Security

The campaign highlights the substantial risk posed by vulnerabilities within critical enterprise software suites. By targeting Oracle's EBS, the attackers gained access to the core operational data of numerous businesses. 

The U.K. National Cyber Security Centre (NCSC) issued the following recommendations:

