Oracle links Extortion Campaign

Software giant Oracle confirmed reports that dozens of its customers have received extortion emails from cybercriminals demanding payment in exchange for not releasing troves of stolen information.  In a statement published last week, Oracle chief security officer Rob Duhart said they are investigating claims made by the Clop ransomware gang that there was a breach of some Oracle E-Business Suite customers.  “Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart said.  “Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.”

Oracle did not explain which vulnerabilities in the July update were exploited, or whether any exploitation occurred after the update was released.[1]

Incident responders at Mandiant and Google Threat Intelligence Group (GTIG) released a warning about the incident on 1 October, explaining that they were tracking a campaign launched by a threat actor potentially linked to Clop, a gang that previously made a name for itself with high-profile data thefts involving file transfer tools. 

The latest campaign, according to the incident responders, involves data the hackers said was stolen through the Oracle E-Business Suite, a widely used business platform containing several applications that manage finance, human resources and supply chain functions. 

Genevieve Stark, a senior cybercrime investigator at GTIG, said the team believes the campaign started on 29 September but is still in the early stages of multiple investigations.  Extortion emails threaten to either publish victim company data or sell it on the dark web.

Cynthia Kaiser, former Deputy Director of the FBI’s Cyber Division who now works for incident response firm Halcyon, said the first observed email contact from Clop began in late September.  “We have seen seven and eight figure demands thus far,” Kaiser said of Clop’s ransom demands.

Kaiser explained that the threat actors shared screenshots and filetree listings to prove they had accessed data, noting that the tactics used aligned with previous Clop campaigns.  After emerging in 2019, Clop targeted vulnerabilities in internet-facing file sharing software from Cleo, MOVEit, GoAnywhere and Accellion.

The Clop hacking group, also known as Cl0p, is a well-known cybercriminal organization that specializes in ransomware and data extortion attacks.  Clop emerged in 2019 and has since orchestrated numerous high-profile campaigns targeting organizations worldwide.  The group is notorious for exploiting vulnerabilities in widely used enterprise software to gain unauthorized access to sensitive data, which they leverage to demand substantial ransom payments.  Their tactics often include not only encrypting data but also stealing it, followed by threatening to publish or sell the information unless their demands are met.  Clop has previously targeted vulnerabilities in internet-facing file sharing solutions such as Cleo, MOVEit, GoAnywhere, and Accellion, establishing a pattern of exploiting trusted business platforms to maximize their impact.

Clop's operations are characterized by sophisticated intrusion techniques and highly organized extortion attempts, often sending emails to victim companies with proof of data access, such as screenshots and filetree listings.  The group’s activities have drawn the attention of cybersecurity experts and law enforcement agencies globally, highlighting the importance of timely software patching and robust incident response strategies to defend against such threats.

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://therecord.media/oracle-links-extortion-campaign-to-patched-vulnerabilities/
