
Oracle E-Enterprise Suite Zero-Day Exploited in Cl0p Attacks

The recent data theft and extortion campaign targeting Oracle E-Business Suite customers has been confirmed to be the work of the notorious Cl0p ransomware group, and Oracle has admitted that the hackers exploited a zero-day vulnerability.

The attacks targeting Oracle E-Business Suite (EBS) customers came to light last week, when Google Threat Intelligence Group (GTIG) and Mandiant warned that executives at many organizations using the enterprise resource planning product had received extortion emails.

The emails, apparently coming from the Cl0p group, informed recipients that sensitive data had been stolen from their Oracle EBS instance and urged them to get in touch with the cybercriminals.

GTIG and Mandiant researchers, who found that the emails were coming from compromised accounts previously associated with the FIN11 cybercrime group, initially could not confirm that Cl0p was behind the attacks. However, the researchers have now confirmed that Cl0p is indeed responsible.


This is not surprising considering that Cl0p previously conducted several other similar campaigns, including ones targeting Cleo, MOVEit, and Fortra file transfer products through the exploitation of zero-day vulnerabilities.

Charles Carmakal, CTO of Mandiant, explained that the hackers stole data from EBS customers in August and started sending out extortion emails in late September.

While Oracle initially said the recent EBS data theft campaign involved the exploitation of unspecified vulnerabilities patched in July, on Saturday the software giant's CSO, Rob Duhart, confirmed that a zero-day has also been leveraged by the attackers.

The zero-day flaw is tracked as CVE-2025-61882 and can be exploited for remote code execution by an unauthenticated attacker.

The vulnerability, which affects Oracle E-Business Suite versions 12.2.3-12.2.14, has been assigned a 'critical' severity rating with a CVSS score of 9.8. The security hole affects the BI Publisher Integration component of Oracle Concurrent Processing.

Oracle has released patches and shared indicators of compromise (IoCs) that customers can use to detect potential attacks.


Mandiant has confirmed that the Cl0p attacks exploited vulnerabilities patched in July alongside CVE-2025-61882.

Other threat actors are now expected to add the vulnerabilities exploited in this campaign to their arsenal.

"Given the broad mass 0-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), regardless of when the patch is applied, organizations should examine whether they were already compromised," Carmakal warned.

The cybercrime groups Scattered Spider and ShinyHunters, which recently announced their retirement but continue to be active, may also be involved in the Oracle attack. The hackers created a new Telegram channel and posted what appear to be the EBS exploits used in the attack.
