Oracle

Hackers linked to the **Clop ransomware gang** exploited zero-day vulnerabilities in **Oracle E-Business Suite**, critical enterprise software used globally to manage customer databases, employee records, and HR files. The attackers compromised hundreds of email accounts, abused the default password-reset function to gain unauthorized access to Oracle E-Business Suite web portals, and exfiltrated sensitive corporate data. They then launched an extortion campaign, sending threatening emails to executives at numerous large organizations and demanding ransom payments (**$50 million in one case**) under the threat of leaking the stolen data on Clop's public leak site. Google's Mandiant team has not yet verified the full extent of the breach, but because the attack leveraged Oracle's widely used business software, it could expose **tens of millions of individuals' personal and financial records**. The incident highlights the systemic risk of supply-chain attacks, where a single vulnerability in a major vendor like Oracle can cascade across thousands of dependent enterprises.

Source: https://techcrunch.com/2025/10/02/hackers-are-sending-extortion-emails-to-executives-after-claiming-oracle-apps-data-breach/

TPRM report: https://www.rankiteo.com/company/oracle

```json
{
  "id": "ora0193001100225",
  "linkid": "oracle",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
```
```python
{'affected_entities': [{'customers_affected': 'numerous large organizations '
                                              '(exact number unspecified)',
                        'industry': 'technology',
                        'location': 'global',
                        'name': 'Oracle (via Oracle E-Business Suite)',
                        'size': 'large (thousands of organizations use Oracle '
                                'E-Business Suite)',
                        'type': 'software vendor'}],
 'attack_vector': ['compromised email accounts',
                   'abuse of default password-reset function',
                   'zero-day vulnerabilities'],
 'data_breach': {'data_exfiltration': 'claimed by threat actor',
                 'number_of_records_exposed': 'tens of millions (estimated)',
                 'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high (includes PII and corporate HR '
                                        'data)',
                 'type_of_data_compromised': ['customer data',
                                              'employee information',
                                              'human resources files']},
 'date_detected': '2023-09-29',
 'date_publicly_disclosed': '2023-09-29',
 'description': 'Hackers associated with the Clop ransomware group are sending '
                'extortion emails to executives at large organizations, '
                "claiming to have stolen sensitive data from Oracle's "
                'E-Business Suite. The emails, sent from hundreds of '
                'compromised accounts, include contact addresses listed on '
                'Clop’s data leak site. The group is known for exploiting '
                'zero-day vulnerabilities to breach multiple organizations '
                'simultaneously. In one case, a $50 million ransom was '
                'demanded. The hackers abused Oracle’s default password-reset '
                'function to gain access to web-portals.',
 'impact': {'brand_reputation_impact': 'potential reputational damage due to '
                                       'extortion threats and data breach '
                                       'claims',
            'data_compromised': ['customer databases',
                                 'employee information',
                                 'human resources files'],
            'identity_theft_risk': 'high (due to compromised PII in HR and '
                                   'customer databases)',
            'systems_affected': ['Oracle E-Business Suite web-portals']},
 'initial_access_broker': {'entry_point': ['compromised email accounts',
                                           'Oracle E-Business Suite '
                                           'web-portals'],
                           'high_value_targets': ['executives at large '
                                                  'organizations']},
 'investigation_status': 'ongoing (claims not yet substantiated by '
                         'Google/Mandiant)',
 'motivation': 'financial gain',
 'post_incident_analysis': {'root_causes': ['exploitation of zero-day '
                                            'vulnerabilities in Oracle '
                                            'E-Business Suite',
                                            'abuse of default password-reset '
                                            'functionality',
                                            'compromised email accounts used '
                                            'for phishing']},
 'ransomware': {'data_exfiltration': 'claimed by threat actor',
                'ransom_demanded': '$50 million (in at least one case)',
                'ransomware_strain': 'Clop'},
 'references': [{'source': 'TechCrunch', 'url': 'https://techcrunch.com'},
                {'source': 'Bloomberg', 'url': 'https://bloomberg.com'}],
 'response': {'communication_strategy': 'public disclosure via media '
                                        '(TechCrunch, Bloomberg); anonymous '
                                        'reporting channel for affected '
                                        'executives',
              'incident_response_plan_activated': 'yes (by affected '
                                                  'organizations and firms '
                                                  'like Halcyon and Mandiant)',
              'third_party_assistance': ['Mandiant (Google’s incident response '
                                         'unit)',
                                         'Halcyon (counter-ransomware firm)']},
 'stakeholder_advisories': 'executives at affected organizations advised to '
                           'report extortion attempts securely',
 'threat_actor': 'Clop ransomware gang',
 'title': 'Clop Ransomware Group Targets Executives with Extortion Emails '
          'After Alleged Oracle E-Business Suite Data Theft',
 'type': ['ransomware', 'data breach', 'extortion'],
 'vulnerability_exploited': ['unknown zero-day vulnerabilities in Oracle '
                             'E-Business Suite',
                             'default password-reset function abuse']}
```