Hackers linked to the Russian ransomware gang **Clop (FIN11)** are exploiting vulnerabilities in **Oracle E-Business Suite**, a critical enterprise platform that manages finance, HR, and supply chain data. The threat actors claim to have stolen sensitive corporate information and are conducting a **high-volume extortion campaign**, targeting executives across multiple organizations via compromised email accounts. While the exact scope of the breach remains unconfirmed, the group has historically leveraged stolen data for ransom demands rather than for system disruption. Oracle previously disclosed a **January 2024 incident** in which hackers accessed legacy systems and stole client credentials, raising concerns about credential reuse and exposure. The current campaign, launched on **September 29, 2024**, mirrors Clop's past tactics, such as the **MOVEit attacks**, which impacted **2,773 organizations** and exposed **96 million records**. The group has demanded ransoms under the threat of leaking stolen data, using email addresses tied to Clop's official leak site. Mandiant and Google Threat Intelligence Group (GTIG) are investigating but have not yet verified the full extent of the breach or the legitimacy of the stolen data claims.
Source: https://therecord.media/possible-clop-campaign-extortion-executives-stolen-data
TPRM report: https://www.rankiteo.com/company/oracle
{
  "id": "ora1092210100225",
  "linkid": "oracle",
  "type": "Ransomware",
  "date": "1/2024",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{
  'affected_entities': [
    {
      'customers_affected': 'Numerous Organizations (Exact Number Undisclosed)',
      'industry': 'Technology/Enterprise Software',
      'location': 'Global (HQ: Redwood Shores, California, USA)',
      'name': 'Oracle (Primary Target)',
      'size': 'Large (Fortune 100)',
      'type': 'Corporation',
    }
  ],
  'attack_vector': [
    'Phishing/Spoofed Emails',
    'Exploitation of Vulnerabilities in Oracle E-Business Suite',
    'Compromised Accounts',
  ],
  'data_breach': {
    'data_exfiltration': 'Claimed by Threat Actor (Unverified)',
    'personally_identifiable_information': 'Potential (If HR Data Compromised)',
    'sensitivity_of_data': 'High (Enterprise-Critical and Potentially PII)',
    'type_of_data_compromised': [
      'Potentially Finance, HR, Supply Chain Data',
      'Client Credentials (from January Incident)',
    ],
  },
  'date_detected': '2023-09-29',
  'date_publicly_disclosed': '2023-10-04',
  'description': (
    "Hackers possibly connected to the Russian ransomware gang Clop (FIN11) are "
    "attempting to extort corporate executives by threatening to leak sensitive "
    "information allegedly stolen through Oracle's E-Business Suite. The campaign, "
    "tracked by Mandiant and Google Threat Intelligence Group (GTIG), involves "
    "extortion emails sent from compromised accounts, with claims of data theft "
    "from Oracle’s widely used business platform. The group has historically "
    "exploited vulnerabilities in file transfer tools (e.g., MOVEit, GoAnywhere) "
    "to steal and sell data for ransom. Investigations are ongoing, and the "
    "veracity of the claims remains unconfirmed."
  ),
  'impact': {
    'brand_reputation_impact': 'High (Potential Reputation Damage Due to Extortion Threats)',
    'data_compromised': ['Potentially Finance, HR, and Supply Chain Data (Oracle E-Business Suite)'],
    'identity_theft_risk': 'Potential (If PII Stolen)',
    'systems_affected': ['Oracle E-Business Suite'],
  },
  'initial_access_broker': {
    'data_sold_on_dark_web': 'Potential (Historical Clop TTPs)',
    'entry_point': [
      'Compromised Email Accounts',
      'Potential Exploitation of Oracle E-Business Suite Vulnerabilities',
    ],
    'high_value_targets': ['Corporate Executives', 'Finance/HR/Supply Chain Data'],
  },
  'investigation_status': 'Ongoing (Early Stages)',
  'motivation': 'Financial Gain (Extortion/Ransom)',
  'ransomware': {
    'data_exfiltration': 'Claimed (Unverified)',
    'ransomware_strain': 'Clop (Claimed Affiliation)',
  },
  'references': [
    {'date_accessed': '2023-10-04', 'source': 'Recorded Future News'},
    {'date_accessed': '2023-10-04', 'source': 'Mandiant/GTIG Warning'},
    {'source': 'CISA Advisory (January 2023 Oracle Incident)', 'url': 'https://www.cisa.gov/'},
    {'source': 'Emsisoft (MOVEit Impact Report)'},
  ],
  'regulatory_compliance': {
    'regulatory_notifications': ['CISA Warning (January Incident, Potentially Linked)'],
  },
  'response': {
    'communication_strategy': [
      'Public Warning via Cybersecurity Firms (Mandiant, GTIG)',
      'Media Outreach (Recorded Future News)',
    ],
    'incident_response_plan_activated': True,
    'third_party_assistance': ['Mandiant (Google Cloud)', 'Google Threat Intelligence Group (GTIG)'],
  },
  'stakeholder_advisories': ['Mandiant/GTIG Warning to Corporate Executives'],
  'threat_actor': ['Clop (FIN11)', 'Potentially Impersonating Clop'],
  'title': 'Clop Ransomware Gang Targets Oracle E-Business Suite in Extortion Campaign',
  'type': ['Data Breach', 'Extortion', 'Potential Ransomware'],
}