A new extortion campaign targeted executives across multiple companies using **Oracle E-Business Suite**, with threat actors (potentially the **Clop ransomware gang/FIN11**) sending emails claiming theft of sensitive data. The campaign, active since at least **September 29, 2025**, leveraged **hundreds of compromised email accounts**, some linked to prior FIN11 activity. While the emails included contact details tied to Clop’s data leak site, **Mandiant and Google Cloud have not yet confirmed actual data theft**. The attackers may be exploiting vulnerabilities in Oracle’s platform, but no zero-day has been confirmed. Organizations were urged to investigate unusual access in their Oracle environments. Clop, known for **ransomware deployment and data extortion**, has historically exploited file transfer flaws (e.g., **Cleo zero-days in 2024**) to steal corporate data. The U.S. State Department offers a **$10M reward** for information linking Clop to foreign governments. The incident remains under investigation, with risks including **financial extortion, reputational damage, and potential data leaks** if the claims are substantiated.
TPRM report: https://www.rankiteo.com/company/oracle
"id": "ora4062140100225",
"linkid": "oracle",
"type": "Ransomware",
"date": "6/2024",
"severity": "75",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Multiple Companies (Executives Targeted)'}],
'attack_vector': ['Compromised Email Accounts',
'Potential Zero-Day Exploitation (Oracle E-Business Suite)'],
'customer_advisories': 'Recommended: Investigate Oracle E-Business Suite for '
'compromise',
'data_breach': {'data_exfiltration': 'Claimed (unsubstantiated)'},
'date_detected': '2025-09-29',
'date_publicly_disclosed': '2025-09-29',
'description': 'Mandiant and Google are tracking a new extortion campaign '
'where executives at multiple companies received emails '
'claiming that sensitive data was stolen from their Oracle '
'E-Business Suite systems. The campaign began in late '
'September 2025, with extortion emails sent from hundreds of '
'compromised accounts, some linked to the FIN11 threat group '
'(associated with Clop ransomware). The emails contain contact '
"addresses listed on Clop's data leak site, but there is "
'insufficient evidence to confirm if data was actually stolen. '
'Organizations are advised to investigate their Oracle '
'E-Business Suite environments for unusual access or '
'compromise.',
'impact': {'brand_reputation_impact': 'Potential (due to extortion claims)',
'systems_affected': ['Oracle E-Business Suite (potential)']},
'initial_access_broker': {'entry_point': 'Compromised Email Accounts',
'high_value_targets': 'Executives at multiple '
'companies'},
'investigation_status': 'Ongoing (early stages, claims unsubstantiated)',
'motivation': 'Financial Gain (Extortion)',
'ransomware': {'data_exfiltration': 'Claimed (unsubstantiated)',
'ransomware_strain': 'Clop (potential link)'},
'recommendations': ['Investigate Oracle E-Business Suite environments for '
'unusual access or compromise',
'Monitor for high-volume extortion email campaigns from '
'compromised accounts',
'Assess potential links to FIN11/Clop ransomware '
'activity'],
'references': [{'source': 'BleepingComputer'},
{'source': 'Mandiant (Google Cloud) & GTIG Analysis'},
{'source': 'U.S. State Department Rewards for Justice Program '
'(Clop)',
'url': 'https://www.state.gov/rewards-for-justice-program/'}],
'response': {'enhanced_monitoring': 'Recommended (for unusual access)',
'incident_response_plan_activated': 'Recommended (investigate '
'Oracle E-Business Suite '
'environments)',
'third_party_assistance': ['Mandiant (Google Cloud)', 'GTIG']},
'threat_actor': ['FIN11 (suspected)', 'Clop Ransomware Gang (potential link)'],
'title': 'Extortion Campaign Targeting Oracle E-Business Suite Systems',
'type': ['Extortion', 'Potential Data Breach', 'Phishing Campaign']}