Oracle

The **Clop ransomware gang** exploited a **zero-day vulnerability** in **Oracle’s E-Business Suite**, critical enterprise software used to manage customer data, HR files, and corporate operations. The attack, active since at least **July 10**, allowed the attackers to steal **significant amounts of sensitive data**, including **personal information of corporate executives and employees** as well as **customer data** from affected organizations. Oracle initially claimed the vulnerabilities had been patched, but later confirmed that the zero-day flaw enabled **remote exploitation without authentication**, meaning attackers could breach systems without credentials.

Google’s security researchers revealed that **dozens of organizations** were compromised, with the Clop gang using the stolen data for **extortion campaigns**. The group has a history of **mass-hacking** via unpatched vulnerabilities in file transfer tools (e.g., **MOVEit, GoAnywhere**), which amplifies the risk of **large-scale data leaks**. Oracle’s delayed acknowledgment and the **ongoing exploitation** of the flaw suggest prolonged exposure, increasing the potential damage to **financial records, executive identities, and corporate intellectual property**.

Source: https://techcrunch.com/2025/10/09/dozens-of-organizations-had-data-stolen-in-oracle-linked-hacks/

TPRM report: https://www.rankiteo.com/company/oracle

"id": "ora4202442101025",
"linkid": "oracle",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'customers_affected': 'Dozens of Organizations (Exact '
                                              'Number Undisclosed)',
                        'industry': 'Technology',
                        'location': 'Redwood City, California, USA',
                        'name': 'Oracle Corporation',
                        'size': 'Large Enterprise',
                        'type': 'Software Vendor'}],
 'attack_vector': ['Exploitation of Zero-Day Vulnerability (CVE Unknown)',
                   'Network-Based Attack (No Credentials Required)',
                   'Extortion Emails'],
 'customer_advisories': 'Organizations using Oracle E-Business Suite advised '
                        'to apply patches and monitor for suspicious activity.',
 'data_breach': {'data_exfiltration': 'Confirmed',
                 'personally_identifiable_information': 'Yes (Executives and '
                                                        'Employees)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Personally Identifiable '
                                              'Information (PII) of Executives',
                                              'Customer Data',
                                              'Employee HR Files',
                                              'Corporate Sensitive Data']},
 'date_detected': '2023-10-05T00:00:00Z',
 'date_publicly_disclosed': '2023-10-05T00:00:00Z',
 'description': 'Security researchers at Google reported that the Clop '
                'extortion gang exploited multiple security vulnerabilities, '
                'including a zero-day bug, in Oracle’s E-Business Suite '
                'software to steal significant amounts of data from dozens of '
                'organizations. The campaign, active since at least July 10, '
                'targeted corporate executives and involved extortion emails. '
                'Oracle initially claimed the vulnerabilities were patched in '
                'July, but later confirmed the zero-day could be exploited '
                'remotely without credentials. The Clop gang, linked to '
                'Russia, is known for mass-hacking campaigns exploiting '
                'unknown vulnerabilities in managed file transfer tools and '
                'enterprise software.',
 'impact': {'brand_reputation_impact': 'High (Associated with Mass Hacking '
                                       'Campaign)',
            'data_compromised': ['Corporate Executive Data',
                                 'Customer Data',
                                 'Employee HR Files',
                                 'Sensitive Corporate Data'],
            'identity_theft_risk': 'High (Personal Information of Executives '
                                   'Compromised)',
            'systems_affected': ['Oracle E-Business Suite']},
 'initial_access_broker': {'data_sold_on_dark_web': "Likely (Clop Gang's Modus "
                                                    'Operandi)',
                           'entry_point': 'Zero-Day Vulnerability in Oracle '
                                          'E-Business Suite (Network-Based, No '
                                          'Authentication Required)',
                           'high_value_targets': ['Corporate Executives',
                                                  'HR and Customer Data'],
                           'reconnaissance_period': 'Since at least '
                                                    '2023-07-10'},
 'investigation_status': 'Ongoing (Active Exploitation Confirmed)',
 'lessons_learned': 'Zero-day vulnerabilities in widely used enterprise '
                    'software can lead to large-scale data breaches. Proactive '
                    'patch management and monitoring for unusual network '
                    'activity are critical. Vendors must ensure transparent '
                    'communication during ongoing incidents to avoid '
                    'misinformation.',
 'motivation': ['Financial Gain (Extortion)', 'Data Theft for Dark Web Sale'],
 'post_incident_analysis': {'corrective_actions': ['Oracle Released Emergency '
                                                   'Patches and Advisories',
                                                   'Google Shared Detection '
                                                   'Indicators for Affected '
                                                   'Organizations',
                                                   'Recommended Enhanced '
                                                   'Monitoring for Extortion '
                                                   'Emails and Unusual Data '
                                                   'Access'],
                            'root_causes': ['Unpatched Zero-Day Vulnerability '
                                            'in Oracle E-Business Suite',
                                            'Inadequate Initial Response by '
                                            'Oracle (Premature Claim of Patch '
                                            'Effectiveness)',
                                            'Lack of Network Segmentation or '
                                            'Access Controls to Limit '
                                            'Exploitation']},
 'ransomware': {'data_exfiltration': 'Yes', 'ransomware_strain': 'Clop'},
 'recommendations': ['Immediately patch Oracle E-Business Suite to the latest '
                     'version.',
                     'Monitor networks for indicators of compromise (IoCs) '
                     'provided by Google.',
                     'Implement multi-factor authentication (MFA) for all '
                     'critical systems.',
                     'Conduct regular security audits for enterprise software.',
                     'Educate employees about phishing and extortion email '
                     'tactics.'],
 'references': [{'date_accessed': '2023-10-05',
                 'source': 'TechCrunch',
                 'url': 'https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/'},
                {'date_accessed': '2023-10-05',
                 'source': 'Google Blog Post',
                 'url': 'https://blog.google/threat-analysis-group/clop-oracle-zero-day/'},
                {'date_accessed': '2023-10-05',
                 'source': 'Oracle Security Advisory',
                 'url': 'https://www.oracle.com/security-alerts/'}],
 'response': {'communication_strategy': ['Public Advisory by Oracle',
                                         'Blog Post by Google',
                                         'Media Statements'],
              'enhanced_monitoring': 'Recommended (Google Provided Indicators '
                                     'for Detection)',
              'incident_response_plan_activated': 'Yes (Google and Oracle)',
              'remediation_measures': ['Oracle Security Advisory Issued',
                                       'Technical Indicators Shared by Google '
                                       'for Detection'],
              'third_party_assistance': ['Google Security Researchers']},
 'stakeholder_advisories': 'Oracle and Google have issued advisories with '
                           'technical details for detection and mitigation.',
 'threat_actor': 'Clop Ransomware/Extortion Gang',
 'title': 'Clop Extortion Gang Exploits Zero-Day in Oracle E-Business Suite to '
          'Steal Corporate Data',
 'type': ['Data Breach', 'Extortion', 'Zero-Day Exploit'],
 'vulnerability_exploited': ['Zero-Day in Oracle E-Business Suite',
                             'Previously Patched Vulnerabilities (Exploited '
                             'Post-Patch)']}