Google's threat intelligence team and Mandiant have tracked a large-scale extortion campaign that began last month. The company's security researchers have warned that the hackers are targeting companies that use Oracle E-Business Suite (EBS). The threat actors, who claim an affiliation with the CL0P extortion brand, sent a high volume of emails to executives at numerous organisations, claiming that sensitive data had been stolen from the recipients' Oracle EBS environments. Oracle later reported that the hackers may have exploited vulnerabilities that were patched in July. Earlier this month, Oracle recommended that customers apply the latest Critical Patch Update. A Google blog post has since advised Oracle customers to apply the emergency patches immediately and has outlined steps for determining whether they have been affected: hunt for malicious database templates, restrict outbound internet access from EBS servers, monitor network logs for suspicious activity, and use memory forensics to establish whether a server was compromised.
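Two of the steps above, restricting outbound internet access and reviewing network logs, go together: once an EBS application host is only allowed to reach an explicit set of destinations, any outbound connection outside that set is a lead worth investigating. The following is an added example, not code from Google, Mandiant or Oracle, that applies such an egress allow-list to connection records. The flow records, the internal network ranges and the approved external destination are all constructed for illustration (the external addresses are RFC 5737 documentation ranges), and the record format is an assumption; a real deployment would read its own firewall or flow logs.

```python
"""Egress review for an Oracle EBS application host against an allow-list.

Added example, not Google's, Mandiant's or Oracle's code. The flow records and
the policy values below are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample of outbound connection records from one EBS app-tier host.
# Assumed format: timestamp, source IP, destination IP, destination port, protocol.
SAMPLE_FLOWS = """\
2025-10-02T03:14:07Z 10.20.1.15 10.20.2.40 1521 tcp
2025-10-02T03:14:09Z 10.20.1.15 10.20.0.53 53 udp
2025-10-02T03:15:22Z 10.20.1.15 203.0.113.10 443 tcp
2025-10-02T03:16:01Z 10.20.1.15 198.51.100.77 443 tcp
2025-10-02T03:16:05Z 10.20.1.15 192.0.2.33 8443 tcp
this line is malformed and is skipped
"""

# Assumed policy (hypothetical values): the app tier may reach internal networks
# and exactly one approved external destination, e.g. an outbound proxy or patch
# mirror. Everything else is flagged. Documentation ranges are used for the
# external addresses; do not rely on ipaddress.is_private here, because Python
# classifies the RFC 5737 ranges as private too.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
APPROVED_EXTERNAL = {(ipaddress.ip_address("203.0.113.10"), 443)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst_port: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for malformed lines instead of aborting."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    int(port), proto.lower())
    except ValueError:
        return None


def is_internal(addr: ipaddress.IPv4Address | ipaddress.IPv6Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def is_approved(flow: Flow) -> bool:
    """Internal destinations are always allowed; external ones must match the list."""
    if is_internal(flow.dst):
        return True
    return (flow.dst, flow.dst_port) in APPROVED_EXTERNAL


def find_unapproved_egress(log_text: str) -> list[Flow]:
    """Return every parseable flow that leaves the allow-list, in log order."""
    hits: list[Flow] = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is not None and not is_approved(flow):
            hits.append(flow)
    return hits


def summarize(flows: list[Flow]) -> dict[str, int]:
    """Count flagged flows per destination so repeat beacons stand out."""
    counts: dict[str, int] = {}
    for f in flows:
        key = f"{f.dst}:{f.dst_port}/{f.proto}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = find_unapproved_egress(SAMPLE_FLOWS)
    for f in flagged:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dst_port}/{f.proto}  not in egress allow-list")
    print(summarize(flagged))
```

In the constructed sample the database and DNS connections pass as internal, the approved external destination passes, and the two remaining connections to unlisted internet hosts are flagged for review. The same allow-list, expressed as firewall rules on the host or network edge, is the preventive half of the control; the review above is the detective half that catches what the rules were not yet blocking.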
Google explains how hackers are targeting Oracle customers
Google claimed that the attackers may have exploited a zero-day vulnerability starting in August, weeks before Oracle released a patch, and that some suspicious activity dates back to July. The CL0P data leak site was established in 2020 and has been used for extortion operations since, the researchers noted.
Recently, most victims have been associated with data theft resulting from the exploitation of zero-day vulnerabilities in Oracle EBS and file transfer systems. The attackers typically conduct mass exploitation, steal data, and only begin extortion attempts weeks later, Google noted.
Last month, the attacker launched a high-volume email campaign using hundreds or thousands of compromised third-party accounts. These credentials likely came from stolen password databases sold on underground forums. The emails, sent to company executives, claimed the attacker had breached their Oracle EBS systems and stolen documents.
The emails contained contact addresses that have been listed on the CL0P site since at least May. As proof of access, the attacker provided legitimate file listings from victim systems dating back to mid-August, Google said.
The extortion emails indicated victims could prevent data release by making a payment, though the amount and method were not specified.
Google has not yet observed victims from this campaign posted on the CL0P site, which is consistent with past campaigns, where the actors typically waited several weeks before publishing victim data.
Oracle has released a patch for the security flaw, and Google assesses that EBS servers updated with this patch are likely no longer vulnerable to the known exploitation methods. Patching closes the entry point but does not undo a compromise that has already occurred, which is why the hunting steps above are still recommended for servers that were exposed before the update was applied.