Google's threat intelligence team and Mandiant have tracked a large-scale extortion campaign that began last month. The company's security researchers have warned that in this campaign, hackers are targeting companies that use Oracle E-Business Suite (EBS). The threat actors, who claim an affiliation with the CL0P extortion brand, sent a high volume of emails to executives at numerous organisations. These messages falsely claimed that sensitive data had been stolen from the victims' Oracle EBS environments. Oracle later reported that the hackers may have exploited vulnerabilities that were patched in July. Earlier this month, Oracle recommended that customers apply the latest critical patch updates. Now, a Google blog post has also advised Oracle customers to apply emergency patches immediately and has shared steps to determine whether they have been affected. The company asked Oracle customers to hunt for malicious database templates, restrict outbound internet access, monitor network logs for suspicious activity and use memory forensics to establish whether their systems have been compromised.
Google explains how hackers are targeting Oracle customers
Google claimed that the attackers may have exploited a zero-day vulnerability starting in August, weeks before Oracle released a patch. Some suspicious activity dates back to July as well. The CL0P data leak site was established in 2020 and has been used for extortion operations, the researchers warned.
Recently, most victims have been associated with data theft resulting from the exploitation of zero-day vulnerabilities in Oracle EBS file transfer systems. The attackers typically conduct mass exploitation, steal data, and then begin extortion attempts weeks later, Google noted.
Last month, the attacker launched a high-volume email campaign using hundreds or thousands of compromised third-party accounts. These credentials likely came from stolen password databases sold on underground forums. The emails, sent to company executives, claimed the attacker had breached their Oracle EBS systems and stolen documents.
The emails contained contact addresses that have been listed on the CL0P site since at least May. The attacker provided legitimate file listings from victim systems, dating back to mid-August, Google claimed.
The extortion emails indicated victims could prevent data release by making a payment, though the amount and method were not specified.
Google has not yet observed victims from this campaign posted on the CL0P site, which is consistent with past campaigns, in which the actors typically waited several weeks before posting victim data.
Oracle has released a patch for the security flaw, and Google has assessed that EBS servers updated with this patch are likely no longer vulnerable to known exploitation methods.