Clop, the notorious ransomware group, began targeting Oracle E-Business Suite customers three months ago and started exploiting a zero-day affecting the enterprise platform to steal massive amounts of data from victims as early as Aug. 9, Google Threat Intelligence Group and Mandiant said in a report Thursday. 

“We’re still assessing the scope of this incident, but we believe it affected dozens of organizations. Some historic Clop data extortion campaigns have had hundreds of victims,” John Hultquist, chief analyst at GTIG, said in a statement. “Unfortunately large scale zero-day campaigns like this are becoming a regular feature of cybercrime.”

The new timeline provided by Google’s incident response firm and security researchers confirms malicious activity against Oracle E-Business Suite customers began almost three months before Clop sent extortion emails to executives of alleged victim organizations demanding payment on Sept. 29. 

Oracle disclosed the critical zero-day vulnerability — CVE-2025-61882 — Saturday, two days after it said its customers had received extortion emails following exploitation of vulnerabilities it previously identified and addressed in a July security update. 

The widespread attack spree actually involved at least five distinct defects, including the zero-day, that were chained together to achieve pre-authenticated remote code execution, watchTowr researchers said earlier this week.

Researchers at watchTowr reproduced the full exploit chain after obtaining a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“It’s currently unclear which specific vulnerabilities or exploit chains correspond to CVE-2025-61882, however, GTIG assesses that Oracle EBS servers updated through the patch released on Oct. 4 are likely no longer vulnerable to known exploitation chains,” Google said in the report.

Researchers identified suspicious traffic that may point to early attempts at exploitation prior to Oracle’s July security update, but Google has not confirmed the precise nature of that activity. 

Many customers remain exposed and potentially vulnerable to attacks. Shadowserver scans found 576 potentially vulnerable instances of Oracle E-Business Suite on Oct. 6, with the majority of those IPs based in the United States.

Clop’s ransom demands have reached up to $50 million, according to Halcyon. “We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

Investigations into Clop’s activity underscore the stealthy nature of the threat group’s operations, including the use of multi-stage fileless malware designed to evade file-based detection. Other critical details remain unknown and cybercriminals from other groups have complicated analysis through unsubstantiated claims. 

Mandiant said it observed artifacts on Oct. 3 that overlap with an exploit leaked in a Telegram group dubbed “Scattered LAPSUS$ Hunters.” Yet, Google hasn’t gathered enough evidence to definitively link the malicious July 2025 activity with this exploit. 

“At this time, GTIG does not assess that actors associated with UNC6240 (also known as “Shiny Hunters”) were involved in this exploitation activity,” Google said in the report. 

While multiple pieces of evidence indicate Clop is behind the attacks, Google said it’s possible other threat groups are involved.

Clop has successfully intruded multiple technology vendors’ systems, particularly file-transfer services, allowing it to steal data on many downstream customers. The threat group achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The post Dozens of Oracle customers impacted by Clop data theft for extortion campaign appeared first on CyberScoop.

Federal cyber authorities and threat hunters are on edge following Oracle’s Saturday disclosure of an actively exploited zero-day vulnerability the Clop ransomware group used to initiate a widespread data theft and extortion campaign researchers initially warned about last week. 

Oracle addressed the critical vulnerability — CVE-2025-61882 affecting Oracle E-Business Suite — in a security advisory Saturday and advised customers to apply the patch as soon as possible. The tech giant previously said it was aware some customers had received extortion emails and said vulnerabilities it addressed in its July security update were potentially involved. 

Rob Duhart, chief security officer at Oracle Security, updated his blog post Saturday to alert customers to the zero-day. Oracle did not say the zero-day is actively exploited but it provided indicators of compromise, which indirectly confirm the defect has been exploited in the wild. 

The Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to its known exploited vulnerabilities catalog Monday, noting that it has been used in ransomware campaigns. 

Brett Leatherman, assistant director of the FBI’s Cyber Division, described the zero-day as an emergency putting Oracle E-Business Suite environments at risk of full compromise. 

“Oracle E-Business Suite remains a backbone enterprise resource planning system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast,” he said in a LinkedIn post.

The zero-day isn’t the only problem confronting Oracle and its customers. Clop exploited multiple vulnerabilities, including the zero-day, in Oracle E-Business Suite to steal large amounts of data from several victims in August, according to Mandiant Consulting CTO Charles Carmakal. 

Researchers at watchTowr reproduced the full exploit chain after a proof of concept and published a flow chart depicting how attackers chained multiple vulnerabilities together. 

“The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution,” watchTowr researchers wrote in a blog post Monday. The cybersecurity firm said there is a high probability more vulnerabilities will be found in Oracle E-Business Suite tied to this campaign. 

The zero-day vulnerability, which has a CVSS rating of 9.8, can be exploited remotely without authentication, resulting in remote code execution. 

The significant lag time between when the attacks occurred and Oracle’s zero-day vulnerability disclosure indicates Clop was breaking into and stealing data from Oracle E-Business Suite customers’ environments for months. Researchers were not aware of the attacks until executives of alleged victim organizations received extortion emails demanding payment. 

CrowdStrike researchers said the first known exploitation occurred Aug. 9, eight weeks before Oracle disclosed and patched the zero-day defect. 

The number of organizations impacted by Clop’s attack spree remains unknown, yet researchers have identified victims across multiple sectors and geographies. Clop’s ransom demands have reached up to $50 million, according to Halcyon.

“We have seen seven- and eight-figure demands thus far,” Cynthia Kaiser, senior vice president of Halcyon’s ransomware research center, told CyberScoop.

“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” she said.

Clop is a ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. The threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. 

Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The group is driven by profit, as it operates within a Russia-aligned cybercrime environment, Kaiser said. “Clop’s operations can simultaneously extract financial value and produce outcomes useful to state actors, such as data collection, disruption, or pressure on targeted organizations.”

The post Oracle zero-day defect amplifies panic over Clop’s data theft attack spree appeared first on CyberScoop.

The software giant’s investigation showed that vulnerabilities patched in July 2025 may be involved.

The post Oracle Says Known Vulnerabilities Possibly Exploited in Recent Extortion Attacks appeared first on SecurityWeek.

Emails sent to Oracle customers by members of the Clop ransomware group assert that the cybercriminals are solely interested in a financial payout, framing the extortion as a business transaction rather than a politically motivated attack.  

The extortion emails were sent to executives of alleged victim organizations earlier this week, with attackers claiming they would provide victims copies of any three files or data rows upon request to verify their organization’s data was stolen. 

“But, don’t worry,” the attackers wrote in an extortion email, which CyberScoop obtained a copy of Thursday. “You can always save your data for payment. We do not seek political power or care about any business.”

Broken English and poor spelling appears throughout the email. The sender begins the message by introducing themselves as “CL0P team” and encourages the recipient to search for information about Clop on the internet if they haven’t heard of the highly prolific threat group.  

The extortion email is designed to achieve several goals: intimidate recipients, apply a deadline to create urgency, show proof of compromise and provide contact info to negotiate an extortion payment.  

“We always fulfil all promises and obligations,” the email said. “We are not interested in destroying your business. We want to take the money and you not hear from us again.”

Clop hasn’t made the claims public through its leak site. Researchers have yet to verify if a breach occurred or if the threat group is behind the attacks, yet the contact info in the emails has been previously used by the group.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The emails were sent from hundreds of compromised third-party accounts beginning on or before Monday, researchers said.

“The compromised accounts belong to various, unrelated organizations,” Austin Larsen, principal analyst at Google Threat Intelligence Group, told CyberScoop. “This is a common tactic where threat actors acquire credentials for legitimate accounts, often from infostealer malware logs sold on underground forums, to add a layer of legitimacy to their campaigns and help bypass spam filters.”

In the email obtained by CyberScoop, the sender claims to have carefully examined the data they allegedly stole, warning “that estimated financial losses, harm to reputation and regulatory fines are likely to materially exceed the amount claimed.” 

This tactic has appeared in previous extortion attacks wherein hackers mention accompanying effects of a compromise, such as legal penalties, as a reason to pay the ransom.

The extortion email ends with a threatening call to action, claiming the clock is ticking and data will be published in a few days. 

“Please convey this information to your executive and managers as soon as possible,” the attackers said in the email. “We advice not reach point of no return.”

The full text of the email is below:

Dearest executive,

We are CL0P team. If you haven’t heard about us, you can google about us on internet.

We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems.

But, don’t worry. You can always save your data for payment. We do not seek political power or care about any business.

So, your only option to protect your business reputation is to discuss conditions and pay claimed sum. In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers.

We always fulfil all promises and obligations.

We have carefully examined the data we got. And, regrettably for your company, this analysis shows that estimated financial losses, harm to reputation , and regulatory fines are likely to materially exceed the amount claimed.

Lower you see our contact email addresses:

[REDACTED]

[REDACTED]

As evidence, we can show any 3 files you ask or data row.

We are also ready to continue discussing the next steps after you confirm that you are a legitimate representative of the company.

We are not interested in destroying your business. We want to take the money and you not hear from us again.

Time is ticking on clock and in few days if no payment we publish and close chat.

Please convey this information to your executive and managers as soon as possible.

After a successful transaction and receipt of payment we promise

1) technical advice

2) We will never publish you data

3) Everything we download will be delete w/proof

4) Nothing will ever disclose

Decide soon and recall that no response result in blog posting. Name is first and soon data after. We advice not reach point of no return.

KR CL0P

Update: 10/02/25, 5:30 p.m: This story has been updated with information about Oracle’s alert.

The post Here is the email Clop attackers sent to Oracle customers appeared first on CyberScoop.

Executives at major firms received extortion threats alleging theft of sensitive data from Oracle EBS, with possible ties to Cl0p and FIN11.

The post Hackers Launch Extortion Campaign Targeting Oracle E-Business Suite Customers appeared first on SecurityWeek.

Attackers appearing to be aligned with the Clop ransomware group have sent emails to Oracle customers seeking extortion payments, claiming they stole data from the tech giant’s E-Business Suite, according to researchers who spoke with CyberScoop. 

Researchers haven’t confirmed the veracity of Clop’s claimed data theft, but multiple investigations into Oracle environments belonging to organizations that received the emails are underway.

“We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts,” Mandiant Consulting CTO Charles Carmakal told CyberScoop. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.

Clop hasn’t made the claims public through its leak sites.

Oracle on Thursday confirmed it’s aware some Oracle E-Business Suite customers have received extortion emails.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 critical patch update,” Rob Duhart, chief security officer at Oracle Security, said in a blog post.

Oracle did not say which vulnerabilities are under active exploitation, nor did it confirm if its customers’ data was stolen. The July security update included 309 patches, including nine that addressed defects in Oracle E-Business Suite. 

The vendor, at the time, said three of the Oracle E-Business Suite vulnerabilities, all of which it designated as medium-severity, can be remotely exploited without authentication. Three additional Oracle E-Business Suite vulnerabilities addressed in July were designated high severity. 

The company has not responded to multiple requests for comment. 

The extortion activity involves targeted emails sent to company executives from hundreds of compromised third-party accounts beginning on or before Sept. 29, according to Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group.

“It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” Stark told CyberScoop.

While the tactics and contact email addresses align with Clop, researchers have yet to verify if the financially-motivated group is behind the attacks.

Clop is a highly prolific and notorious ransomware group that has successfully intruded multiple technology vendors’ systems, allowing it to steal data on many downstream customers. 

The financially motivated threat group specializes in exploiting vulnerabilities in file-transfer services to conduct large-scale attacks. Clop achieved mass exploitation as it infiltrated MOVEit environments in 2023, ultimately exposing data from more than 2,300 organizations, making it the largest and most significant cyberattack that year.

The extortion emails originate from hundreds of compromised third-party accounts at various legitimate websites, and not from one specific vendor, said Austin Larsen, principal analyst at GTIG. “The claim within those emails is that they have stolen data from the Oracle E-Business Suite of the targeted organizations,” he added. 

The emails observed by researchers don’t contain a specific demand, but pressure victims to contact the threat group to start negotiations.  

“The primary indicators of this new campaign are the extortion emails themselves and the use of email addresses associated with the Clop data leak site,” Stark said. “At this time, we do not have evidence of a successful data breach or a specific malware family associated with this particular campaign.”

Investigators are working through the night to confirm if and how attackers gained access to Oracle’s E-Business Suite and the extent to which Oracle customers may be impacted.

Update: 10/02/25, 5:30 p.m.: This story has been updated with information about Oracle’s security alert.

The post Oracle customers being bombarded with emails claiming widespread data theft appeared first on CyberScoop.

Editor’s Note: We’ll feature Lawrence’s List every week.  It will include interesting things he’s come across during the week as he’s an avid consumer of internet garbage and follows a […]

The post Lawrence’s List 061316 appeared first on Black Hills Information Security, Inc..