
Dozens of organizations hit in Oracle-linked data breach

Summary

– The Clop extortion gang exploited vulnerabilities in Oracle’s E-Business Suite software to steal data from dozens of organizations.
– Oracle’s E-Business software is used by companies to manage operations, including customer data and employee HR files.
– The hacking campaign targeting Oracle customers began around July 10, three months before it was first detected.
– Oracle confirmed that hackers are still abusing a zero-day vulnerability in its software that requires no username or password to exploit.
– Google provided technical details to help network defenders identify extortion emails and signs of system compromise.

A widespread data breach affecting numerous organizations has been traced to security flaws in Oracle's widely used E-Business Suite software. According to security researchers at Google, the Russia-linked Clop ransomware and extortion gang has been exploiting these vulnerabilities to steal substantial volumes of sensitive corporate information. The attackers targeted corporate executives with extortion emails, one of the first signs that the campaign could be far-reaching.

Oracle’s E-Business Suite is a critical application that enables companies to manage essential operations, including storing customer records and employee human resources files. Google disclosed in a statement that the Clop group leveraged multiple security weaknesses in this software to access and exfiltrate data from dozens of affected entities. A corresponding blog post from the tech giant noted that the malicious activity targeting Oracle customers began as early as July 10, approximately three months before the intrusions were first identified.

Earlier this week, Oracle acknowledged that the hackers behind the extortion campaign continue to abuse its software to obtain personal details about executives and their companies. This admission came just days after Oracle's chief security officer, Rob Duhart, asserted in a since-removed post that the campaign was connected to previously identified vulnerabilities patched by Oracle in July, implying the attacks had concluded. However, a security advisory released over the weekend disclosed a zero-day vulnerability, so called because attackers were already exploiting it before Oracle had a fix available. Oracle confirmed this bug can be "exploited over a network without the need for a username and password," meaning an unauthenticated remote attacker can use it, which significantly lowers the barrier to unauthorized access.

The Clop ransomware gang has built a notorious reputation in recent years for orchestrating mass-hacking campaigns. It frequently takes advantage of zero-day vulnerabilities, flaws unknown to the software vendor at the time of exploitation, to harvest vast amounts of corporate and customer data. Its past operations have abused managed file transfer tools such as Cleo Software, MOVEit, and GoAnywhere, which businesses rely on to transmit confidential data over the internet.

To assist organizations in defending against these threats, Google's blog post includes specific email addresses and technical indicators that network security teams can use to scan for extortion emails and other signs of compromise in their Oracle systems. This gives defenders actionable intelligence for determining whether their infrastructure has been affected by this ongoing campaign.
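One way a mail security team can apply published sender indicators to incoming messages, as an added example that is not code from the original article, Google, or Oracle: parse each message's sender-type headers (From, Reply-To, Return-Path, Sender), normalize the addresses, and match them against an indicator list at both the address and domain level. The indicator values and the two sample messages below are constructed placeholders, not the real indicators from the advisory; the Reply-To/From domain mismatch check is an added heuristic, not something the article attributes to Google.

```python
"""Match sender-type mail headers against a list of indicators.

Added example, not code from the original article, Google, or Oracle.
IOC_ADDRESSES and IOC_DOMAINS are constructed placeholders; replace them
with the addresses published in the real advisory.
"""
import email
from email.utils import getaddresses

# Constructed placeholders, not real indicators from any advisory.
IOC_ADDRESSES = {"support@example-extortion.test"}
IOC_DOMAINS = {"leak-portal.test"}

# Headers an extortion note can use to carry the attacker's contact address.
SENDER_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")


def sender_addresses(msg):
    """Return (header, address) pairs, lower-cased, for all sender-type headers.

    getaddresses() strips display names such as "Oracle Support Desk" so the
    comparison is made on the bare address, not on a spoofable label.
    """
    found = []
    for header in SENDER_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.append((header, addr.lower()))
    return found


def match_indicators(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    addrs = sender_addresses(msg)
    findings = []
    for header, addr in addrs:
        domain = addr.rsplit("@", 1)[-1]
        if addr in IOC_ADDRESSES:
            findings.append(f"{header}: address {addr} is a known indicator")
        elif domain in IOC_DOMAINS:
            findings.append(f"{header}: domain {domain} is a known indicator")
    # Added heuristic (assumption, not from the advisory): replies routed to a
    # different domain than the visible sender are common in extortion mail.
    from_domains = {a.rsplit("@", 1)[-1] for h, a in addrs if h == "From"}
    reply_domains = {a.rsplit("@", 1)[-1] for h, a in addrs if h == "Reply-To"}
    if from_domains and reply_domains and not (from_domains & reply_domains):
        findings.append("Reply-To domain differs from From domain")
    return findings


# Constructed sample messages for demonstration only.
SAMPLE_EXTORTION = """\
From: "Oracle Support Desk" <helpdesk@corp.example>
Reply-To: support@example-extortion.test
Return-Path: <bounce@leak-portal.test>
To: ceo@corp.example
Subject: Your data

We have your files.
"""

SAMPLE_BENIGN = """\
From: "Payroll" <payroll@corp.example>
Reply-To: payroll@corp.example
To: staff@corp.example
Subject: Payslip

Attached.
"""


if __name__ == "__main__":
    for label, sample in (("extortion", SAMPLE_EXTORTION), ("benign", SAMPLE_BENIGN)):
        print(label, match_indicators(sample))
```

Matching on the bare address rather than the display name matters because the visible sender label is trivially spoofed; matching the domain as well catches new mailboxes on an indicator domain that were not in the published list.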

(Source: TechCrunch)
