Oracle Customers Warned of E-Business Suite Data Breach

Summary
– Unknown attackers claiming Cl0p affiliation are emailing executives about alleged data theft from Oracle E-Business Suite systems.
– This high-volume email campaign began in late September 2025 using hundreds of compromised accounts, with at least one linked to the FIN11 threat group.
– The authenticity of the data breach claims and Cl0p involvement remains unverified by Google’s Threat Intelligence Group and industry partners.
– Cl0p is known for exploiting zero-day vulnerabilities in enterprise file transfer tools to exfiltrate data and demand ransoms.
– Oracle confirmed awareness of the extortion emails and recommended applying the July 2025 Critical Patch Update to address potential vulnerabilities.
Businesses relying on Oracle’s E-Business Suite are confronting a wave of threatening emails, with unknown attackers claiming to have stolen sensitive corporate data. These messages, which began circulating in late September 2025, assert affiliation with the notorious Cl0p extortion gang and demand substantial ransoms, reportedly reaching into the millions. Security experts caution that while the emails include contact details linked to Cl0p’s public leak site, the actual breach claims remain unverified.
According to Google’s threat intelligence teams, this high-volume campaign originated from hundreds of compromised email accounts. Charles Carmakal, CTO at Mandiant, part of Google Cloud, noted that at least one of these accounts had prior connections to FIN11, a financially motivated threat group known for ransomware and extortion schemes. Still, Carmakal emphasized that definitive proof of either a genuine data breach or Cl0p’s direct involvement is currently lacking. He pointed out that cybercriminals often imitate established gangs like Cl0p to intimidate victims and increase pressure.
Bloomberg, citing security firm Halcyon, reported that the attackers are demanding seven- and eight-figure payments and have shared screenshots and file directories as supposed evidence of compromise. However, none of this material has been independently confirmed. The Cl0p ransomware operation first appeared in 2019 and initially focused on ransomware attacks. Over the past five years, however, the group gained notoriety by exploiting zero-day vulnerabilities in enterprise file transfer tools, including Accellion FTA and MOVEit, to steal corporate data and extort payments in exchange for not publishing or selling it.
At the time of the initial reports, Oracle had not issued an official statement regarding the situation, but security professionals were already urging targeted organizations to take immediate steps. Carmakal advised companies to conduct thorough investigations of their IT environments for any signs of unauthorized access or data theft. Richard Berkahn, a partner at Atmos First Response in Australia and New Zealand, shared on LinkedIn that industry partners have so far been unable to validate the attackers’ claims. Berkahn noted past incidents in which fraudsters impersonated the Cl0p gang, raising the possibility that this campaign could be a hoax.
Even so, Berkahn recommended that organizations treat the threat as credible until proven otherwise. He suggested that Oracle E-Business Suite users review their email quarantine logs for any extortion-related messages. A useful search term, he noted, is “pubstorm.com/pubstorm.net,” which appears in the content of the threat emails. While the sender addresses vary, this text may help identify whether any malicious emails were intercepted. Berkahn stressed that even if the campaign turns out to be an impersonation, affected companies should activate their incident response teams, including cyber insurance support, and prepare as though the breach claims are real.
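As an added illustration of the quarantine-log check Berkahn describes (example code, not from the article or from Oracle), the following Python scans a constructed, line-based quarantine export for the pubstorm.com/pubstorm.net strings, including common defanged spellings, and deliberately ignores sender addresses because those vary across the campaign. The log format, field layout and sample records are assumptions made for the example.

```python
import re

# Constructed sample quarantine export (not real data): one record per line,
# fields separated by " | ": timestamp | sender | subject | body excerpt.
SAMPLE_QUARANTINE_LOG = """\
2025-09-29T08:14:02Z | ops-alerts@examplemail.test | Invoice Q3 | Please find the attached invoice for September.
2025-09-29T09:02:51Z | jdoe@compromised-sender.test | Your company data | We have your EBS data. Contact us at pubstorm.com or pubstorm.net within 48 hours.
2025-09-30T11:45:10Z | random.user@another-sender.test | RE: URGENT | Negotiations via hxxp://pubstorm[.]net/ - do not ignore.
2025-09-30T12:00:00Z | newsletter@vendor.test | Weekly digest | New features in our file transfer product.
"""

# Matches pubstorm.com / pubstorm.net, including defanged spellings such as
# pubstorm[.]com or pubstorm(.)net, case-insensitively.
PUBSTORM_RE = re.compile(r"pubstorm\s*(?:\[\.\]|\(\.\)|\.)\s*(?:com|net)", re.IGNORECASE)


def parse_record(line):
    """Split one export line into its four fields; return None for malformed lines."""
    parts = [p.strip() for p in line.split(" | ", 3)]
    if len(parts) != 4:
        return None
    ts, sender, subject, body = parts
    return {"timestamp": ts, "sender": sender, "subject": subject, "body": body}


def find_extortion_emails(log_text):
    """Return quarantine records whose subject or body references the
    pubstorm.com / pubstorm.net domains named in the threat emails.
    Sender addresses are not used for matching: the campaign sends from
    hundreds of different compromised accounts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        m = PUBSTORM_RE.search(rec["subject"] + " " + rec["body"])
        if m:
            rec["indicator"] = m.group(0)  # the matched domain text, for the IR ticket
            hits.append(rec)
    return hits


def distinct_senders(hits):
    """List the sending accounts seen, useful for blocking and for tracing follow-ups."""
    return sorted({h["sender"] for h in hits})


if __name__ == "__main__":
    matches = find_extortion_emails(SAMPLE_QUARANTINE_LOG)
    for rec in matches:
        print(rec["timestamp"], rec["sender"], rec["indicator"])
    print("distinct senders:", distinct_senders(matches))
```

Running this against a real quarantine export only requires adapting `parse_record` to the gateway's column layout; the matching logic stays the same.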
In an update provided on October 3, 2025, Oracle Chief Security Officer Rob Duhart confirmed that the company is aware some EBS customers have received extortion emails. Oracle’s investigation points to the potential exploitation of vulnerabilities that were already addressed in the July 2025 Critical Patch Update. Duhart reiterated Oracle’s firm recommendation that customers apply the latest security patches without delay to protect their systems.
(Source: HelpNet Security)