Oracle has confirmed that a group of hackers stole data from its E‑Business Suite (EBS) applications and is leveraging the information in a wave of extortion emails targeting large enterprises.
The company says attackers exploited vulnerabilities addressed in the July 2025 Critical Patch Update (CPU) and urged all customers to apply the latest patches immediately to prevent further intrusions.
Executives and IT leaders at multiple organizations have received emails claiming their EBS data was copied, with ransom demands reportedly reaching up to 50 million dollars.
Victims have been shown screenshots, file indexes, and sample records as proof of the theft to pressure them into paying.
Halcyon incident responders say the threat actors are presenting themselves as affiliated with the Cl0p ransomware operation, a group known for stealthy mass data theft and high-dollar extortion.
Cl0p previously exploited MOVEit file-transfer flaws to compromise hundreds of organizations, including major brands such as Shell, British Airways, and the BBC.
Security researchers note the extortion notes in this campaign feature the same poor English and grammar historically seen in Cl0p communications.
Google’s Threat Intelligence Group added that at least one email address used in these notes was previously linked to a Cl0p affiliate.
Oracle’s investigation is ongoing, and the company has not publicly confirmed the precise intrusion vector.
Details of the Campaign
The extortion emails began on or before September 29, sent from hundreds of compromised third‑party accounts to evade filtering and increase credibility.
At least one affected organization has publicly acknowledged EBS data exfiltration.
While some reports suggest the actors abused default password‑reset functions on internet‑exposed EBS portals, others believe the breach stems from exploitation of an EBS flaw remediated in the July CPU.
Oracle advises all EBS customers to verify that the July 2025 CPU has been applied across every instance, especially internet‑facing environments and non‑production clones often overlooked in patch cycles.
Immediate defensive actions include reviewing access logs for anomalous password‑reset activity, monitoring third‑party and shared mailboxes for compromise, enforcing strong multi‑factor authentication for all EBS access, and restricting administrative functions to trusted networks.
Organizations should also validate system integrity with automated scans, ensure offline, tested backups, and tighten email authentication controls (SPF, DKIM, DMARC) to reduce the impact of account hijacking used in this campaign.
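As an added illustration of the log-review step above (example code written for this article, not Oracle's tooling or anything from the original report), the script below applies two simple heuristics to constructed, Apache-style access-log lines: one source issuing many password-reset requests, and one source resetting several distinct accounts. The /reset_password path, the trailing user= field and the thresholds are assumptions, not Oracle's real EBS log format.

```python
import re
from collections import defaultdict

# Regex for the constructed, Apache-style log line used in the sample below.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "user=(?P<user>[^"]*)"$'
)

# Constructed sample lines; the "/reset_password" path and the trailing
# "user=" field are placeholders, not Oracle's real EBS log format.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2025:02:14:01 +0000] "POST /reset_password HTTP/1.1" 200 512 "user=jsmith"
203.0.113.7 - - [29/Sep/2025:02:14:05 +0000] "POST /reset_password HTTP/1.1" 200 512 "user=achen"
203.0.113.7 - - [29/Sep/2025:02:14:09 +0000] "POST /reset_password HTTP/1.1" 200 512 "user=sysadmin"
203.0.113.7 - - [29/Sep/2025:02:14:13 +0000] "POST /reset_password HTTP/1.1" 200 512 "user=fin_ops"
198.51.100.20 - - [29/Sep/2025:09:30:44 +0000] "POST /reset_password HTTP/1.1" 200 512 "user=mlopez"
198.51.100.20 - - [29/Sep/2025:09:31:02 +0000] "GET /login HTTP/1.1" 200 2048 "user=-"
"""

def parse_lines(log_text):
    """Yield a dict per line that matches LINE_RE; silently skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_reset_anomalies(log_text, reset_path="/reset_password",
                         max_resets=3, max_accounts=2):
    """Return {ip: [reasons]} for sources whose reset activity exceeds a threshold.

    A legitimate user rarely fires many resets or resets other people's accounts,
    so either pattern from one source is worth a human look.
    """
    resets = defaultdict(list)
    for rec in parse_lines(log_text):
        if rec["method"] == "POST" and rec["path"] == reset_path:
            resets[rec["ip"]].append(rec["user"])
    alerts = {}
    for ip, users in resets.items():
        reasons = []
        if len(users) > max_resets:
            reasons.append(f"{len(users)} reset requests (threshold {max_resets})")
        distinct = {u for u in users if u != "-"}
        if len(distinct) > max_accounts:
            reasons.append(f"{len(distinct)} distinct accounts targeted: {sorted(distinct)}")
        if reasons:
            alerts[ip] = reasons
    return alerts
```

Feed it real log lines by adjusting LINE_RE to the actual format and tune the thresholds to normal reset volume before acting on its output.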
Oracle is coordinating with law enforcement and cybersecurity partners and emphasizes that applying the July 2025 CPU remains the most critical step to mitigate these extortion threats.
CVE Table (related to July 2025 CPU for Oracle E‑Business Suite)
- Affected Products: Oracle E‑Business Suite (various modules)
- Impact: Data exfiltration risk via exploited application/server vulnerabilities
- Exploit Prerequisites: Internet‑exposed EBS endpoints, outdated CPU level, weak MFA or misconfigured password‑reset workflows
- CVSS 3.1: High to Critical (organization‑specific per module and patch advisory)
- Notes: Oracle states the exploited issues were fixed in the July 2025 CPU; customers must verify full deployment across all instances and environments