Researchers at Google Mandiant and GTIG are monitoring a suspected Cl0p ransomware affiliate conducting a mass extortion campaign against Oracle E-Business Suite customers. The attackers allege they have stolen sensitive corporate data and are demanding ransoms up to $50 million, as reported by the incident response firm Halcyon, which is assisting the impacted organizations.
The Road Ahead:
Oracle’s E-Business Suite helps companies manage finance, supply chain, and customer relations, so claims of a breach are concerning. Investigators haven’t confirmed the full extent yet, but at least one company has confirmed that data from its Oracle systems was stolen.
Modus Operandi: Email Hacks and Credential Abuse:
Attackers may have used compromised email accounts together with Oracle E-Business Suite’s password-reset function to gain access to valid user accounts. Victims received file trees and screenshots as proof of theft, a tactic Cl0p typically uses to increase ransom pressure.
“This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations,” said Cynthia Kaiser, Vice President at Halcyon’s Ransomware Research Center. “We’ve seen Cl0p demand seven- and eight-figure ransoms in just the last few days.”
FIN11 Links and the Cl0p Connection:
According to Mandiant’s CTO Charles Carmakal, the extortion campaign involves “hundreds of compromised accounts” in a coordinated push. At least one account has been tied to FIN11, a financially motivated threat group long associated with Cl0p ransomware deployment.
Cl0p has exploited significant vulnerabilities in software such as Accellion, SolarWinds, Fortra GoAnywhere, and MOVEit, affecting thousands of organizations worldwide. Mandiant researchers indicate that the group likely operates mainly from the Commonwealth of Independent States (CIS) but deliberately avoids conducting attacks there.
Early Stage, But Risks Are High:
Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, emphasized caution. “This activity began on or before September 29, but we are still in the early stages of multiple investigations. While some indicators tie this campaign to Cl0p affiliates, we lack definitive proof that the attackers’ claims are fully accurate.”
Mandiant has advised organizations using Oracle E-Business Suite to check for signs of compromise associated with Cl0p and FIN11.
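The article describes account access obtained through compromised email and the password-reset function, and Mandiant's advice to look for signs of compromise. The following is an added example, not code from the article, Mandiant, Oracle or Halcyon, of one detection heuristic a defender could run over authentication audit data: flag a password reset that is followed within a short window by a login from an IP address the account had never used before, and flag any single source IP that resets passwords for several accounts. The log format, the event names (PASSWORD_RESET, LOGIN), the sample lines and the one-hour window are all constructed assumptions; a real Oracle E-Business Suite audit table has its own schema, so the parser would need to be adapted to it.

```python
"""Reset-then-new-session detection over a constructed audit log.

Added example; the line format, event names and sample data are
hypothetical and not taken from any real Oracle E-Business Suite log.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit lines: "<ISO timestamp> <event> user=<name> ip=<addr>"
# Two accounts are reset and then logged into from one previously unseen
# address; one account is reset and logged into from its usual address.
SAMPLE_LOG = """\
2025-09-28T08:02:11Z LOGIN user=jdoe ip=10.1.4.22
2025-09-28T09:15:40Z LOGIN user=asmith ip=10.1.4.31
2025-09-28T11:30:00Z LOGIN user=bwong ip=10.1.4.50
2025-09-29T02:14:05Z PASSWORD_RESET user=jdoe ip=203.0.113.45
2025-09-29T02:16:50Z LOGIN user=jdoe ip=203.0.113.45
2025-09-29T02:20:13Z PASSWORD_RESET user=asmith ip=203.0.113.45
2025-09-29T02:22:02Z LOGIN user=asmith ip=203.0.113.45
2025-09-29T10:00:00Z PASSWORD_RESET user=bwong ip=10.1.4.50
2025-09-29T10:01:30Z LOGIN user=bwong ip=10.1.4.50
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) ip=(\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    user: str
    ip: str


def parse_log(text: str) -> list:
    """Parse the hypothetical audit format into time-ordered Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable audit line: {line!r}")
        ts_raw, kind, user, ip = m.groups()
        events.append(Event(datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ"), kind, user, ip))
    return sorted(events, key=lambda e: e.ts)


def find_reset_takeovers(events, window=timedelta(hours=1)):
    """Return (user, reset_ts, login_ip) for each password reset that is
    followed within `window` by a login from an IP the account had not used
    before the reset. Accounts with no login history are not flagged, since
    there is no baseline to compare against (a deliberate trade-off)."""
    seen_ips = defaultdict(set)   # user -> IPs observed on earlier logins
    pending = {}                  # user -> most recent reset awaiting a login
    findings = []
    for ev in events:
        if ev.kind == "PASSWORD_RESET":
            pending[ev.user] = ev
        elif ev.kind == "LOGIN":
            reset = pending.pop(ev.user, None)
            if (reset is not None and ev.ts - reset.ts <= window
                    and seen_ips[ev.user] and ev.ip not in seen_ips[ev.user]):
                findings.append((ev.user, reset.ts, ev.ip))
            # Baseline is updated only after the check, so the suspicious
            # login itself does not whitelist its own address.
            seen_ips[ev.user].add(ev.ip)
    return findings


def resets_per_source(events, min_accounts=2):
    """Source IPs that reset passwords for at least `min_accounts` distinct
    accounts, i.e. a bulk-reset pattern rather than a single user self-service."""
    by_ip = defaultdict(set)
    for ev in events:
        if ev.kind == "PASSWORD_RESET":
            by_ip[ev.ip].add(ev.user)
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, ip in find_reset_takeovers(evs):
        print(f"ALERT reset then login from new IP: user={user} reset_at={ts.isoformat()} login_ip={ip}")
    for ip, users in resets_per_source(evs).items():
        print(f"ALERT bulk reset source: ip={ip} accounts={users}")
```

On the constructed data this flags jdoe and asmith (reset, then login from 203.0.113.45, an address neither account had used) and reports 203.0.113.45 as a bulk-reset source, while bwong's reset from a known address is left alone. The window length and the minimum-account threshold are tuning knobs; in practice both should be set from the organization's own reset volume, and the baseline should be built from more history than a single prior login.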
Cybersecurity experts indicate that if the claims are true, this could be one of the largest extortion attempts related to Oracle, affecting industries from finance and energy to healthcare and defense.
The ongoing investigations highlight how ransomware groups are becoming more sophisticated, combining technical exploitation with aggressive extortion. For companies using Oracle E-Business Suite, this situation underscores the need for timely patching, credential management, and a zero-trust security model.
As Carmakal of Mandiant put it: “This is a high-volume, global campaign. Organizations need to take immediate steps to detect compromise, patch vulnerabilities, and prepare response playbooks before these extortion threats escalate further.”
InfoSecBulletin Cybersecurity for mankind
