SecurityWeek

Cybercrime

Hackers Launch Extortion Campaign Targeting Oracle E-Business Suite Customers

Executives at major firms received extortion threats alleging theft of sensitive data from Oracle EBS, with possible ties to Cl0p and FIN11.


A significant number of organizations have received extortion emails from hackers who claim to have stolen sensitive information from their Oracle E-Business Suite instances, Google's Threat Intelligence Group and its Mandiant unit warn.

Oracle E-Business Suite (EBS) is a suite of integrated business applications used by large organizations to automate and manage business processes. Oracle says thousands of organizations around the world use this enterprise resource planning (ERP) system.

According to Google Threat Intelligence Group (GTIG) and Mandiant, the malicious activity allegedly targeting Oracle EBS appears to have started on or around September 29. The attackers have sent extortion emails to executives at “numerous” companies, claiming to be affiliated with the notorious Cl0p cybercrime group.

GTIG and Mandiant researchers have described the attacks as a high-volume email campaign leveraging hundreds of compromised accounts, including ones previously linked to a profit-driven threat group named FIN11. This long-running cybercrime gang is known to engage in ransomware deployment and extortion.

The researchers also found some evidence indicating a connection to Cl0p. Specifically, the contact information provided by the attackers in the emails sent to targeted organizations matches contact addresses listed on the Cl0p leak website.

Mandiant and GTIG said they are in the early stages of their investigations and could not confirm whether the hackers’ claims are substantiated. 


“It is critical to note that while the tactics align with an extortion motive and the actor is explicitly claiming this connection, GTIG does not currently have sufficient evidence to definitively assess the veracity of these claims,” said Charles Carmakal, CTO of Mandiant.

Carmakal added, “Attribution in the financially motivated cybercrime space is often complex, and actors frequently mimic established groups like Clop to increase leverage and pressure on victims.”

If Cl0p or FIN11 hackers are confirmed to be behind the attacks, it would not come as a surprise. Both groups are known to launch campaigns that target many organizations through vulnerable software, often via the exploitation of zero-day flaws. 

Cl0p last year claimed to have stolen data from dozens of organizations after exploiting a zero-day vulnerability in Cleo file transfer tools. The group previously managed to steal the information of tens of millions of users from thousands of organizations through the exploitation of a zero-day in MOVEit Transfer file transfer software. 

In addition, Cl0p was blamed for a 2023 attack that involved a Fortra GoAnywhere managed file transfer product zero-day and which hit dozens of organizations. 

A few years ago, the FIN11 group was behind a similar campaign that involved the theft of sensitive data from dozens of organizations that had been using an Accellion file transfer service. That campaign also involved the exploitation of a zero-day vulnerability. 

In some campaigns analyzed in the past, researchers have found links between Cl0p and FIN11.

SecurityWeek has reached out to Oracle for comment and will update this article if the company responds.

Related: Infostealers: The Silent Smash-and-Grab Driving Modern Cybercrime

Related: Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
