Oracle-Linked Hacks: Data Stolen from Dozens of Organizations

October 9, 2025

Corporate Executives Targeted in Widespread Hacking Campaign

Security researchers at Google have revealed that hackers are targeting corporate executives with extortion emails. Data breaches have been confirmed across “dozens of organizations,” indicating a potentially extensive scope to this malicious activity.

Clop Gang Exploits Oracle Vulnerabilities

Google said on Thursday, in a statement provided to TechCrunch, that the Clop extortion group successfully exploited several security weaknesses within Oracle’s E-Business Suite software. This exploitation resulted in the theft of substantial data from numerous affected entities.

Oracle’s E-Business Suite is a critical software solution utilized by companies to manage core operational functions. These functions include the storage of customer information and employee human resources records.

Campaign Timeline and Initial Detection

According to a related blog post from Google, the hacking campaign specifically targeting Oracle customers commenced as early as July 10th. This was approximately three months prior to the initial detection of the breaches.

Oracle's Shifting Statements

Oracle acknowledged earlier this week that the hackers continued to leverage its software for data theft, specifically targeting personal information belonging to corporate executives and their respective companies.

However, prior to this, Oracle’s chief security officer, Rob Duhart, had stated in a now-removed post that the campaign was tied to vulnerabilities already addressed with patches released in July, implying the attacks had ceased.

Zero-Day Vulnerability Discovered

A recent security advisory from Oracle detailed a zero-day bug (a vulnerability exploited before a fix could be developed) that can be exploited over the network without requiring usernames or passwords.

Clop's History of Mass-Hacking

The Russia-affiliated Clop ransomware and extortion gang has gained notoriety for conducting large-scale hacking operations. These operations frequently involve exploiting previously unknown software vulnerabilities to steal significant volumes of corporate and customer data.

Past targets have included managed file transfer tools such as Cleo, MOVEit, and GoAnywhere, which are commonly used for secure data transmission over the internet.

Resources for Network Defenders

Google’s blog post provides valuable resources for network security professionals. This includes email addresses and other technical indicators that can be used to identify potential extortion emails and determine if Oracle systems have been compromised.

  • Key Takeaway: The Clop gang is actively exploiting a zero-day vulnerability in Oracle E-Business Suite.
  • Recommendation: Organizations using Oracle E-Business Suite should review Google’s blog post for indicators of compromise.