Clop began targeting Oracle E-Business Suite customers three months ago, exploiting multiple vulnerabilities including a zero-day (CVE-2025-61882) to conduct large-scale data theft and extortion. The attack chain involved at least five distinct defects enabling pre-authenticated remote code execution. Oracle released patches in July and October, but Shadowserver scans as of early October detected over 570 potentially vulnerable instances, mostly in the US.
These attacks are part of Clop’s broader campaign involving stealthy, multi-stage, fileless malware designed to evade traditional detection methods. Although Google and Mandiant attribute the activity primarily to Clop, possible involvement of other threat groups cannot be ruled out. Clop has previously compromised various technology vendors, particularly file-transfer services, leading to massive data exposures such as the 2023 MOVEit breach affecting over 2,300 organizations.
The implications of this attack include sustained risk for unpatched Oracle customers and the potential for huge ransom payments reaching up to $50 million. The difficulty of fully attributing the attacks, together with ongoing exploitation attempts, underscores the importance of timely security updates and enhanced monitoring. Analysts warn that zero-day campaigns are becoming increasingly common in cybercrime, which escalates the overall threat landscape for enterprise platforms like Oracle E-Business Suite.
👉 Read the original: CyberScoop