CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Clop extortion campaign targets Oracle E-Business Suite

First reported
Last updated
4 unique sources, 23 articles

Summary

Hide ▲

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. GlobalLogic, a digital engineering services provider, has notified over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. The attackers exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to steal personal information belonging to 10,471 employees. GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details. Clop has yet to add GlobalLogic to its leak site, suggesting the company is still negotiating with the threat group or has already paid a ransom. The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected by the data breach. The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software, stole data, and attempted to extort the firm in late September. The compromised data includes full names, bank account numbers and routing numbers, Social Security numbers (SSNs), and tax and ID numbers. Logitech International S.A. confirmed a data breach after a cyberattack by the Clop extortion gang, which exploited a third-party zero-day vulnerability in Oracle E-Business Suite. Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission confirming the data breach. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not sensitive data like national ID numbers or credit card information. Clop added Logitech to its data-leak extortion site, leaking almost 1.8 TB of data allegedly stolen from the company. Logitech confirmed that the breach occurred through a third-party zero-day vulnerability that was patched as soon as a fix was available. Cox Enterprises detected a data breach in late September 2025, which occurred between August 9-14, 2025, due to a zero-day vulnerability in Oracle E-Business Suite. The Cl0p ransomware gang has taken credit for exploiting CVE-2025-61882 as a zero-day vulnerability in Oracle E-Business Suite. The threat actor added Cox Enterprises to their data leak website on the dark web on October 27 and published the stolen information. Cl0p listed 29 new companies as their victims earlier today, including major organizations in the automotive, software, and technology sectors. Cox Enterprises is offering identity theft protection and credit monitoring services through IDX at no cost for 12 months to 9,479 impacted individuals. Canon has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. The incident is limited to a subsidiary of Canon U.S.A., Inc., and only affected the web server. Canon has taken security measures and resumed service, but is continuing to investigate further to ensure that there is no other impact. No Canon data has been leaked at the time of writing. Canon was previously targeted in a ransomware attack back in 2020, where hackers stole employee information from the firm’s systems. More than 100 organizations have been named to date on the Cl0p ransomware website as alleged victims of the campaign. Nearly half of the named organizations are major companies in sectors such as IT and telecoms, heavy industry and manufacturing, healthcare and pharma, retail, automotive and transportation, media, and energy and utilities. The United Kingdom’s National Health Service (NHS) is conducting an investigation but has yet to confirm a data breach. The list of big companies that have yet to publicly confirm a data breach includes Michelin, Broadcom, and Bechtel. Cl0p has been the public-facing group to take credit for the Oracle campaign, but an unknown cluster of a threat actor tracked as FIN11 is believed to be behind the attacks. FIN11 conducted similar campaigns targeting other widely used enterprise products in the past. Organizations are typically not listed on the Cl0p website without cause, but the actual scope of the breach may be exaggerated by the threat actors. Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school's Oracle E-Business Suite servers on its dark web leak site. The private Ivy League research university, founded in 1769, has an endowment of $9 billion as of June 30, 2025, over 40 academic departments and programs, and more than 4,000 undergraduate students, with a 7:1 undergraduate-to-faculty ratio. In a breach notification letter filed with the office of Maine's Attorney General, Dartmouth says the attackers exploited an Oracle E-Business Suite (EBS) zero-day vulnerability to steal personal information belonging to 1,494 individuals. The total number of people potentially impacted by this data breach is likely much larger, given that the school is headquartered in Hanover, New Hampshire, and it hasn't yet filed a breach notice with the state's Attorney General. "Through the investigation, we determined that an unauthorized actor took certain files between August 9, 2025, and August 12, 2025. We reviewed the files and on October 30, 2025, identified one or more that contained your name and Social Security number," the college says in letters mailed to those affected by the data leak. In a separate appendix filed with Maine's AG, Dartmouth added that the threat actors also stole documents containing the financial account information of impacted individuals. A Dartmouth College spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today regarding the ransom demanded by the Clop gang and the total number of individuals impacted by the breach. The incident is part of a much larger extortion campaign in which the Clop ransomware gang has exploited a zero-day flaw (CVE-2025-61882) since early August 2025 to steal sensitive files from many victims' Oracle EBS platforms. While Clop has yet to disclose the total number of impacted organizations, Google Threat Intelligence Group chief analyst John Hultquist has told BleepingComputer that dozens of organizations were likely breached. The extortion group has also targeted Harvard University, The Washington Post, Logitech, GlobalLogic, and American Airlines subsidiary Envoy Air in this campaign, with their data also leaked online and now available for download via Torrent.

Timeline

  1. 17.10.2025 22:11 1 articles · 1mo ago

    Clop ransomware operation history of exploiting zero-day vulnerabilities

    The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in 2019 when it began breaching corporate networks to deploy a variant of the CryptoMix ransomware and steal data. Since 2020, the extortion gang shifted from primarily ransomware to exploiting zero-day vulnerabilities in secure file transfer or data storage platforms to steal data. Notable campaigns include exploiting zero-days in Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer products.

    Show sources
    Open in new tab
  2. 13.10.2025 14:14 3 articles · 1mo ago

    Clop extortion gang lists Harvard University in data leak site

    The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site.

    Show sources
    Open in new tab
  3. 06.10.2025 04:37 8 articles · 1mo ago

    Oracle patches zero-day vulnerability exploited in Clop data theft attacks

    The campaign followed months of intrusion activity targeting EBS customer environments, dating as far back as July 10, 2025. After Oracle released a Critical Patch Update in July 2025, which addressed nine flaws affecting EBS, Mandiant observed more likely exploitation attempts. Threat actors began exploiting the zero-day CVE-2025-61882 against Oracle EBS customers as early as August 9, 2025, weeks before a patch was made available. GTIG assessed that Oracle EBS servers updated through the patch are likely no longer vulnerable to known exploitation chains. GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025.

    Show sources
    Open in new tab
  4. 02.10.2025 06:13 23 articles · 1mo ago

    Clop extortion emails claim theft of Oracle E-Business Suite data

    Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. GlobalLogic, a digital engineering services provider, has notified over 10,000 current and former employees that their data was stolen in an Oracle E-Business Suite (EBS) data breach. The attackers exploited an Oracle EBS zero-day vulnerability (CVE-2025-61882) to steal personal information belonging to 10,471 employees. GlobalLogic's investigation identified access and exfiltration on October 9, 2025, with the earliest date of threat actor activity as July 10, 2025, and the most recent activity occurring on August 20, 2025. The stolen data includes names, addresses, phone numbers, emergency contact details, email addresses, dates of birth, nationalities, countries of birth, passport information, national identifiers or tax identifiers (e.g., Social Security Numbers), salary information, and bank account details. Clop has yet to add GlobalLogic to its leak site, suggesting the company is still negotiating with the threat group or has already paid a ransom. The Washington Post is also among the victims, with nearly 10,000 employees and contractors affected by the data breach. The hackers leveraged a then-zero-day vulnerability in Oracle E-Business Suite software, stole data, and attempted to extort the firm in late September. The compromised data includes full names, bank account numbers and routing numbers, Social Security numbers (SSNs), and tax and ID numbers. Logitech International S.A. confirmed a data breach after a cyberattack by the Clop extortion gang, which exploited a third-party zero-day vulnerability in Oracle E-Business Suite. Logitech filed a Form 8-K with the U.S. Securities and Exchange Commission confirming the data breach. The breach likely includes limited information about employees, consumers, customers, and suppliers, but not sensitive data like national ID numbers or credit card information. Clop added Logitech to its data-leak extortion site, leaking almost 1.8 TB of data allegedly stolen from the company. Logitech confirmed that the breach occurred through a third-party zero-day vulnerability that was patched as soon as a fix was available. Cox Enterprises detected a data breach in late September 2025, which occurred between August 9-14, 2025, due to a zero-day vulnerability in Oracle E-Business Suite. The Cl0p ransomware gang has taken credit for exploiting CVE-2025-61882 as a zero-day vulnerability in Oracle E-Business Suite. The threat actor added Cox Enterprises to their data leak website on the dark web on October 27 and published the stolen information. Cl0p listed 29 new companies as their victims earlier today, including major organizations in the automotive, software, and technology sectors. Cox Enterprises is offering identity theft protection and credit monitoring services through IDX at no cost for 12 months to 9,479 impacted individuals. Canon has confirmed being targeted in the recent Oracle E-Business Suite (EBS) hacking campaign. The incident is limited to a subsidiary of Canon U.S.A., Inc., and only affected the web server. Canon has taken security measures and resumed service, but is continuing to investigate further to ensure that there is no other impact. No Canon data has been leaked at the time of writing. Canon was previously targeted in a ransomware attack back in 2020, where hackers stole employee information from the firm’s systems. More than 100 organizations have been named to date on the Cl0p ransomware website as alleged victims of the campaign. Nearly half of the named organizations are major companies in sectors such as IT and telecoms, heavy industry and manufacturing, healthcare and pharma, retail, automotive and transportation, media, and energy and utilities. The United Kingdom’s National Health Service (NHS) is conducting an investigation but has yet to confirm a data breach. The list of big companies that have yet to publicly confirm a data breach includes Michelin, Broadcom, and Bechtel. Cl0p has been the public-facing group to take credit for the Oracle campaign, but an unknown cluster of a threat actor tracked as FIN11 is believed to be behind the attacks. FIN11 conducted similar campaigns targeting other widely used enterprise products in the past. Organizations are typically not listed on the Cl0p website without cause, but the actual scope of the breach may be exaggerated by the threat actors. Dartmouth College has disclosed a data breach after the Clop extortion gang leaked data allegedly stolen from the school's Oracle E-Business Suite servers on its dark web leak site. The private Ivy League research university, founded in 1769, has an endowment of $9 billion as of June 30, 2025, over 40 academic departments and programs, and more than 4,000 undergraduate students, with a 7:1 undergraduate-to-faculty ratio. In a breach notification letter filed with the office of Maine's Attorney General, Dartmouth says the attackers exploited an Oracle E-Business Suite (EBS) zero-day vulnerability to steal personal information belonging to 1,494 individuals. The total number of people potentially impacted by this data breach is likely much larger, given that the school is headquartered in Hanover, New Hampshire, and it hasn't yet filed a breach notice with the state's Attorney General. "Through the investigation, we determined that an unauthorized actor took certain files between August 9, 2025, and August 12, 2025. We reviewed the files and on October 30, 2025, identified one or more that contained your name and Social Security number," the college says in letters mailed to those affected by the data leak. In a separate appendix filed with Maine's AG, Dartmouth added that the threat actors also stole documents containing the financial account information of impacted individuals. A Dartmouth College spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today regarding the ransom demanded by the Clop gang and the total number of individuals impacted by the breach. The incident is part of a much larger extortion campaign in which the Clop ransomware gang has exploited a zero-day flaw (CVE-2025-61882) since early August 2025 to steal sensitive files from many victims' Oracle EBS platforms. While Clop has yet to disclose the total number of impacted organizations, Google Threat Intelligence Group chief analyst John Hultquist has told BleepingComputer that dozens of organizations were likely breached. The extortion group has also targeted Harvard University, The Washington Post, Logitech, GlobalLogic, and American Airlines subsidiary Envoy Air in this campaign, with their data also leaked online and now available for download via Torrent.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Princeton University Database Compromised in Phishing Attack

On November 10, 2025, Princeton University suffered a data breach after a phishing attack targeted an employee. The breach exposed personal information of alumni, donors, faculty, and students, including names, email addresses, phone numbers, and home and business addresses. The compromised database did not contain financial information, credentials, or records protected by privacy regulations. The university has since blocked the attackers' access and advised affected individuals to be cautious of phishing attempts. On November 18, 2025, Harvard University experienced a similar data breach due to a voice phishing attack. The breach exposed personal information of students, alumni, donors, staff, and faculty members. The compromised systems did not contain Social Security numbers, passwords, payment card information, or financial information. Harvard is working with law enforcement and third-party cybersecurity experts to investigate the incident and has sent data breach notifications to affected individuals. The breach was discovered on November 18, 2025, and involved unauthorized access to systems used by Harvard's Alumni Affairs and Development department. Harvard University is also one of the many victims of the recent Oracle E-Business Suite hacking campaign.

Open in new tab

Five Vulnerabilities Added to CISA's Known Exploited Vulnerabilities Catalog

Five new vulnerabilities have been added to the CISA Known Exploited Vulnerabilities (KEV) Catalog. These include a server-side request forgery (SSRF) flaw in Oracle E-Business Suite (EBS) and four other vulnerabilities affecting Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple's JavaScriptCore. The SSRF vulnerability in Oracle EBS has been actively exploited in real-world attacks. The vulnerabilities affect widely used software and have varying CVSS scores, indicating different levels of severity. Federal Civilian Executive Branch (FCEB) agencies must remediate these vulnerabilities by November 10, 2025, to protect against active threats.

Open in new tab

Capita fined £14m for 2023 data breach affecting 6.6 million people

Capita has been fined £14 million for security failings that led to a 2023 data breach impacting nearly 6.6 million people. The breach was caused by an employee downloading malware, which allowed the Black Basta ransomware group to gain access to the network. The ICO initially planned to fine Capita £45 million but reduced the penalty due to improvements made after the attack and cooperation with regulators. The ICO fined Capita plc £8 million and Capita Pension Solutions Limited £6 million. The breach compromised sensitive information, including pension and staff records, criminal records, financial data, and special category data. Over half of the 600 Capita Pension Solutions clients were affected, and 8,000 claimants brought a High Court case against Capita. The breach impacted 325 pension scheme providers in the UK. The ICO highlighted several security failures, including inadequate privilege management, delayed responses to security alerts, and insufficient penetration testing. The cyberattack occurred on March 22, 2023, and nearly one terabyte of data was exfiltrated between March 29 and 30, 2023.

Open in new tab

Unauthenticated access vulnerability in Oracle E-Business Suite Configurator

A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.

Open in new tab

TwoNet hacktivists target critical infrastructure with realistic honeypot attack

The pro-Russian hacktivist group TwoNet, previously known for DDoS attacks, targeted a water treatment facility in September 2025. The facility was a realistic honeypot set up by Forescout researchers to observe adversaries’ movements. The attack demonstrated TwoNet’s ability to move from initial access to disruptive actions in approximately 26 hours. The group exploited default credentials, SQL vulnerabilities, and an XSS flaw to gain access and disrupt operations. They created a new user account, displayed a hacking message, and disabled real-time updates and alarms. The intrusion was detected and logged by Forescout researchers monitoring the honeypot. TwoNet publicly claimed responsibility for the attack on its Telegram channel. The attack originated from an IP address linked to a German hosting provider, and the attacker used the Firefox browser on the Linux operating system. The attacker conducted defacement, process disruption, manipulation, and evasion activities. TwoNet has expanded its activities to include targeting HMI and SCADA interfaces, publishing personal details of personnel, and offering cybercrime services. The group has also ceased operations as of September 30, 2025, according to a message in an affiliated group, CyberTroops.

Open in new tab