According to Google security experts, cybercriminals sending blackmail emails to business leaders have managed to obtain information from "dozens of organizations," indicating that the scope of this hacking operation could be extensive.
On Thursday, the technology company revealed in a statement provided to TechCrunch that the Clop extortion group took advantage of several security flaws in Oracle’s E-Business Suite, leading to the theft of substantial data from impacted companies.
Oracle’s E-Business platform enables organizations to manage their business processes, including maintaining customer records and employee HR information.
Google noted in a related blog entry that this wave of attacks against Oracle users has been ongoing since at least July 10, which is roughly three months before the breaches were initially discovered.
Earlier this week, Oracle acknowledged that the group behind the extortion attacks continues to exploit its software to access confidential data about company leaders and their businesses. Just days before, Oracle’s chief security officer, Rob Duhart, had stated in a now-removed post that the extortion attempts were tied to previously known vulnerabilities that Oracle addressed in July, implying the threat had ended.
However, in a security notice released over the weekend, Oracle explained that the zero-day vulnerability—so named because it was already being abused before Oracle could issue a fix—can be “exploited over a network without requiring a username or password.”
The Clop ransomware and extortion group, which has ties to Russia, has become notorious for orchestrating large-scale cyberattacks, frequently leveraging security weaknesses unknown to software makers at the time of exploitation, to exfiltrate vast quantities of business and client data. This includes attacks on managed file transfer solutions such as Cleo, MOVEit, and GoAnywhere, which organizations rely on to transmit sensitive information online.
Google’s blog post provides email addresses and other technical indicators that IT security teams can use to detect extortion attempts and signs that their Oracle environments may have been breached.
