Blackmail attempts after Oracle gap may affect hundreds of companies
A vulnerability in Oracle's E-Business Suite allows access to company data. Attackers are using it for blackmail attempts. Google expects more than 100 organizations to be affected.
The recently publicized blackmail attempts following a security vulnerability in Oracle's e-business suite have affected dozens, if not hundreds, of companies. This is the estimate of Google's security experts following an investigation into this campaign. Behind it is a group of cybercriminals called Clop, which has already attracted attention in the past as a ransomware gang and has blackmailed several organizations after exploiting system vulnerabilities.
Just a few days ago, Oracle issued a reminder to urgently install security updates after attackers had blackmailed customers of the E-Business Suite. Initially, the manufacturer assumed that the vulnerabilities had already been closed by its July patches, but shortly afterward it issued an emergency update. The vulnerability in question enables remote code execution without authentication (CVSS 9.8) in Oracle E-Business Suite versions 12.2.3 to 12.2.14. As exploit code is now circulating underground, users of these versions should patch immediately.
Ransom for internal company data
Following an investigation into the vulnerability and the extortion campaign, security experts from the Google Threat Intelligence Group (GTIG) and Mandiant write in a report that the attackers have written to hundreds, if not thousands, of compromised email accounts. They threaten to publish internal documents if the affected company does not pay. There are no specific demands for money in the first contact; this is usually only negotiated after a response.
However, the captured data is said to result in major financial losses for the companies after publication, such as fines from supervisory authorities and a decline in sales following a loss of reputation. The e-business suite is used by Oracle customers to manage customers, suppliers, manufacturing, logistics, and other business processes, so access to it could also reveal trade secrets.
Dozens of victims known, but probably hundreds affected
When asked by Reuters, one of the authors of the Google report, Austin Larsen, explained that they know of dozens of victims but believe there are many more. “Given the scale of previous Clop campaigns, it's probably over a hundred,” Larsen continued. The ransomware gang itself has previously only stated that it will soon emerge that Oracle has “bugged its core product.”
In 2023, Clop blackmailed companies following a security vulnerability in MOVEit, a data transfer tool used by numerous companies, especially financial institutions. Shortly afterward, it emerged that ING, Deutsche Bank, and others had been more severely affected by the MOVEit vulnerability. Government agencies such as ministries were not spared either. In the same year, Clop published health data on millions of people in the USA.
(fds)