Google Mandiant Probes New Oracle Extortion Wave Possibly Linked to Cl0p Ransomware
Google Mandiant and Google Threat Intelligence Group (GTIG) have disclosed that they are tracking a new cluster of activity possibly linked to a financially motivated threat actor known as Cl0p. The malicious activity involves sending extortion emails to executives at various organizations and claiming to have stolen sensitive data from their Oracle E-Business Suite. "This activity began on or
AI Analysis
Technical Summary
Google Mandiant and Google Threat Intelligence Group (GTIG) have identified a new extortion campaign targeting organizations using Oracle E-Business Suite (EBS), potentially linked to the Cl0p ransomware group. This campaign involves sending extortion emails to executives claiming that sensitive data has been stolen from their Oracle EBS environments. The attackers appear to gain initial access by compromising user email accounts and abusing Oracle EBS's default password reset functionality, which relies on local Oracle accounts that bypass enterprise Single Sign-On (SSO) protections and often lack multi-factor authentication (MFA). This allows attackers to trigger password resets and gain valid credentials without requiring zero-day exploits or direct system vulnerabilities. The campaign is characterized by a high volume of emails sent from hundreds of compromised accounts, some linked to the FIN11 subgroup of the TA505 threat actor, known for ransomware and extortion activities. Oracle has acknowledged the issue and pointed to the July 2025 Critical Patch Update that addresses relevant vulnerabilities, urging customers to apply these patches promptly. The attackers provide proof of compromise such as screenshots and file trees to support their ransom demands, which have reached up to $50 million. Although the exact vulnerabilities exploited remain unclear, the modus operandi aligns with previous Cl0p campaigns that exploited zero-day vulnerabilities in other enterprise file transfer platforms. The campaign is opportunistic, targeting various industries without specific focus, and leverages the Cl0p brand to increase pressure on victims. Organizations are advised to investigate their environments for signs of compromise, especially focusing on email security and Oracle EBS account management.
Potential Impact
For European organizations, this threat poses significant risks including potential data breaches, financial losses from extortion payments, and operational disruptions. Oracle EBS is widely used across Europe in sectors such as manufacturing, finance, public administration, and utilities, making these industries vulnerable to data theft and ransomware follow-on attacks. The abuse of local Oracle accounts that bypass SSO and lack MFA increases the attack surface, especially in organizations with legacy configurations or insufficient identity management controls. The high ransom demands and public exposure of stolen data can damage organizational reputation and lead to regulatory penalties under GDPR for inadequate data protection. Additionally, compromised executive email accounts can facilitate further phishing or business email compromise (BEC) attacks. The campaign's opportunistic nature means many organizations, regardless of size or sector, could be targeted, amplifying the threat landscape. The lack of confirmed zero-day exploitation reduces immediate risk but does not diminish the severity given the ease of credential abuse and potential for widespread impact.
Mitigation Recommendations
European organizations should immediately apply Oracle's July 2025 Critical Patch Update to address known vulnerabilities in Oracle EBS. Enforce multi-factor authentication (MFA) on all Oracle EBS accounts, including local accounts that currently bypass SSO protections, to prevent unauthorized password resets. Conduct thorough audits of Oracle EBS user accounts to identify and disable or secure local accounts where possible. Enhance email security by implementing advanced threat protection, monitoring for suspicious login and password reset activities, and securing executive and privileged accounts against compromise. Deploy anomaly detection tools to identify unusual access patterns within Oracle EBS and related systems. Educate executives and staff about extortion email tactics to reduce the likelihood of successful social engineering. Establish incident response plans specifically addressing extortion and ransomware scenarios involving Oracle EBS. Collaborate with threat intelligence providers to stay updated on Cl0p-related activity and indicators of compromise. Finally, consider network segmentation and least privilege principles to limit lateral movement if initial access occurs.
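The two controls above that lend themselves to automation, inventorying local Oracle EBS accounts that bypass SSO and lack MFA and watching for a password reset that is followed by a login from a never-seen source, are sketched below as an added Python example. It is not code from the page, from Oracle or from Mandiant; the account fields, event names and log lines are constructed assumptions for illustration and do not reflect Oracle EBS's real audit schema.

```python
"""Added example: audit and detection logic for local-account hygiene and
reset-then-login monitoring, run over constructed sample data. Field names
(account, auth_source, mfa_enrolled, privileged) and event names are
assumptions, not Oracle EBS's actual log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account inventory. auth_source "LOCAL" models an Oracle-local
# account that authenticates outside the enterprise SSO; "SSO" is federated.
ACCOUNTS = [
    {"account": "cfo.jane", "auth_source": "SSO", "mfa_enrolled": True, "privileged": True},
    {"account": "sysadmin", "auth_source": "LOCAL", "mfa_enrolled": False, "privileged": True},
    {"account": "ap_clerk", "auth_source": "LOCAL", "mfa_enrolled": False, "privileged": False},
    {"account": "integration_svc", "auth_source": "LOCAL", "mfa_enrolled": True, "privileged": False},
]

# Constructed event log: (ISO timestamp, account, event, source IP).
# 203.0.113.0/24 is a documentation range, used here as the "unknown" source.
EVENTS = [
    ("2025-10-01T08:00:00", "sysadmin", "LOGIN_SUCCESS", "10.1.2.3"),
    ("2025-10-01T09:00:00", "ap_clerk", "LOGIN_SUCCESS", "10.1.2.40"),
    ("2025-10-02T02:10:00", "sysadmin", "PASSWORD_RESET_REQUEST", "203.0.113.7"),
    ("2025-10-02T02:14:00", "sysadmin", "LOGIN_SUCCESS", "203.0.113.7"),
    ("2025-10-02T10:00:00", "ap_clerk", "PASSWORD_RESET_REQUEST", "10.1.2.40"),
    ("2025-10-02T10:05:00", "ap_clerk", "LOGIN_SUCCESS", "10.1.2.40"),
    ("2025-10-03T11:00:00", "cfo.jane", "LOGIN_SUCCESS", "10.1.2.9"),
]


def local_accounts_without_mfa(accounts):
    """Local (non-SSO) accounts with no MFA enrolled: the population the
    recommendations say to disable or secure. Privileged accounts come first."""
    weak = [a for a in accounts if a["auth_source"] == "LOCAL" and not a["mfa_enrolled"]]
    return [a["account"] for a in sorted(weak, key=lambda a: not a["privileged"])]


def reset_followed_by_new_ip_login(events, window=timedelta(hours=1)):
    """Flag a password reset that is followed, within `window`, by a successful
    login from a source IP that has never previously logged in as that account.
    A reset and login from an already-known IP (the ap_clerk case) is not flagged."""
    parsed = sorted((datetime.fromisoformat(ts), acct, ev, ip) for ts, acct, ev, ip in events)
    seen_ips = defaultdict(set)   # account -> IPs with a prior successful login
    pending = defaultdict(list)   # account -> (reset time, reset IP) awaiting a login
    findings = []
    for ts, acct, ev, ip in parsed:
        if ev == "PASSWORD_RESET_REQUEST":
            pending[acct].append((ts, ip))
        elif ev == "LOGIN_SUCCESS":
            for reset_ts, _reset_ip in pending[acct]:
                if reset_ts < ts <= reset_ts + window and ip not in seen_ips[acct]:
                    findings.append({
                        "account": acct,
                        "reset_at": reset_ts.isoformat(),
                        "login_at": ts.isoformat(),
                        "login_ip": ip,
                    })
            # Drop resets whose window has expired; keep the rest for later logins.
            pending[acct] = [p for p in pending[acct] if p[0] + window >= ts]
            seen_ips[acct].add(ip)
    return findings


def run_audit(accounts=ACCOUNTS, events=EVENTS):
    """Combine both checks and mark a finding 'high' when it hits an account
    that is also local and without MFA, i.e. the exact weak spot the text names."""
    weak = set(local_accounts_without_mfa(accounts))
    findings = reset_followed_by_new_ip_login(events)
    for f in findings:
        f["severity"] = "high" if f["account"] in weak else "medium"
    return {"local_accounts_without_mfa": sorted(weak), "reset_login_findings": findings}


if __name__ == "__main__":
    report = run_audit()
    print("Local accounts without MFA:", report["local_accounts_without_mfa"])
    for f in report["reset_login_findings"]:
        print(f"[{f['severity']}] {f['account']}: reset {f['reset_at']} -> "
              f"login {f['login_at']} from new IP {f['login_ip']}")
```

The baseline of known IPs is built only from logins that precede the reset, so a reset that is immediately "confirmed" by a login from a fresh address stands out while routine self-service resets from a user's usual workstation do not; in a real deployment the same logic would be fed from the EBS authentication audit trail and the identity provider's MFA enrollment data rather than the constructed lists here.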
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Ireland
Technical Details
- Article Source: https://thehackernews.com/2025/10/google-mandiant-probes-new-oracle.html (fetched 2025-10-07T01:05:09Z, 1190 words)
Threat ID: 68e467466a45552f36e85b52
Added to database: 10/7/2025, 1:05:10 AM
Last enriched: 10/7/2025, 1:09:20 AM
Last updated: 10/7/2025, 1:48:13 PM