Google warns executives are being targeted for extortion with leaked Oracle data
Extortion emails being sent to executives at large organisations appear to show evidence of a breach involving Oracle's E-Business Suite


Google has warned that hackers are attempting to extort executives at a variety of companies after stealing data from Oracle apps.
The flood of extortion emails is being sent to executives at large organisations, as well as their IT departments, and appears to show evidence of a breach involving Oracle's E-Business Suite. Oracle has yet to reply to a request for comment.
The extortion emails began arriving on or before 29 September, according to Google, which said in a statement that attackers were sending extortion emails to "executives at numerous organizations claiming to have stolen sensitive data from their Oracle E-Business Suite."
Security firm Halcyon told Bloomberg it had seen demands for "seven- and eight-figure ransoms" over the last few days – and even one for $50 million.
Another Cl0p attack?
Google said the attackers are potentially from FIN11, a group affiliated with Cl0p, a ransomware gang believed to be responsible for a wide range of attacks, including on banks and utilities – and behind the MOVEit File Transfer supply chain attack that also saw victims contacted with extortion demands.
"We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion," said Charles Carmakal, CTO of Mandiant – Google Cloud, according to a report on BleepingComputer.
"The malicious emails contain contact information, and we've verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site," Carmakal reportedly added to CyberScoop.
However, in a statement to Reuters, Google stressed that it "does not currently have sufficient evidence to definitively assess the veracity of these claims."
Austin Larsen, an analyst at Google Threat Intelligence Group (GTIG), said on social media that his organization was tracking the "high-volume extortion campaign" and the actor was claiming Cl0p affiliation, but added "we cannot yet substantiate the actor's data breach claims."
Breach details remain unclear
It remains unclear how the hackers obtained access, with GTIG saying it wasn't yet possible to say which specific malware was used.
"The primary indicators of this new campaign are the extortion emails themselves and the use of email addresses associated with the Clop data leak site," Genevieve Stark, head of cybercrime and information operations intelligence analysis at GTIG, reportedly said. "At this time, we do not have evidence of a successful data breach or a specific malware family associated with this particular campaign."
Halcyon added that it appears the criminals accessed Oracle E-Business Suite by compromising user email accounts and making use of the password reset functions to access the software.
Oracle E-Business Suite is used to manage everything from financial data to human resources, supply chains and customer relationships – if compromised, a wide range of information could have been breached. Back in 2018, the US government warned about vulnerabilities in Oracle software, with severe flaws found in Oracle's E-Business Suite in 2019.
Any companies that receive the extortion emails should investigate their systems for signs of access, Google noted.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.