Oracle patches EBS amid extortion attacks
Red alert: Companies told to drop everything and take action now


Oracle has rolled out an emergency patch for a flaw in its E-Business Suite (EBS), a week after Google warned executives were facing extortion threats from a notorious ransomware gang using data leaked from that software.
Last week, Google revealed companies were receiving emailed threats claiming Oracle's EBS had been hacked, demanding a ransom payment or risk data being leaked. Over the weekend, Oracle issued an emergency patch, with security authorities in the US, UK, and elsewhere advising companies to take swift action.
However, that only addresses a single flaw – and this attack appears to make use of multiple vulnerabilities in EBS, including another patched in July.
And over the weekend, exploit code for the recently patched flaw was made public, making it even easier for other attackers to make use of it.
"It's likely that almost no one patched over the weekend," noted Jake Knott, principal security researcher at watchTowr. "So we're waking up to a critical vulnerability with public exploit code and unpatched systems everywhere. Based on the evidence, we believe this is Cl0p activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days."
Companies need to take action
Companies need to take action now, Knott added. "If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls – fast."
The UK National Cyber Security Centre called for companies to "take immediate action," while Brett Leatherman, FBI assistant director in the cyber division, said in a social media post that this is a "'stop-what-you're-doing and patch immediately' vulnerability."
He added: "In plain terms: if your EBS environment is reachable on the network, and especially if it's internet facing, it's at risk for full compromise."
Not all victims may yet be aware they have been compromised. The attacks began in August, but extortion emails didn't start arriving until the end of September. "However, please note they may not have attempted to reach out to all victims yet," noted Mandiant CTO Charles Carmakal in a social media post.
Oracle's patching problem
Oracle issued a security alert over the weekend addressing a flaw in some versions of EBS, CVE-2025-61882, that is remotely exploitable without authentication and may result in code execution.
"Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible," the security alert notes.
Cian Heasley, principal consultant at Acumen Cyber, noted: "Oracle haven't released much technical detail, but has disclosed that the flaw was identified during an investigation into the recent Cl0p gang data theft campaign that targeted Oracle EBS."
Oracle also offered details of potential indicators of compromise (IOCs) to help support detection and containment, including IP addresses, observed commands, and files to watch out for. "Included in the IOCs are several file hashes for a suspected leaked exploit script," noted Rapid7 in a blog post. "It is currently unknown if the leaked exploit script is viable, and whether it leverages CVE-2025-61882 or an older n-day vulnerability."
Rapid7 noted that any EBS customers should immediately update to the latest version of the software "on an emergency basis". Rapid7 added: "Oracle E-Business Suite, versions 12.2.3 through to, and including, version 12.2.14 are affected. The vulnerability is in the 'Oracle Concurrent Processing' product within Oracle E-Business Suite."
Even if the patch and update are applied, it's worth examining systems in case a breach has already happened. "Given the broad mass zero-day exploitation that has already occurred... irrespective of when the patch is applied, organizations should examine whether they were already compromised," added Carmakal in that social media post.
Who is Cl0p?
Cl0p is a ransomware gang believed to be behind a wide range of attacks against high-profile victims including banks and utilities. The gang was also responsible for the MOVEit File Transfer attacks, which likewise saw companies contacted with extortion demands.
Acumen's Heasley noted that Cl0p runs carefully researched campaigns, rather than the opportunistic techniques more often associated with ransomware. "Active since early 2019, Cl0p is among the oldest ransomware gangs still operating in a space characterised by frequent rebrands, shutdowns and short-lived schemes," Heasley noted. "The group was part of the first wave of so-called 'big game hunting' ransomware operators, targeting entire organisations instead of individuals."
Cl0p claimed responsibility for the extortion emails in a message to security site BleepingComputer. "Soon all will become obvious that Oracle bugged up their core product, and once again, the task is on clop to save the day," the group said.
Rapid7 shared a copy of one of the extortion messages sent to companies, which advises recipients to "Google about us on internet" if they are unaware of who Cl0p is.
The message claims to have breached EBS and copied documents, but adds that ransom is all the gang is after: "We do not seek political power or care about any business."
Victims are told they can ask for files or data as evidence of the breach, but warned they only have a few days to pay up before data will be leaked. After payment, the attackers pledged to never publish the data and offer any "technical advice" required.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.