Clop extortion emails claim theft of Oracle E-Business Suite data

Mandiant and Google are tracking a new extortion campaign where executives at multiple companies received emails claiming that sensitive data was stolen from their Oracle E-Business Suite systems.

According to Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG, the campaign began in late September.

"This activity began on or before September 29, 2025, but Mandiant's experts are still in the early stages of multiple investigations, and have not yet substantiated the claims made by this group," Stark said.

Charles Carmakal, CTO of Mandiant Google Cloud, stated that the extortion emails are being sent from a large number of compromised email accounts.

"We are currently observing a high-volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11, a long-running financially motivated threat group known for deploying ransomware and engaging in extortion," Carmakal explained.

In an example of the extortion email shared with BleepingComputer, Clop says they breached the company's Oracle E-Business Suite in a data theft attack.

"We are CL0P team. If you haven't heard about us, you can google about us on internet," reads the extortion email shared with BleepingComputer.

"We have recently breached your Oracle E-Business Suite application and copied a lot of documents. All the private files and other information are now held on our systems."

"But, don't worry. You can always save your data for payment. We do not seek political power or care about any business. So, your only option to protect your business reputation is to discuss conditions and pay claimed sum."

"In case you refuse, you will lose all abovementioned data: some of it will be sold to the black actors, the rest will be published on our blog and shared on torrent trackers."

Mandiant and GTIG report, and BleepingComputer has confirmed, that the email addresses listed in the extortion email are the same as those on the Clop ransomware gang's data leak site, indicating a possible link to the extortion group.

However, Carmakal says that while the tactics are similar to Clop's previous extortion campaigns and the email addresses indicate a potential link, there is not enough evidence to determine if data has actually been stolen.

Mandiant and GTIG recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms.

After publishing this story, Clop claimed to BleepingComputer that they are involved in the extortion email, indicating a bug in Oracle's product was exploited in the attacks. However, the threat actors would not share more detailed information about the alleged attacks.

"We not prepared to discuss details at this time," Clop told BleepingComputer.

"Soon all will become obvious that Oracle bugged up their core product and once again, the task is on clop to save the day. We do not damage to systems and only expect payment for services we provide to protect hundreds of biggest companies in world."

Oracle also published a brief post today by Rob Duhart, Chief Security Officer, Oracle Security, who said that they believe the threat actors exploited vulnerabilities patched in the July 2025 security updates.

"Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update," explained Duhart.

"Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates."

If you have any information regarding this incident or any other undisclosed attacks, you can contact us confidentially via Signal at 6469613731 or at tips@bleepingcomputer.com.

The Clop ransomware operation, also tracked as TA505, Cl0p, and FIN11, launched in March 2019, when it began targeting enterprise networks with a variant of the CryptoMix ransomware.

Like other ransomware gangs, Clop members breach corporate networks, steal data, and then deploy ransomware to encrypt systems.

The stolen data and encrypted files are then used as leverage to force companies to pay a ransom demand in exchange for a decryptor and to prevent the leaking of the stolen data.

While the group is still known to deploy ransomware, since 2020 they have shifted to exploiting zero-day vulnerabilities in secure file transfer platforms to steal data.

Some of their most notable attacks include:

The most recent campaign associated with Clop was in October 2024, when the threat actors exploited two Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) to steal data and extort companies.

The U.S. State Department currently offers a $10 million reward through its Rewards for Justice program for information linking Clop's ransomware activities to a foreign government.

Update 10/2/25: Added sample of Clop extortion email being sent to companies.
Update 10/2/25 07:42 PM ET: Added statement from the Clop ransomware gang and further info from Oracle.