Ransomware Expert Alerts Executives to Ransom Demands as High as $50 Million

Digital extortionists are directly targeting executives at companies utilizing Oracle E-Business Suite, alleging they have compromised sensitive data, according to reports from multiple cybersecurity firms.
In a statement, Google’s Mandiant incident response unit said it has initiated an investigation into a widespread email campaign linked to a group claiming affiliation with the Clop ransomware operation. The emails, sent to various organizations, assert that attackers have accessed and stolen data from Oracle enterprise applications.
Oracle has yet to provide a response to inquiries regarding this matter. The Oracle E-Business Suite encompasses a range of software solutions, including enterprise resource planning, customer relationship management, human resources, and supply chain management systems.
Halcyon, a prominent cybersecurity firm, is also addressing this threat. Reports indicate that assailants might have exploited stolen user credentials in conjunction with a password-reset function within internet-facing E-Business Suites to infiltrate targets. Cynthia Kaiser, senior vice president at Halcyon’s ransomware research division, revealed that recent ransom demands have escalated, including a staggering $50 million request, as reported by Bloomberg.
Unlike previous attacks attributed to Clop, this campaign does not seem to leverage any zero-day vulnerabilities. Kaiser noted that the attackers are likely exploiting misconfigurations rather than inherent vulnerabilities. “It is critical that organizations conduct thorough checks of their systems,” she advised.
Genevieve Stark from Google’s threat intelligence division noted that the extortion campaign appears to have commenced earlier this week. Despite the group’s claims of affiliation with Clop, investigations by Mandiant have yet to confirm these assertions. An immediate inquiry into the activities that occurred within targeted organizations is essential.
According to Charles Carmakal, Mandiant’s Chief Technology Officer, a number of entities have received emails originating from compromised accounts previously associated with Clop. The presence of known contact details on these emails suggests a strong connection to the Clop operation, intended to leverage brand recognition for extortion purposes.
Canadian cybersecurity firm Cypfer has also reported a concerning trend of extortionists targeting organizations utilizing Oracle E-Business Suite. Ed Dubrovsky, Cypfer’s chief operating officer, advised organizations to ensure their systems are fully patched and monitored to mitigate risks.
Attributing attacks in the cybercrime landscape can be exceedingly complex, as many perpetrators tend to embellish their capabilities. Cybercriminals frequently repackage data stolen from previous breaches and present it as the result of new attacks, or overstate the sensitivity of the information they claim to possess.
Carmakal remarked on the intricacies of attribution in this domain, highlighting how cyber actors often mimic established groups to heighten pressure on victims. While the attackers’ assertions should be treated with caution, immediate investigations into the affected environments are paramount for the targeted organizations.