Oracle Reports No Zero-Day Exploits Connected to Customer Extortion Cases

Data-Theft Attacks Compromise Organizations Amid Absence of July Patch Update

Oracle Under Scrutiny for Client Data Breaches
Image: Shutterstock/ISMG

Oracle has reported that its customers are under attack from data-seeking extortionists. While cybersecurity researchers and the software giant emphasize that no new zero-day vulnerabilities are being exploited, the situation remains critical.

Rob Duhart, Chief Security Officer at Oracle, wrote in a Thursday blog post that the investigations point to the exploitation of vulnerabilities that had already been identified and fixed in the July 2025 Critical Patch Update. He reiterated the company's strong recommendation that customers apply those updates promptly.

Of the 309 security patches issued in that update, nine apply specifically to Oracle E-Business Suite, and three of those fix flaws that can be exploited remotely without authentication. Oracle has stressed that EBS users need to apply several patches, including those for the Oracle Database and Oracle Fusion Middleware components EBS depends on, to close off these avenues of attack.

Reports have emerged from multiple cybersecurity firms indicating that executives within organizations utilizing Oracle E-Business Suite have been targeted with ransom demands reaching as high as $50 million, with extortionists threatening to leak stolen data if their demands are not met. Evidence suggests that attackers are gaining access to internet-facing EBS portals, utilizing local account login pages that often bypass enterprise single sign-on controls, especially when multifactor authentication (MFA) is not enforced.

Halcyon, a cybersecurity firm, said in a security alert that the absence of MFA on these local accounts lets attackers reset passwords through compromised email addresses and thereby obtain valid credentials. Google's Mandiant incident response team has observed a high-volume email campaign in which messages were sent from numerous compromised accounts. The senders claim affiliation with Clop, a Russian-speaking ransomware collective known for fast-moving supply chain attacks focused on data theft.

Mandiant's report notes that two email addresses used in the campaign had previously been linked to Clop, and that the links in the messages point to Clop's data leak site. However, neither cybersecurity experts nor victim organizations have confirmed that sensitive data was actually stolen, or what that data might be.

The extortion messages sent directly to senior executives claim that the organization has been breached and its data exfiltrated, but how the attackers obtained the executives' contact details remains unresolved. One plausible theory is that the contact data was taken during the compromise of the Oracle systems themselves.

Halcyon reported that the ransom demands, which have reached $50 million, come with proof of compromise such as screenshots and file trees. Targeting senior executives directly appears intended to exploit fear and urgency and pressure organizations into paying. Chris Pierson, CEO of BlackCloak, pointed to the dual challenge organizations face: hardening the systems that hold sensitive corporate data while preparing executives to respond to extortion attempts. Cybercriminals are increasingly targeting third-party vendor systems, since those systems often hold data belonging to many companies at once.

Mapped against the MITRE ATT&CK matrix, the reported activity lines up with several techniques. Initial access could have been gained through compromised email accounts or weak authentication on the local login pages, and the attackers may have maintained persistence by exploiting the already-patched vulnerabilities. The report also suggests that privilege escalation occurred by bypassing the controls meant to enforce multifactor authentication, giving the attackers unauthorized access to critical systems.
