Oracle Apparently Has Been Pwned And Extortion Emails Have Gone Out To Execs Of Companies Using E-Business Suite

There’s a newly reported extortion campaign in which hackers claim to have stolen sensitive data through Oracle’s E-Business Suite and are now targeting executives directly:

According to Google Threat Intelligence Group (GTIG) and Mandiant, the malicious activity allegedly targeting Oracle EBS appears to have started on or around September 29. The attackers have sent extortion emails to executives at “numerous” companies, claiming to be affiliated with the notorious Cl0p cybercrime group.

GTIG and Mandiant researchers have described the attacks as a high-volume email campaign leveraging hundreds of compromised accounts, including ones previously linked to a profit-driven threat group named FIN11. This long-running cybercrime gang is known to engage in ransomware deployment and extortion.

The researchers also found some evidence indicating a connection to Cl0p. Specifically, the contact information provided by the attackers in the emails sent to targeted organizations matches contact addresses listed on the Cl0p leak website.

Mandiant and GTIG said they are in the early stages of their investigations and could not confirm whether the hackers’ claims are substantiated.

Dr. Chris Pierson, a former DHS cybersecurity official and CEO/founder of BlackCloak, a digital executive protection firm, had this to say:

“Extortion attempts like this highlight the reality that executives are increasingly being singled out as the soft underbelly of the corporation for cybercriminals. Cybercriminals recognize that targeting the C-suite creates urgency, exposes them to high risk, and instills fear that can lead to other issues. The challenge for organizations is twofold: hardening the systems that store the most sensitive corporate data, and ensuring executives are prepared with the right playbook when extortion attempts land in their inbox. Third-party vendor risks will continue to be a favorite target of cybercriminals, and we’ve seen a marked increase in these systems being targeted because they yield information on not one company, but hundreds or thousands of companies. The companies that come out ahead are those that treat digital executive protection as part of their overall cybersecurity posture rather than an afterthought.”

Oracle said via a blog post that they believe the threat actors exploited vulnerabilities patched in the July 2025 security updates. But they have said no more than that, which likely means that this is going to be very, very bad. Oracle looks like it has some explaining to do.

One Response to “Oracle Apparently Has Been Pwned And Extortion Emails Have Gone Out To Execs Of Companies Using E-Business Suite”

  1. […] Oracle has warned of a critical zero-day vulnerability, with a CVSS base score of 9.8, in its E-Business Suite (CVE-2025-61882) that is remotely exploitable without authentication. If successfully exploited, this vulnerability may result in remote code execution. Chances are that this is how the Cl0p ransomware gang was able to launch their latest campaign. […]
