Oracle says it is investigating a wave of extortion emails aimed at customers using its E-Business Suite, with attackers claiming links to the Clop ransomware gang and referencing vulnerabilities disclosed in a July critical patch update. Security teams and threat researchers are urging administrators to review patches and hunt for signs of compromise.
What Oracle disclosed and why it matters
Oracle confirmed on Thursday that it is looking into dozens — and possibly hundreds — of spear-phishing extortion messages sent to corporate executives who use E-Business Suite products. The company’s chief security officer, Rob Duhart, warned that the activity could be tied to critical vulnerabilities Oracle disclosed in its July patch release.
Oracle’s public post encouraged customers to revisit the July security bulletin and apply any outstanding fixes. In short: if you run E-Business Suite and haven’t patched since July, your environment could be at greater risk.
Who’s claiming responsibility — and what researchers say
Emails circulating since September 2025 include threats from actors who claim affiliation with Clop. Google’s Threat Intelligence Group and its Mandiant incident response team have tracked the senders and flagged the messages, but they did not provide immediate proof that data was actually exfiltrated.

Both Google/Mandiant and independent investigators map the activity to groups historically linked to Clop. Analysts call the cluster FIN11; other firms, like Kroll, label the same activity KTA080. Those connections are based on reused contact emails and behavioral patterns tied to earlier incidents, including the notorious MOVEit and Cleo file transfer exploits in prior years.
What the extortion emails look like
According to Kroll and other incident responders, the messages are targeted spear-phishing attempts addressed to executives and IT leaders. They assert access to sensitive ERP data and include contact addresses that, in some cases, match email accounts used in earlier Clop/KTA080 ransom demands. Recipients are urged to treat these messages seriously and investigate.
Advice for administrators and security teams
- Review and apply the July critical patch update from Oracle immediately if you haven’t already.
- Search logs and telemetry for unusual access patterns or data exfiltration signs, especially around E-Business Suite components.
- Confirm that multi-factor authentication and least-privilege controls are in place for administrative accounts.
- Preserve suspicious emails and associated headers to support incident response and threat intelligence sharing.
- Consider engaging an incident response provider to perform a focused investigation if you received an extortion demand.
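The attribution signal the article describes, contact addresses in the extortion note matching addresses seen in earlier ransom demands, is something a security team can check mechanically once the emails and headers are preserved. The script below is an added example written for this page, not code from Oracle, Kroll or Mandiant; the watchlist entries and the sample message are constructed placeholders, and a real watchlist would come from your incident response provider or threat-intelligence feed.

```python
import email
import re
from email import policy

# Constructed watchlist with placeholder values (assumption): real indicators
# come from your IR provider or threat-intel feed, not from this example.
WATCHLIST = {"contact-placeholder@example.invalid", "second-placeholder@example.invalid"}

ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_contacts(raw: bytes) -> dict:
    """Collect addresses from sender-side headers and from the body of one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header_addrs = set()
    for name in ("From", "Reply-To", "Return-Path", "Sender"):
        value = msg.get(name)
        if value:
            header_addrs.update(a.lower() for a in ADDR_RE.findall(str(value)))
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return {"headers": header_addrs,
            "body": {a.lower() for a in ADDR_RE.findall(text)}}


def triage(raw: bytes, watchlist=WATCHLIST) -> dict:
    """Match every contact address against the watchlist; any hit means escalate."""
    found = extract_contacts(raw)
    all_addrs = found["headers"] | found["body"]
    hits = sorted(a for a in all_addrs if a in watchlist)
    return {"contacts": sorted(all_addrs), "watchlist_hits": hits, "escalate": bool(hits)}


# Constructed sample note for a self-contained run; not a real extortion e-mail.
SAMPLE = b"""From: "Finance Notice" <noreply@example.invalid>
Reply-To: contact-placeholder@example.invalid
To: cfo@corp.example
Subject: Regarding your ERP data
Content-Type: text/plain; charset="utf-8"

We hold your E-Business Suite records. Write to contact-placeholder@example.invalid
or backup-placeholder@example.invalid within 72 hours.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run it over each preserved .eml file; a non-empty watchlist_hits list is the cue to escalate to incident response rather than treat the message as ordinary spam.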
Why analysts are concerned
Clop and related groups have a track record of weaponizing file transfer and enterprise software vulnerabilities to harvest sensitive data and extort organizations. The group’s previous campaigns against MOVEit and Cleo led to dozens of breaches across retail and logistics sectors — and researchers say the reuse of contact details in new extortion notes strengthens the possibility of a repeating pattern.
As Max Henderson, global head of digital forensics and incident response at Kroll, noted, the ransom demands seen so far “match contact emails used in previous KTA080 (Clop) ransom demands,” which is why investigators are urging rapid, defensive action.
For organizations running Oracle E-Business Suite: patch first, investigate thoroughly, and document everything. In the current threat climate, that combination is often the difference between a contained incident and a costly breach.
Source: cybersecuritydive