
Oracle links extortion campaign to bugs addressed in July patch

Software giant Oracle confirmed reports that dozens of its customers have received extortion emails from cybercriminals demanding payment in exchange for not releasing troves of stolen information.

In a statement published Thursday evening, Oracle chief security officer Rob Duhart said they are investigating claims made by the Clop ransomware gang that there was a breach of some Oracle E-Business Suite customers.

“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart said. “Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.”

The company did not explain which vulnerabilities in the July update were exploited and whether exploitation occurred after the update.

Incident responders at Mandiant and Google Threat Intelligence Group (GTIG) released a warning about the incident on Wednesday evening, telling Recorded Future News in an email that they are tracking a campaign launched by a threat actor potentially linked to Clop — a gang that previously made a name for itself with high-profile data thefts involving file transfer tools. 

The latest campaign, according to the incident responders, involves data the hackers said was stolen through the Oracle E-Business Suite, a widely used business platform containing several applications that manage finance, human resources and supply chain functions.

Genevieve Stark, a senior cybercrime investigator at GTIG, said the team believes the campaign started on September 29 but is still in the early stages of multiple investigations. 

The extortion emails threaten to either publish victim company data or sell it on the dark web. 

The Cybersecurity and Infrastructure Security Agency (CISA) would not say whether it is assisting potential victims in response to the extortion emails, instead directing Recorded Future News to a 2023 advisory about Clop. 

Cynthia Kaiser, former Deputy Director of the FBI’s Cyber Division who now works for incident response firm Halcyon, said the first observed email contact from Clop began in late September. 

“We have seen seven and eight figure demands thus far,” Kaiser said of Clop’s ransom demands. 

Kaiser explained that the threat actors shared screenshots and filetree listings to prove they had accessed data, noting that the tactics used aligned with previous Clop campaigns. 

After emerging in 2019, Clop targeted vulnerabilities in internet-facing file sharing software from Cleo, MOVEit, GoAnywhere and Accellion.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.