TITLE: Oracle EBS Hackers Hit Dozens of Organizations Globally
Widespread Oracle E-Business Suite Cyberattack Uncovered
Security researchers from Google have revealed that a sophisticated cyberattack targeting Oracle E-Business Suite systems has impacted numerous organizations worldwide. The ongoing extortion campaign, which security experts have been closely monitoring, appears to have compromised dozens of enterprises across multiple sectors.
Cl0p Ransomware Gang Claims Responsibility
The attack came to light when executives at various American organizations began receiving threatening emails allegedly from the notorious Cl0p ransomware group. In these communications, the threat actors claimed to have stolen sensitive files from Oracle E-Business Suite implementations and demanded payment in exchange for not publishing the stolen data.
From Suspected Bluff to Confirmed Threat
Initially, security professionals speculated that the campaign might be a bluff, but these suspicions were quickly dispelled when Oracle released an emergency security patch addressing a previously unknown vulnerability. This zero-day flaw had been actively exploited by attackers before a fix became available.
Google’s Detailed Timeline Analysis
According to Google’s Threat Intelligence Group, the attacks likely began in the first half of August 2025, several weeks before Oracle made the patch available. The researchers also identified evidence suggesting some initial compromise attempts occurred as early as July 2025. In their comprehensive analysis, which provides deeper insights into the attack methodology, Google confirmed that in multiple instances, attackers successfully exfiltrated substantial amounts of sensitive organizational data.
Uncertain Attribution Points to Multiple Threat Actors
The investigation has revealed a complex attribution picture. While the ransom notes clearly identify Cl0p as the perpetrator, security researchers have found compelling evidence suggesting involvement from FIN11, a separate financially motivated cybercrime group known for sophisticated enterprise attacks.
Google’s report notes that “the pattern of exploiting a zero-day vulnerability in a widely used enterprise application, followed by a large-scale, branded extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11.”
Multiple Collaboration Scenarios Possible
Security analysts are considering several possibilities regarding the relationship between the threat groups:
- Direct collaboration between Cl0p and FIN11, sharing tactics and infrastructure
- Infrastructure rental where Cl0p may have leased attack resources from FIN11
- Methodology inspiration where Cl0p adopted FIN11’s proven attack strategies
Ongoing Investigation and Unknown Impact Scale
The full scope of the attack remains unclear as investigators continue to assess the damage. Security teams worldwide are urging organizations using Oracle E-Business Suite to implement the latest security patches immediately and review their systems for any signs of compromise. The evolving nature of this threat underscores the critical importance of proactive cybersecurity measures in today’s digital landscape.
