Full Report
Cybereason is continuing to investigate. Check the Cybereason blog for additional updates. Last update: Oct 7, 11am EST

## Overview and What Cybereason Knows So Far

- **July 2025:** Oracle releases security updates including 309 patches, nine of which addressed flaws/vulnerabilities in Oracle E-Business Suite (EBS).
- **End of July 2025 through beginning of September 2025:** Cybereason has assessed, based on emerging evidence and ongoing forensic investigations, that CL0P orchestrated an Intrusion Path that allowed unauthorized access to on-premise, customer-managed Oracle E-Business Suite (EBS) solutions, enumerated accessible and stored data, and conducted data exfiltration.
- **End of September 2025 through beginning of October 2025:** Widespread, orchestrated email extortion campaigns emerged targeting users of on-premise, customer-managed Oracle E-Business Suite (EBS), requesting contact with CL0P in order to not expose data allegedly exfiltrated.
- **Beginning of October 2025:** Cybereason is aware of ongoing investigations in which CL0P has provided proof of data. CL0P does not appear to have named new victims associated with this incident as of October 4, 2025.
- **October 5, 2025:** Oracle confirms CVE-2025-61882 in Oracle E-Business Suite (EBS). This vulnerability is remotely exploitable without authentication (i.e., it can be exploited over a network without the need for a username and password). Successful exploitation can lead to remote code execution (RCE).
- **October 7, 2025:** Cybereason confirms the earliest evidence of threat actor activity occurred August 9; this date is subject to change based on ongoing investigations.
Analysis Summary
# Incident Report: CL0P Extortion Campaign Targeting Oracle EBS via CVE-2025-61882
## Executive Summary
Between late July and September 2025, the threat actor CL0P exploited vulnerabilities in customer-managed, on-premise Oracle E-Business Suite (EBS) environments, potentially including the zero-day CVE-2025-61882 disclosed on October 5, 2025, to gain unauthorized access and exfiltrate data. This activity culminated in widespread extortion emails starting in late September/early October 2025. Cybereason's earliest evidence of activity dates back to August 9, 2025, and investigations remain ongoing.
## Incident Details
- **Discovery Date:** October 7, 2025 (Earliest confirmed threat actor activity: August 9, 2025)
- **Incident Date:** July 2025 (Patch release) through October 2025 (Extortion campaign peak)
- **Affected Organization:** Customers utilizing on-premise, customer-managed Oracle E-Business Suite (EBS). (Specific victims not named.)
- **Sector:** Unspecified (Implied enterprise/business sector utilizing Oracle EBS)
- **Geography:** Global (Based on the nature of the targeted software and reported distribution of extortion emails)
## Timeline of Events
### Initial Access
- **Date/Time:** Estimated between July 2025 (post-patch release) and August 9, 2025 (earliest known actor activity).
- **Vector:** Exploitation of severe vulnerabilities in Oracle E-Business Suite (EBS), specifically CVE-2025-61882 (remotely exploitable, unauthenticated RCE) and potentially a combination of up to five unpatched CVEs from the July 2025 CPU update.
- **Details:** The threat actor established an Intrusion Path allowing unauthorized access and Remote Code Execution (RCE) capability on customer-managed EBS instances.
### Lateral Movement
- **Date/Time:** Late July 2025 through September 2025.
- **Vector:** Enumeration of accessible and stored data post-initial access. Specific lateral movement techniques beyond RCE are not detailed but were sufficient to facilitate data collection.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing through end of September 2025.
- **Vector:** Conducted data exfiltration from the compromised EBS instances.
- **Impact:** Alleged theft of data leading to subsequent extortion campaigns.
### Detection & Response
- **Date/Time:** Beginning late September/early October 2025.
- **Vector:** Widespread email extortion campaigns targeting victims globally, demanding payment to prevent data exposure. CL0P provided proof of data to some entities.
- **Response actions taken:** Cybereason is actively investigating. Victims are urged to scan their email infrastructure for CL0P contact emails and to conduct a DFIR investigation if the July patches were not applied by July 31, 2025. Oracle released patches for critical vulnerabilities, including CVE-2025-61882, on October 5, 2025.
## Attack Methodology
The report focuses heavily on the initial access vector and extortion phase:
- **Initial Access (IIV):** Exploitation of CVE-2025-61882 and/or other unpatched Oracle EBS vulnerabilities addressed in the July 2025 CPU to achieve RCE.
- **Persistence:** Not explicitly detailed, but implied through established unauthorized access necessary for data enumeration and exfiltration.
- **Privilege Escalation:** Not explicitly detailed, but the exploitation of RCE vulnerabilities implies the ability to execute code with sufficient privileges to extract data.
- **Defense Evasion:** Extortion emails were sent via hundreds of seemingly compromised, legitimate email accounts across various organizations to mask the source and evade filtering.
- **Discovery:** Enumeration of accessible and stored data on the EBS instance.
- **Collection:** Enumeration and collection of data stored within the EBS environment.
- **Exfiltration:** Data exfiltration occurred before the extortion phase.
- **Impact:** Financial extortion attempt based on data compromise.
## Impact Assessment
- **Financial:** Threat of direct financial loss via extortion payments.
- **Data Breach:** Data was allegedly accessed, enumerated, and exfiltrated from customer-managed EBS systems. Proof of data was provided by CL0P to some entities.
- **Operational:** Potential disruption resulting from the need for emergency patching and DFIR investigations across affected organizations.
- **Reputational:** High potential for reputational damage due to public extortion campaign linked to CL0P.
## Indicators of Compromise
*Note: Specific IOCs (IPs, URLs) were not provided in the excerpt.*
- **Behavioral indicators:** Receipt of extortion emails explicitly naming CL0P and demanding negotiation regarding EBS data compromise. Sender email accounts matching those previously used by CL0P/FIN11.
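Because the extortion mail arrived from hundreds of legitimate, compromised accounts, blocking by sender is of limited use; the signal a mail gateway can act on is the behavioral indicator above (a subject naming CL0P and referring to EBS data) arriving from many unrelated sender domains in a short window. The following triage script is an added example for this report, not Cybereason's tooling or data; the log format, addresses and domains are constructed for the demonstration.

```python
"""
Triage of inbound mail-gateway logs for the behavioral indicator in the report:
extortion mail that names CL0P and refers to Oracle EBS data, delivered from
many unrelated (compromised, legitimate) sender accounts.

Constructed example: the log format, field names and every address below are
assumptions made for this demonstration, not data from the incident.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of gateway log lines (key=value fields, quoted subject).
SAMPLE_LOG = """\
2025-09-29T08:12:03Z from=j.doe@alpha-supplier.test to=cfo@acme.test subject="Your Oracle EBS data has been downloaded - contact CL0P"
2025-09-29T08:14:40Z from=invoices@beta-logistics.test to=ciso@acme.test subject="Your Oracle EBS data has been downloaded - contact CL0P"
2025-09-29T08:20:11Z from=hr@gamma-holdings.test to=legal@acme.test subject="Your Oracle EBS data has been downloaded - contact CL0P"
2025-09-29T09:02:55Z from=newsletter@vendor.test to=cfo@acme.test subject="September product update"
2025-09-30T10:00:00Z from=it@delta-partners.test to=cfo@acme.test subject="Re: Oracle EBS data - reply to CL0P"
2025-10-03T15:45:12Z from=j.doe@alpha-supplier.test to=cfo@acme.test subject="Re: Oracle EBS data - reply to CL0P"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) subject="(?P<subject>[^"]*)"$'
)

# Content indicator from the report: the mail names CL0P and refers to EBS data.
ACTOR_RE = re.compile(r"\bcl[0o]p\b", re.IGNORECASE)
EBS_RE = re.compile(r"\b(oracle|e-?business|ebs)\b", re.IGNORECASE)


def parse_log(text):
    """Parse key=value gateway lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def names_actor_and_ebs(subject):
    """True when the subject matches both halves of the behavioral indicator."""
    return bool(ACTOR_RE.search(subject)) and bool(EBS_RE.search(subject))


def normalize(subject):
    """Collapse case, punctuation and Re:/Fwd: prefixes so near-identical
    subjects sent from different accounts group together."""
    s = re.sub(r"^(re|fw|fwd):\s*", "", subject.strip(), flags=re.IGNORECASE)
    return re.sub(r"[^a-z0-9]+", " ", s.lower()).strip()


def find_campaigns(records, min_sender_domains=3, window=timedelta(hours=24)):
    """Group indicator-matching mail by normalized subject and flag any group
    that arrives from at least `min_sender_domains` distinct sender domains
    inside `window`. Cross-sender correlation is the signal here, since each
    individual sender is a legitimate account."""
    groups = defaultdict(list)
    for rec in records:
        if names_actor_and_ebs(rec["subject"]):
            groups[normalize(rec["subject"])].append(rec)
    campaigns = []
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):            # sliding window over arrival time
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            domains = {r["sender"].split("@")[-1] for r in recs[start:end + 1]}
            if len(domains) >= min_sender_domains:
                campaigns.append({
                    "subject": key,
                    "sender_domains": sorted(domains),
                    "first_seen": recs[start]["ts"],
                    "recipients": sorted({r["rcpt"] for r in recs[start:end + 1]}),
                })
                break
    return campaigns


def triage(text=SAMPLE_LOG):
    """Return (messages matching the indicator, correlated campaigns)."""
    records = parse_log(text)
    hits = [r for r in records if names_actor_and_ebs(r["subject"])]
    return hits, find_campaigns(records)


if __name__ == "__main__":
    hits, campaigns = triage()
    print(f"{len(hits)} messages match the CL0P/EBS indicator")
    for c in campaigns:
        print("campaign:", c["subject"], "from", c["sender_domains"], "to", c["recipients"])
```

On the constructed log, five messages match the indicator, but only the first subject is promoted to a campaign: it arrives from three different sender domains within minutes, whereas the "reply to CL0P" thread comes from two domains days apart. Every flagged recipient mailbox is a candidate for the DFIR scoping the report recommends.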
## Response Actions
- **Containment:** Organizations that did not apply the July 2025 patches before July 31, 2025, are advised to perform a thorough DFIR investigation to identify backdoors, webshells, and compromised credentials.
- **Eradication:** Remediation relies on patching vulnerable Oracle E-Business Suite components.
- **Recovery:** Validation and verification of patching levels, and remediation of any identified persistence mechanisms or compromised accounts.
## Lessons Learned
1. **Patch Urgency is Critical:** The exploitation window opened immediately after the July 2025 CPU release, indicating that failure to apply patches quickly (especially those addressing RCE vulnerabilities) directly leads to compromise.
2. **Defense-in-Depth for Critical Applications:** The successful exploitation of an RCE vulnerability highlights that strong authentication mechanisms like SSO/MFA, if properly configured, may mitigate the impact even if lower-layer vulnerabilities are exploited.
3. **Multi-vector Evasion:** CL0P utilized a concerted effort using hundreds of legitimate, compromised email accounts for extortion, demonstrating sophisticated techniques to bypass email filtering.
## Recommendations
1. **Immediate Patching:** Implement Oracle's July 2025 CPU patches, paying special attention to all related Oracle components (Database, Fusion Middleware).
2. **Apply Specific Fixes:** Implement Oracle SBE Patch for CVE-2025-61882 immediately (released October 5, 2025).
3. **Strengthen Authentication:** Integrate Oracle EBS login portals with Single Sign-On (SSO) and Multi-Factor Authentication (MFA) solutions.
4. **Enhance Logging:** Integrate Web Application Firewall (WAF), Firewall, and Web Access logs into a Security Information Management (SIM) or Log Aggregator for long-term preservation and analysis.
5. **Proactive DFIR:** Any client that failed to implement the July 2025 patching by July 31, 2025, must engage in a thorough DFIR assessment to rule out prior compromise.
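The recommendations above reduce to a per-host decision rule: a host that did not receive the July 2025 CPU by July 31, 2025 needs a DFIR assessment, every host needs the October 5 fix for CVE-2025-61882, and the EBS login should sit behind SSO/MFA. The script below applies that rule to an inventory. It is an added example for this report, not Cybereason's or Oracle's tooling; the inventory format, hostnames, patch dates and the "as-of" date are constructed assumptions.

```python
"""
Exposure triage for an inventory of on-premise Oracle EBS hosts, applying the
rules stated in the report:
  * July 2025 CPU not applied by July 31, 2025  -> DFIR assessment required
  * CVE-2025-61882 fix (released Oct 5, 2025) missing -> apply it
  * EBS login not behind SSO/MFA -> add it
It also reports how many days each host ran without the CVE-2025-61882 fix
after the earliest confirmed actor activity (August 9, 2025).

Constructed example: the inventory columns, hostnames, dates and the default
as-of date are assumptions for this demonstration, not incident data.
"""
from datetime import date, datetime

JULY_CPU_DEADLINE = date(2025, 7, 31)   # "patched by July 31, 2025" rule from the report
EARLIEST_ACTIVITY = date(2025, 8, 9)    # earliest confirmed actor activity
REPORT_AS_OF = date(2025, 10, 7)        # report's last update; assumed as-of date

# Constructed inventory (CSV): host, date the July 2025 CPU was applied (blank if
# never), date the CVE-2025-61882 fix was applied (blank if never), SSO/MFA in front
# of the EBS login portal.
SAMPLE_INVENTORY = """\
host,july_cpu_applied,cve_61882_fix_applied,sso_mfa
ebs-prod-01,2025-07-22,2025-10-06,yes
ebs-prod-02,2025-08-15,2025-10-06,no
ebs-dev-01,,,no
ebs-uat-01,2025-07-30,,yes
"""


def parse_date(s):
    """'YYYY-MM-DD' -> date, blank -> None."""
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None


def parse_inventory(text):
    """Parse the CSV above into a list of dicts with typed fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    rows = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["july_cpu_applied"] = parse_date(rec["july_cpu_applied"])
        rec["cve_61882_fix_applied"] = parse_date(rec["cve_61882_fix_applied"])
        rec["sso_mfa"] = rec["sso_mfa"].strip().lower() == "yes"
        rows.append(rec)
    return rows


def assess(host, as_of=REPORT_AS_OF):
    """Apply the report's rules to one inventory row and return a verdict."""
    cpu = host["july_cpu_applied"]
    fix = host["cve_61882_fix_applied"]
    dfir_required = cpu is None or cpu > JULY_CPU_DEADLINE

    # Days between earliest confirmed actor activity and the host receiving the
    # CVE-2025-61882 fix (or the as-of date if it is still missing). This is a
    # scoping heuristic for DFIR, not proof that the host was attacked.
    fix_boundary = fix if fix else as_of
    unfixed_days = max(0, (fix_boundary - EARLIEST_ACTIVITY).days)

    actions = []
    if dfir_required:
        actions.append("DFIR assessment (backdoors, webshells, compromised credentials)")
    if fix is None:
        actions.append("apply CVE-2025-61882 fix")
    if not host["sso_mfa"]:
        actions.append("front EBS login with SSO/MFA")
    return {
        "host": host["host"],
        "dfir_required": dfir_required,
        "cve_61882_unfixed_days": unfixed_days,
        "actions": actions,
    }


def triage(text=SAMPLE_INVENTORY, as_of=REPORT_AS_OF):
    """Assess every host in the inventory."""
    return [assess(h, as_of) for h in parse_inventory(text)]


def hosts_needing_dfir(results):
    """Sorted hostnames that missed the July 31 deadline."""
    return sorted(r["host"] for r in results if r["dfir_required"])


if __name__ == "__main__":
    for r in triage():
        print(r["host"], "DFIR" if r["dfir_required"] else "ok",
              f"{r['cve_61882_unfixed_days']}d without 61882 fix", r["actions"])
```

Note that a host which applied the July CPU late (ebs-prod-02 in the sample) still lands in the DFIR list: the report's rule is about the state of the system on July 31, and later patching closes the hole but does not remove any foothold gained before it.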