Client advisory: Cyber criminals targeting Oracle E-Business Suite

The cybercriminal group CLOP is actively targeting Oracle E-Business Suite, with credible reports of data theft and extortion.

Cyber Advisory, Thu, Oct 2, 2025

CFC are monitoring renewed activity from cybercriminal group CLOP, which is now targeting Oracle E-Business Suite (EBS) environments. While it’s not yet clear if a new vulnerability is being exploited, there’s credible evidence of data theft and extortion attempts. This activity has been spotted in several regions worldwide.

What we know

Recently, threat actors linked to CLOP have started sending extortion emails, claiming to have stolen data from Oracle EBS applications. These emails are coming from hundreds of compromised accounts, some previously associated with the FIN11 group. The contact details in these emails match those used on CLOP’s public data leak site. Security experts, including Google’s Threat Intelligence Group, have also reported similar incidents. While we’re still verifying the claims relating to stolen data, this campaign fits CLOP’s established pattern of exploiting vulnerabilities in enterprise software to carry out mass extortion.

Why this matters to businesses

Oracle EBS is a vital platform for many organisations, managing sensitive data and key business operations. If compromised, it could mean data loss, disruption to business operations, and reputational damage. CLOP’s approach is to pressure victims into paying up, often by threatening to leak stolen information.


About CLOP

CLOP is a financially motivated cybercriminal group, active since 2019. They’re known for exploiting zero-day vulnerabilities in widely used business software, such as MOVEit and Accellion. Unlike some other groups, CLOP tends to focus on data theft and extortion rather than deploying ransomware. They also run a public leak site to increase pressure on victims and have targeted organisations across government, healthcare, finance, education, and other critical sectors.

How to protect your network

If you or your client’s business uses Oracle EBS, we recommend taking these steps as soon as possible:

  • Check for unusual activity by reviewing Oracle EBS logs for unexpected account behaviour or large data exports.
  • Strengthen email security and ensure extortion-style emails are flagged and sent to IT or security teams, not end users.
  • Block or keep a close watch on any network traffic leaving your Oracle EBS systems to unfamiliar or suspicious external addresses.
  • Enable multi-factor authentication (MFA), especially on privileged and administrative accounts.
  • Test backups to confirm they are secure, working, and kept separate from your main systems.
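
As an added illustration of the first step (not CFC or Oracle code), the sketch below totals response bytes per client per hour from web-tier access logs and flags unusually large transfers. It assumes the EBS web tier writes Apache common/combined-format access logs; the function names, the 100 MiB threshold, and the sample lines (documentation-range addresses, placeholder paths) are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined log format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines; addresses and paths are placeholders, not real indicators.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Oct/2025:09:14:02 +0000] "GET /placeholder/home HTTP/1.1" 200 5120
198.51.100.7 - - [01/Oct/2025:09:15:40 +0000] "POST /placeholder/report HTTP/1.1" 200 204800
203.0.113.50 - - [01/Oct/2025:02:03:11 +0000] "POST /placeholder/export HTTP/1.1" 200 73400320
203.0.113.50 - - [01/Oct/2025:02:09:45 +0000] "POST /placeholder/export HTTP/1.1" 200 94371840
203.0.113.50 - - [01/Oct/2025:03:01:00 +0000] "GET /placeholder/home HTTP/1.1" 200 4096
this line is malformed and must be skipped
192.0.2.9 - - [01/Oct/2025:10:00:00 +0000] "GET /placeholder/home HTTP/1.1" 304 -
"""

def hourly_bytes(lines):
    """Sum response bytes per (client, hour); returns (totals, skipped_count)."""
    totals, skipped = defaultdict(int), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # count unparseable lines instead of hiding them
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hour = ts.strftime("%Y-%m-%d %H:00")
        size = 0 if m["size"] == "-" else int(m["size"])  # "-" means no body
        totals[(m["host"], hour)] += size
    return totals, skipped

def flag_large_transfers(lines, threshold_bytes=100 * 1024 * 1024):
    """Return [(client, hour, bytes)] for buckets above the threshold, largest first."""
    totals, _ = hourly_bytes(lines)
    hits = [(h, hr, b) for (h, hr), b in totals.items() if b > threshold_bytes]
    return sorted(hits, key=lambda t: t[2], reverse=True)

if __name__ == "__main__":
    for client, hour, size in flag_large_transfers(SAMPLE_LOG.splitlines()):
        print(f"{size / 2**20:.0f} MiB returned to {client} in hour starting {hour}")
```

Set the threshold from your own baseline of normal report and export sizes, and treat a high skipped-line count as a sign the log format differs from the one assumed here.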

All CFC cyber policyholders benefit from our proactive cyber security services and can contact our cyber security team 24/7/365. We’ll continue to monitor this threat closely to help businesses stay protected.

Clients can get in touch via our Response app to report any suspicious activity, or use the ‘Ask the expert’ function to ask any questions. You can also get in touch via customersupport@cfc.com for any questions or support.