
Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign
Security firms and Google threat intelligence reported a large extortion campaign that abused a zero-day in Oracle E-Business Suite (and related environments), affecting “dozens” of organizations and leading to the exfiltration of large volumes of customer and operational data.
The campaign fits the CL0P/FIN-aligned extortion pattern: discover or weaponize an enterprise app vulnerability, quietly exfiltrate sensitive databases, then contact victims with threats to publish unless paid. Mandiant and Google research noted the adversaries performed careful reconnaissance, and in many cases deployed broad data collection before notifying victims.
The attack again highlights the risk posed by exposed, high-value enterprise applications (ERP/CRM) that aggregate financial, HR, and customer data. Defenders are urged to apply Oracle's emergency patches, segment networks, lock down administrative interfaces, and hunt for indicators of compromise tied to the campaign. The scale and choice of targets point to a continuing trend: enterprise-grade extortion now depends as much on data theft and reputational damage as on encryption (ransomware).