A criminal group is extorting executives and tech departments at large organizations, claiming to have stolen data from their Oracle Corp. applications. Cybersecurity experts familiar with the situation believe the hackers are targeting the company’s popular E-Business Suite, which manages essential operations like finance, supply chain, and customer relations. In one case, the ransom demand reached a staggering $50 million. The group, which says it’s affiliated with the well-known criminal outfit Cl0p, has been providing victims with proof of the data theft, including screenshots and file trees, and at least one company has confirmed the breach.
The hackers began sending out extortion emails on or before September 29. These messages were sent from hundreds of compromised third-party accounts and claimed that the recipient’s data had been stolen. Genevieve Stark, the head of cybercrime at Google’s Threat Intelligence Group, noted that at least one of the email addresses used in the extortion notes was previously linked to a Cl0p affiliate. Additionally, the contact details provided in the messages are the same ones listed on Cl0p’s own website.
According to cybersecurity firm Halcyon, which is currently responding to the campaign, the group has demanded significant ransoms. Cynthia Kaiser, the vice president of Halcyon’s ransomware research center, stated that the group has asked for seven- and eight-figure ransoms in the last few days. She added that Cl0p is “notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations.”
The extortion emails themselves contain poor grammar and sloppy English, which is considered characteristic of this group. The targets of the extortion letters haven’t been disclosed, nor has it been revealed whether any victims have paid the ransom. While the hackers provided proof of the breach, Alphabet Inc.’s Google has yet to find enough evidence to independently verify the claims made in the extortion demands.
Halcyon’s analysis suggests that the hackers first compromised user email accounts and then abused the default password-reset function of the internet-facing Oracle E-Business Suite portals to obtain valid credentials. However, another source familiar with the matter believes the data theft resulted from the exploitation of a different, previously unknown vulnerability in the Oracle E-Business Suite software.