The University of Pennsylvania and the University of Phoenix have both confirmed that they are among the many organizations recently targeted in a significant cybercrime campaign that exploited Oracle’s E-Business Suite (EBS) solution. The University of Pennsylvania is actively sending data breach notification letters to individuals whose personal information was compromised. This attack specifically targeted the university’s Oracle EBS instance, which is used for essential business functions like supplier payments and general ledger entries. While Penn informed the Maine Attorney General’s Office that nearly 1,500 residents of that state were impacted, the total number of individuals affected globally remains undisclosed.
The University of Phoenix, whose disclosure was made through its parent company, Phoenix Education Partners, in a filing with the Securities and Exchange Commission, discovered the intrusion on November 21st. This discovery was made just one day after the university was listed on the Cl0p ransomware leak website. A subsequent investigation into the breach revealed that the hackers successfully gained access to highly sensitive information, including names, contact details, dates of birth, Social Security numbers, and bank account information. However, unlike in the case of many other victims, where hackers have released hundreds of gigabytes of stolen data, no information allegedly belonging to the University of Phoenix appears to have been made public so far.
These two institutions are not isolated cases; they are part of a growing list of universities impacted by the Oracle EBS campaign. Harvard University was the first to publicly confirm being affected, and Dartmouth College later confirmed a data breach in late November after cybercriminals leaked over 200 gigabytes of files purportedly stolen from the institution. Southern Illinois University and Tulane University have also been named as victims on the Cl0p website, though neither has publicly confirmed being targeted. Notably, the cybercriminals have yet to name the University of Pennsylvania publicly as a victim of the hack.
The scope of this cyberattack extends far beyond the academic sector, encompassing more than 100 organizations named as victims. Major companies across various industries, including Canon, Mazda, Cox, and Logitech, have all confirmed that they were targeted. Other industry giants, such as Broadcom and Schneider Electric, have not yet issued any public statements regarding the matter. This widespread impact underscores the seriousness of the campaign that originated and came to light in early October.
Several crucial questions surrounding this extensive cyber campaign remain unanswered. It is currently unclear which specific zero-day vulnerabilities were exploited to carry out the attack, and the identity of the group behind the operation has not been definitively established. While the Cl0p ransomware group is the public-facing entity that has claimed responsibility for the breach, cybersecurity experts and the industry at large suspect that an unidentified cluster of the advanced FIN11 threat group is the true entity responsible for executing the campaign.