Threat Summary
Category: Corporate Extortion Campaign
Features: Oracle E-Business Suite exploitation, extortion emails, seven- and eight-figure ransom demands, patch advisories referenced
Delivery Method: Exploitation of vulnerabilities → mass extortion emails with proof-of-access screenshots
Threat Actor: Clop ransomware gang (aka FIN11) — attribution supported but still under investigation
Oracle has confirmed that dozens of its customers have received extortion emails threatening to release stolen data unless ransom payments are made. The campaign, already being tracked by Mandiant and Google Threat Intelligence Group (GTIG), is believed to involve exploitation of Oracle E-Business Suite, a widely deployed business management platform used for finance, HR, and supply chain operations.
In a Thursday evening statement, Oracle’s Chief Security Officer Rob Duhart acknowledged that the extortion campaign may have leveraged flaws addressed in the company’s July 2025 Critical Patch Update (CPU).
“Our ongoing investigation has found the potential use of previously identified vulnerabilities that are addressed in the July 2025 Critical Patch Update,” Duhart said. “Oracle reaffirms its strong recommendation that customers apply the latest Critical Patch Updates.”
Oracle did not clarify which vulnerabilities were abused or whether exploitation occurred after the July patches were released.
Anatomy of the Campaign
- Start Date: September 29, 2025 (per GTIG).
- Attack Surface: Oracle E-Business Suite, impacting dozens of corporate customers.
- Extortion Tactics: High-value ransom demands, threatening to publish or sell corporate data.
- Proof of Access: Screenshots and file tree listings shared with victims to demonstrate access.
Former FBI Cyber Division Deputy Director Cynthia Kaiser, now with incident response firm Halcyon, confirmed that initial extortion emails were observed in late September, with seven- and eight-figure ransom demands — placing victims under immense financial and reputational pressure.
Clop’s Playbook
The campaign bears all the hallmarks of Clop, also known as FIN11, a financially motivated threat group notorious for exploiting unpatched enterprise software.
Key features of Clop’s historical campaigns:
- Focus on data theft, not disruption — exfiltrating sensitive information rather than locking systems.
- Leveraging vulnerabilities in widely deployed enterprise tools: MOVEit, Accellion, GoAnywhere, Cleo.
- Double extortion tactics: exfiltrate first, then threaten exposure or sale on the dark web.
- Use of extortion portals and leak sites to pressure victims by threatening public disclosure.
Clop’s MOVEit campaign in 2023 illustrated the global stakes: nearly 2,800 organizations compromised, 96 million individuals impacted, and ransom payments estimated between $75 million and $100 million.
The reuse of similar tactics in this Oracle campaign suggests that Clop is attempting to replicate its most lucrative model — exploiting corporate reliance on centralized platforms.
Infrastructure at Risk
Oracle’s E-Business Suite represents a particularly attractive target. Used across finance, HR, and logistics, it stores sensitive corporate records and employee data, including payroll and supply chain documentation. Exploitation of this platform means attackers can access material with both high financial value and operational leverage.
The involvement of an initial access broker market — where stolen credentials are sold to groups like Clop — is suspected but not yet confirmed. Given the scale of corporate E-Business Suite deployments, even a handful of compromised accounts could cascade across industries.
Policy and Allied Pressure
The Cybersecurity and Infrastructure Security Agency (CISA) has so far declined to confirm direct involvement with Oracle victims, referring reporters back to its 2023 advisory on Clop. The advisory remains relevant because Clop’s operational methods have evolved but not fundamentally changed: it still exploits the lag between patch release and deployment in real-world corporate environments.
Mandiant CTO Charles Carmakal noted that Clop’s infrastructure overlaps with prior campaigns, including extortion email accounts tied to earlier MOVEit and GoAnywhere incidents.
Forecast — 30 Days
- Escalation of extortion: Victims can expect increasing pressure, including staged data leaks to prove seriousness.
- Patch urgency: Organizations that have not applied Oracle’s July CPU remain at high risk. Expect rapid scanning and opportunistic exploitation by additional actors.
- Global ripple: Oracle’s multinational customer base means the campaign may cross multiple regulatory jurisdictions, raising the risk of compliance fallout.
- Copycat campaigns: Once Clop demonstrates a successful Oracle attack path, other ransomware crews will replicate it.
The Bigger Picture
This campaign highlights a dangerous truth: patch cycles are too slow for the speed of extortionware. Oracle patched in July, yet exploitation continues because organizations delay updates for stability testing, leaving a window of opportunity wide open for adversaries.
Clop has already proven it can exploit this delay at global scale. By pivoting to Oracle, the group is signaling that enterprise backbone platforms are its next arena. The consequences stretch beyond technical breaches — they threaten the trust of global supply chains, payroll systems, and HR infrastructures.

