Oracle E-Business Suite Extortion Campaign: What We Know
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Researchers from Google’s Threat Intelligence Group (GTIG) and Mandiant have sounded the alarm about a new wave of extortion emails targeting organizations worldwide. The attackers claim to have stolen sensitive data from Oracle E-Business Suite (EBS) instances, raising concerns among enterprises that rely on the system to manage critical business operations.
What Is Oracle E-Business Suite?
Oracle E-Business Suite (EBS) is a widely used enterprise resource planning (ERP) system. Thousands of organizations rely on its integrated applications to manage everything from finance to supply chains. Because of its widespread adoption and the sensitive information it handles, EBS is a valuable target for cybercriminals.
Details of the Extortion Campaign
Timeline: Malicious activity appears to have begun around September 29.
Tactics: Executives at multiple companies received emails threatening exposure of stolen EBS data.
Attribution Claims: The attackers claimed affiliation with the well-known Cl0p ransomware group.
The campaign is large-scale: the extortion emails are being sent from hundreds of compromised email accounts, some of which were previously tied to FIN11, a long-standing cybercrime group known for ransomware and data-theft extortion. Because the senders are legitimate mailboxes rather than attacker-registered domains, the messages can pass SPF, DKIM and DMARC checks for the sending domain, so sender reputation alone is a weak filter for this activity.
Links to Cl0p and FIN11
Investigators have identified circumstantial evidence tying the campaign to Cl0p. Specifically:
Contact details in the extortion emails matched addresses listed on the Cl0p leak site.
Both Cl0p and FIN11 have a history of exploiting zero-day vulnerabilities in enterprise software for mass data theft.
However, researchers caution that attribution remains uncertain. Criminal groups often impersonate established actors like Cl0p to increase pressure on victims.
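The contact-address overlap described above is the one concrete, checkable signal in this report. The following Python script is an added example, not code from the Cyber Syrup post or from GTIG/Mandiant: it parses a raw email, pulls every address from the From/Reply-To/Sender headers and the text body, and flags a message when any address is on a watchlist of leak-site contacts. The watchlist entries, the sample message and the `.invalid`/`.example` domains are constructed placeholders; a real deployment would load the addresses actually published on the Cl0p leak site. Matching is done on the body addresses as well as the headers because, per the report, the senders are compromised legitimate accounts, so the instructions in the body are the more stable indicator.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed placeholder watchlist. Replace with the contact addresses
# actually published on the Cl0p leak site; these are NOT real indicators.
LEAKSITE_CONTACTS = {
    "support@example-leaksite.invalid",
    "unlock@example-leaksite.invalid",
}

# Loose address pattern for scanning free text in the message body.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def _text_parts(msg):
    """Yield decoded text/plain bodies from a parsed message (multipart or not)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True)
        if payload:
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def extract_addresses(raw_message):
    """Return every address found in sender-related headers and the body, lower-cased."""
    msg = message_from_string(raw_message)
    found = set()
    for header in ("From", "Reply-To", "Sender"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr:
                found.add(addr.lower())
    for text in _text_parts(msg):
        found.update(a.lower() for a in ADDR_RE.findall(text))
    return found


def triage(raw_message, watchlist=LEAKSITE_CONTACTS):
    """Compare all addresses in the message against the leak-site watchlist.

    A hit means the message directs the victim to a contact published by the
    group; it does not by itself prove the sender is that group (see the
    impersonation caveat in the report), so the result is an escalation
    trigger for incident response, not an attribution.
    """
    addrs = extract_addresses(raw_message)
    hits = addrs & {w.lower() for w in watchlist}
    return {
        "addresses": sorted(addrs),
        "leaksite_hits": sorted(hits),
        "escalate": bool(hits),
    }


# Constructed sample extortion email (not a real message): sent from a
# compromised third-party mailbox, with the leak-site contact in the body.
SAMPLE_EXTORTION_EMAIL = """\
From: Jane Doe <jane.doe@compromised-partner.example>
To: cfo@victim.example
Subject: Your Oracle E-Business Suite data
Content-Type: text/plain; charset=utf-8

We have downloaded your EBS databases. To discuss, contact
support@example-leaksite.invalid within 48 hours or the data is published.
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EXTORTION_EMAIL))
```

Run it on exported `.eml` files from the executives' mailboxes; a hit should go to incident response as a potential data-theft case, with the usual caveat that an address match shows the sender is using Cl0p-published contact details, not that the data-theft claim itself is true.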
Past Campaigns for Context
If confirmed, the attacks would be consistent with past operations by Cl0p and FIN11:
Cl0p: Responsible for large-scale data thefts via zero-day flaws in MOVEit Transfer, Cleo file transfer tools, and Fortra GoAnywhere MFT.
FIN11: Previously tied to a campaign exploiting a zero-day in Accellion's legacy File Transfer Appliance (FTA), leading to widespread data theft.
Researchers have previously observed overlap between the two groups, further complicating attribution.
Industry Response
Charles Carmakal, CTO of Mandiant, emphasized that the investigation is still in its early stages. He noted:
Attribution in financially motivated cybercrime is complex.
Threat actors frequently borrow the branding of notorious groups to intimidate targets.
For now, organizations are advised to treat these extortion attempts as potentially serious threats, regardless of whether the claims of stolen data are confirmed.
Conclusion
The Oracle EBS extortion campaign highlights the increasingly aggressive tactics used by cybercriminals to pressure organizations. While the link to Cl0p or FIN11 remains unproven, the campaign underlines the importance of robust email security, incident response readiness, and continuous monitoring of enterprise applications. As investigations continue, enterprises must remain cautious, especially when facing high-volume extortion attempts tied to critical business platforms.