
CYBER SYRUP
Delivering the sweetest insights on cybersecurity.
Universities Confirm Oracle EBS Breaches as Cl0p Campaign Expands

A growing number of U.S. universities—including the University of Pennsylvania and the University of Phoenix—have confirmed data breaches linked to the broader Oracle E-Business Suite (EBS) compromise attributed to the Cl0p ransomware operation. Attackers leveraged undisclosed zero-day vulnerabilities to infiltrate EBS instances, exfiltrate sensitive data, and list victims publicly on leak sites. More than 100 organizations across multiple industries have been implicated in this ongoing campaign.
Context
Oracle EBS is a widely used enterprise software platform supporting financial operations, procurement, supplier management, and accounting workflows. Since October 2025, threat actors have exploited previously unknown vulnerabilities to breach EBS environments at universities, corporations, and government entities.
Cl0p has publicly taken credit, but cybersecurity analysts suspect a deeper, more capable threat cluster associated with FIN11 is behind the technical execution.
What Happened
The University of Pennsylvania and the University of Phoenix (UoPX) are the latest academic institutions to confirm compromises of their Oracle EBS platforms.
Penn reported to the Maine Attorney General that nearly 1,500 state residents were affected, with total victim counts still undetermined. The University of Phoenix disclosed the incident through SEC filings after discovering the intrusion one day after appearing on Cl0p’s leak site.
Other universities—including Harvard, Dartmouth, Southern Illinois University, and Tulane—were also identified as victims, though not all have publicly confirmed details.
Technical Breakdown
The intrusions share multiple characteristics:
Exploitation of Oracle EBS zero-day vulnerabilities: Specific CVEs have not yet been disclosed, suggesting ongoing forensic analysis or unresolved vendor patches.
Unauthorized access to sensitive data: Stolen datasets include names, contact details, dates of birth, Social Security numbers, and bank account information.
Large-scale data exfiltration: Dartmouth alone saw over 200 GB of files leaked.
Post-intrusion discovery delays: UoPX detected the breach only after being listed on Cl0p’s site.
Coordinated victim enumeration: Over 100 organizations have been named, indicating a systematic exploitation effort.
Impact Analysis
The scale of the EBS campaign positions it as one of the most significant coordinated breaches of 2025:
Operational disruption to financial workflows and supplier payments
High-risk exposure of personally identifiable information (PII)
Potential financial fraud and identity theft
Regulatory and legal consequences under state, federal, and higher-education compliance regimes
Reputational damage across academic and corporate sectors
For universities handling large populations of students, alumni, vendors, and staff, PII exposure can have long-lasting implications.
Why It Matters
This incident highlights persistent systemic weaknesses in enterprise platforms that underpin mission-critical operations. Oracle EBS environments are deeply integrated into financial systems; a single breach can compromise years of records.
Furthermore, the attack reinforces emerging trends:
Zero-day exploitation targeting large ERP systems
Ransomware groups evolving into multi-stage, data-theft-first operations
Higher education institutions becoming consistent high-value targets
Expert Commentary
Security researchers note that Cl0p often serves as the public-facing brand for deeper, more sophisticated threat actors.
Analysts monitoring the campaign suggest that an unidentified cluster associated with FIN11—a well-resourced financially motivated group—is responsible for the underlying technical breach activity, with Cl0p handling data publication and extortion.
The coordinated nature of the attack strongly suggests long-term reconnaissance and exploitation planning.
Key Takeaways
Two major universities—Penn and UoPX—have joined a growing list of Oracle EBS breach victims.
More than 100 organizations have been named across sectors including education, automotive, healthcare, and manufacturing.
Attackers accessed sensitive PII but payment information remains unexposed for now.
Zero-day vulnerabilities in Oracle EBS are believed to be the root entry point.
Cl0p is claiming responsibility publicly, but FIN11 is suspected behind the actual exploitation.
The academic sector continues to face significant targeted attacks due to its decentralized infrastructures.

