Groups of attackers associated with the Clop ransomware have begun sending emails to Oracle customers, demanding extortion payments and claiming to have stolen data from the recipients' Oracle E-Business Suite environments. Although investigators have not confirmed the veracity of these claims, multiple investigations are underway into the Oracle environments belonging to the organizations that received such communications.
Extortion or real data theft?
According to Charles Carmakal, CTO of Mandiant Consulting, a high-volume email campaign has been observed, launched from hundreds of compromised accounts. The emails contain contact information and, interestingly, some of the provided addresses have been verified as publicly listed on the Clop data leak site. Despite this, Clop has not yet made its claims public on its leak platforms.
The extortion campaign has involved sending emails directed at company executives from compromised third-party accounts, starting on or before September 29. Genevieve Stark, head of cybercrime intelligence analysis at Google Threat Intelligence Group, commented that, although the indications point to Clop, it is unclear whether the group’s claims are credible or how they gained access to Oracle’s information.
Although efforts are being made to determine the authenticity of these threats, there is currently no evidence of a successful data breach or of specific malware related to this campaign. The extortion emails pressure victims to initiate negotiations but do not include concrete demands. Researchers continue to work on clarifying how this possible access to Oracle E-Business Suite occurred and what impact it could have on Oracle's customers.