Oracle customers targeted by extortion emails claiming E‑Business Suite data theft

A financially motivated hacking campaign is pressuring executives at large organisations to pay ransoms after claiming data was stolen from Oracle’s E‑Business Suite, according to multiple cybersecurity firms investigating the incidents.

Mandiant and Google’s Threat Intelligence Group said they are tracking a high‑volume wave of extortion emails sent on or before 29 September from hundreds of compromised third‑party accounts, asserting theft from internet‑facing Oracle E‑Business Suite portals. “We are currently observing a high‑volume email campaign being launched from hundreds of compromised accounts,” said Charles Carmakal, chief technology officer at Mandiant Consulting. “The malicious emails contain contact information, and we’ve verified that the two specific contact addresses provided are also publicly listed on the Clop data leak site,” he added.

Investigators cautioned that core claims remain unproven. “It is not yet clear whether the threat actor’s claims are credible, and if so, how they obtained access,” said Genevieve Stark, head of cybercrime and information operations intelligence analysis at Google Threat Intelligence Group. She noted the campaign began on or before 29 September and involves compromised email infrastructure.

BleepingComputer reported that contact details in the emails match addresses listed on the Clop ransomware gang’s leak site and that one sending account has been linked to FIN11, a long‑running extortion group. “We are currently observing a high‑volume email campaign being launched from hundreds of compromised accounts and our initial analysis confirms that at least one of these accounts has been previously associated with activity from FIN11,” Carmakal said. Mandiant advised recipients to review Oracle E‑Business Suite environments for unusual access.

Bloomberg, citing Halcyon, said the hackers provided screenshots and file trees as alleged proof and, in at least one case, demanded up to £50 million. “We have seen Cl0p demand huge seven‑ and eight‑figure ransoms in the last few days,” said Cynthia Kaiser, vice president at Halcyon’s ransomware research centre. “This group is notorious for stealthy, mass data theft that heightens their leverage in ransom negotiations.” Halcyon added that attackers abused default password‑reset functions to gain valid credentials.


