Security researchers at Google say hackers targeting corporate executives with extortion emails have stolen data from “dozens of organizations,” one of the first signs that the hacking campaign may be far-reaching.
The tech giant said Thursday in a statement shared with TechCrunch that the Clop extortion gang exploited multiple security vulnerabilities in Oracle’s E-Business Suite software to steal significant amounts of data from affected organizations.
Oracle’s E-Business software allows companies to run their operations, such as storing their customer data and their employees’ human resources files.
Google said in a corresponding blog post that the hacking campaign targeting Oracle customers dates back to at least July 10, some three months before the hacks were first detected.
Oracle conceded earlier this week that the hackers behind the extortion campaign were still abusing its software to steal personal information about corporate executives and their companies. Days earlier, Oracle’s chief security officer, Rob Duhart, claimed in the same post — since scrubbed — that the extortion campaign was linked to previously identified vulnerabilities that Oracle patched in July, suggesting the hacks were over.
But in a security advisory published over the weekend, Oracle said the zero-day bug — named because Oracle had no time to fix the bug, as it was already being exploited by hackers — can be “exploited over a network without the need for a username and password.”
The Russia-linked Clop ransomware and extortion gang has made a name for itself in recent years for mass-hacking campaigns, often involving the abuse of vulnerabilities unknown to the software vendor at the time they were exploited, to steal large amounts of corporate and customer data. This includes managed file transfer tools, like Cleo, MOVEit, and GoAnywhere, which companies use as a way to send sensitive corporate data over the internet.
Google’s blog post includes email addresses and other technical details that network defenders can use to look for extortion emails and other indications that their Oracle systems may have been compromised.
