Execs Scammed in Alleged Oracle Apps Breach

The executives at big companies are getting extortion emails from hackers who say they have stolen data from Oracle’s business software, according to security researchers and incident responders’ information on the campaign. The emails, sent from hacked email accounts, demand that companies hand over payment to keep sensitive corporate files like employee contracts and financial information private with the implication that the confidential data will be leaked if they refuse.

Extortion Wave Linked To Oracle E‑Business Suite Attacks

Utilizing the email messages, which reference hacks of Oracle E‑Business Suite, a widely used platform for finance, HR and other tasks that were intercepted, researchers at Google’s security teams identified additional intrusions into its computer systems. Some messages carry markers pointing to Clop ransomware actors, an extortion group that exploits software vulnerabilities and engages in mass‑extortion techniques.

Investigators say hundreds of inboxes that have already been hacked are being commandeered to send the messages, increasing believability by riding on top of real domains and contact histories. In many cases, attackers are believed to have exploited password‑reset workflows on externally available Oracle E‑Business Suite portals to harvest live login credentials — a tactic used in previous campaigns cited by enterprise incident responders.

Oracle has not publicly acknowledged the compromise of its own systems. Instead, the information available suggests these are cases of targeted abuse of customer‑hosted portals and reused passwords rather than a compromise of Oracle’s core network. Like many waves of extortion, the claims may be inflated in order to nudge victims toward a quick payoff.

How the Oracle E‑Business Suite attack works

But the campaign depends on three advantages: inbox compromise, reset abuse and executive pressure. Attackers begin, using stolen email accounts and poorly enforced mail authentication, to blast demands into inboxes that can skirt some filters. Second, they are testing the internet‑facing Oracle E‑Business Suite self‑service portals and are trying to reset passwords for employee or contractor accounts of vendors (frequently with success where multifactor authentication is not enforced). Third, they go directly to senior leadership, mentioning specific modules — say HR or payables — that will most raise the urgency.

In messages seen by incident responders, attackers will sometimes attach small data samples as “proof” of access and then establish tight payment deadlines. Even when the samples are legit, they may have come from previous breaches, recycled logins, or supplier systems instead of the hacking victim’s Oracle environment — a ruse seen more and more in modern extortion.

What data could be exposed in Oracle E‑Business Suite

Oracle E‑Business Suite likely contains highly sensitive information: employee records, payroll data, supplier banking details, purchase orders and general ledger entries. For adversaries, the possibility of partial access to those modules would force further social engineering — allowing for supplier fraud with real invoice data or HR‑themed lures directed at execs and payroll admin.

It’s that vulnerability that causes extortion emails to name the particular business function. The goal is psychological leverage. Executives may become players in another drama — even if the attackers never actually accessed data underneath, invoking finance or HR systems may be more than enough to set off panic at the top.

Scale and precedent for Oracle‑linked extortion emails

Actors associated with Clop led the way in mass exploitation campaigns that transformed software supply chain weaknesses into widespread extortion operations. In the 2023 MOVEit spree, thousands of affected organizations and tens of millions of exposed individuals were tallied in independent analyses by Emsisoft and other companies. The old playbook of classic ransomware encryption has evolved into pure data theft and email‑driven coercion.

The background is no less grim. The FBI Internet Crime Complaint Center said that business email compromise cost victims about $2.9 billion in losses in 2023. According to Verizon’s latest Data Breach Investigations Report, credential theft and social attacks bring about most breaches — the exact methods combined here with hacked mailboxes and reset abuse.

Advisory For Executives And Security Professionals

If you get email threats, do not pay based on the email alone. Consider each extortion message to be an incident to verify. Save any headers and the entirety of the message text, and then forward to your security operations center and legal department. Ask your incident response team to check whether any Oracle E‑Business Suite accounts were used and any data was siphoned out.

Harden Oracle access paths immediately. Require multifactor authentication and single sign‑on for Oracle E‑Business Suite if applicable; disable self‑service password resets over the internet; and require service desk validation for high‑privilege accounts. Review admin/integration accounts, rotate keys/passwords, monitor for abnormal logons from unexpected IP ranges/geos.

Accelerate patching. Oracle releases quarterly Critical Patch Updates to fix bugs in that version, so you should apply the latest CPU, and externally facing components be minimized or put behind VPN or zero‑trust access. Verify DMARC, DKIM and SPF policy adoptions on your domains and of critical vendors to mitigate against email spoofing or account takeover.

Prepare leadership. Create a mini decision matrix for extortion, pre‑approve external counsel and incident response retainers, and practice communications with executives. In the event that personal data or payroll information is verified as being exposed, work with privacy counsel to prepare regulatory notices in compliance with laws.

What to watch next as Oracle‑themed extortion evolves

Anticipate more copycat emails referring to Oracle‑related systems, supplier portals and the like as adversaries iterate based on what gets results. Monitor alerts from Google’s security teams, CISA, and reputable incident response organizations as scale and attribution indicators emerge. Enterprises that quickly shut down reset workflows, implement MFA and tighten mail authentication will be significantly less attractive to pursue as this campaign shifts.