‘Dozens’ of organizations had data stolen in Oracle-linked hacks

Security researchers at Google report that hackers targeting corporate executives with extortion emails have successfully stolen data from dozens of organizations. This is one of the first signs that the hacking campaign could be far-reaching.

The tech giant stated that the Clop extortion gang exploited multiple security vulnerabilities in Oracle’s E-Business Suite software. These exploits allowed the hackers to steal significant amounts of data from the affected organizations. Oracle’s E-Business software is used by companies to run their operations, including storing customer data and employee human resources files.

Google noted in a corresponding blog post that this hacking campaign targeting Oracle customers dates back to at least July 10. This was approximately three months before the hacks were first detected.

Oracle conceded earlier this week that the hackers behind the extortion campaign are still abusing its software to steal personal information about corporate executives and their companies. Just days prior, Oracle’s chief security officer, Rob Duhart, had claimed the extortion campaign was linked to previously identified vulnerabilities that Oracle patched in July, suggesting the attacks were over. That post has since been removed.

However, in a security advisory published over the weekend, Oracle confirmed the existence of a zero-day bug, so called because the vendor had zero days to fix it before hackers began exploiting it. Oracle stated that this particular bug can be exploited over a network without a username or password.

The Russia-linked Clop ransomware and extortion gang has become known in recent years for its mass-hacking campaigns. The group often abuses vulnerabilities unknown to the software vendor at the time of exploitation to steal large amounts of corporate and customer data. Their past targets have included managed file transfer tools like Cleo Software, MOVEit, and GoAnywhere, which companies use to send sensitive data over the internet.

Google’s blog post includes email addresses and other technical details that network defenders can use to search for extortion emails and other signs that their Oracle systems may have been compromised.