Friday, November 7, 2025
Global Current News

Oracle warns customers of extortion attempts linked to hacker campaign

by Edwin O.
October 13, 2025
in Cybersecurity
Oracle zero-day

Oracle has sent urgent notifications to customers about ongoing extortion attempts after a zero-day vulnerability was identified in its E-Business Suite, which hackers have used to steal sensitive executive information. The technology giant published emergency patches over the weekend after finding that the notorious Clop ransomware group was exploiting the previously unknown vulnerability to carry out large-scale data theft campaigns targeting company executives.

Clop hackers exploit a zero-day vulnerability to target executives

Oracle patched a severe zero-day vulnerability in its E-Business Suite, tracked as CVE-2025-61882, because Clop hackers were actively exploiting the flaw to steal personal information about corporate leaders. The vulnerability can be exploited over a network without a username or password, which makes it especially dangerous for organizations that run Oracle's flagship business software.

The security advisory indicated that the hackers had already been compromising Oracle customers' systems, as it contained indicators of compromise to help customers find evidence of the intrusions. Thousands of organizations worldwide use Oracle E-Business Suite to run their businesses and to store customer data and employee human resources files, so breaches are of great concern to the affected businesses.

Mass exploitation campaign targets high-value executives

Charles Carmakal, the chief technology officer of Mandiant, the Google-based incident response team, confirmed that the vulnerability was being used in a mass exploitation campaign to steal data and extort victims. Much of the exploitation took place in August, after Oracle's July patch releases, showing that the hackers were still finding new attack vectors.

Scattered LAPSUS$ Hunters escalate Salesforce extortion tactics

A threat actor calling itself Scattered LAPSUS$ Hunters, supposedly made up of members of the notorious hacking communities Lapsus$, Scattered Spider, and ShinyHunters, has stated that it stole data from dozens of Salesforce customers. The group listed 39 companies on its Tor leak site, including well-known brands such as Adidas, Air France/KLM, Cisco, Disney, FedEx, Google, and Toyota.

According to the hackers, they have stolen roughly 1 billion records from the Salesforce instances of affected companies and are threatening to release the information unless the CRM provider pays a ransom. This is an unusual strategy in which the attackers are not merely blackmailing victim organizations, but also intimidating them into cooperating with the plaintiffs in pending lawsuits against Salesforce over the recent breaches.

A new form of extortion targets platform vendors directly

According to AppOmni co-founder Brian Soby, it is the first instance of a hacker threatening to join ongoing litigation against a heavily hacked platform vendor as part of an extortion effort. It is also evident that most organizations did not adopt the tools required to meet their obligations under shared responsibility, since the hackers may have used social engineering and stolen account credentials to compromise Salesforce instances.

Oracle reacts with emergency patches and customer advice

Oracle's revised security advisory reverses its original advisories, which said the extortion attack was linked to old vulnerabilities that it had previously fixed. The discovery of the new zero-day bug implies that hackers continued to exploit undiscovered weaknesses in Oracle E-Business software despite the July patches.

These advanced attacks show how threat actors are adapting their strategies and using their leverage to put pressure on both individual organizations and technology companies. To counter these growing extortion campaigns, companies need integrated security strategies that combine adequate access controls, workforce training, and incident response plans to protect operational security and meet their legal responsibilities.

© 2025 by Global Current News
