Google security researchers say hackers targeting company executives with extortion emails stole data from “dozens of organizations,” one of the first signs that the hacking campaign could be large-scale.
The tech giant said in a statement shared with TechCrunch on Thursday that the Clop extortion gang exploited several security vulnerabilities in Oracle’s E-Business Suite software to steal significant amounts of data from affected organizations.
Oracle’s E-Business software helps businesses manage their operations, such as storing their customer data and employee human resources records.
Google said in a corresponding blog post that the hacking campaign targeting Oracle customers dates back to at least July 10, about three months before the hacks were first detected.
Oracle acknowledged earlier this week that the hackers behind the extortion campaign were continuing to abuse its software to steal personal information about company executives and their companies. Days earlier, Oracle security chief Rob Duhart had claimed in the same post (since deleted) that the extortion campaign was linked to previously identified vulnerabilities that Oracle patched in July, suggesting the hacks were over.
But in a security advisory released over the weekend, Oracle said the zero-day bug (so named because hackers were already exploiting it before Oracle had a chance to patch it) could be “exploited over a network without the need for a username and password.”
The Russia-linked ransomware and extortion group Clop has made a name for itself in recent years with its massive hacking campaigns, which often exploit zero-day vulnerabilities (flaws unknown to the software vendor at the time they are exploited) to steal large amounts of corporate and customer data. Past targets include managed file transfer tools, such as Cleo Software, MOVEit, and GoAnywhere, that businesses use to send sensitive corporate data over the Internet.
Google’s blog post includes email addresses and other technical details that network defenders can use to search for extortion emails and other indications that their Oracle systems may have been compromised.
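To show how a defender might put such sender indicators to use, here is an added example (not code from Google, Oracle, or TechCrunch) that scans mail-gateway log lines for messages from indicator addresses or domains. The indicator values and the log lines are constructed placeholders; a real check would load the addresses published in the vendor's blog post instead.

```python
"""Match inbound mail log entries against a list of sender indicators.

Added example. The indicator addresses, the domain list and the log lines
below are constructed placeholders, not the indicators from Google's post.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


def normalize_address(addr: str) -> str:
    """Lower-case and trim an address so comparisons are case-insensitive."""
    return addr.strip().lower()


# Placeholder indicator list (constructed); replace with the published addresses.
IOC_SENDERS = {normalize_address(a) for a in (
    "Extortion-Sender@example.com",   # placeholder, constructed
    "clop-contact@example.net",       # placeholder, constructed
)}
# Placeholder sender domains (constructed); subdomains are matched as well.
IOC_SENDER_DOMAINS = {"example.org"}

# Constructed sample log lines in a simple "timestamp from to subject" format.
SAMPLE_LOG = """\
2025-10-02T08:14:03Z from=<Extortion-Sender@Example.com> to=<ceo@corp.test> subject="Your data has been taken"
2025-10-02T08:15:10Z from=<newsletter@vendor.test> to=<ceo@corp.test> subject="October product updates"
2025-10-02T09:01:44Z from=<ops@ext.example.org> to=<cfo@corp.test> subject="Re: payment"
2025-10-02T09:30:00Z from=<bob@corp.test> to=<cfo@corp.test> subject="lunch?"
this line is malformed and should be skipped
"""

LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)> subject="(?P<subj>[^"]*)"$'
)


@dataclass
class Hit:
    timestamp: str
    sender: str
    recipient: str
    subject: str
    reason: str


def match_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line's sender matches an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable lines are ignored rather than raising
    sender = normalize_address(m["from"])
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    if sender in IOC_SENDERS:
        reason = "sender address in indicator list"
    elif any(domain == d or domain.endswith("." + d) for d in IOC_SENDER_DOMAINS):
        reason = "sender domain in indicator list"
    else:
        return None
    return Hit(m["ts"], sender, normalize_address(m["to"]), m["subj"], reason)


def scan_log(text: str) -> List[Hit]:
    """Scan a whole log and return every matching entry in order."""
    return [h for h in (match_line(l) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.timestamp} {hit.sender} -> {hit.recipient}: {hit.reason}")
```

Matching on the normalized address and on the domain (including subdomains) catches case variations and per-campaign mailbox changes that an exact string search would miss; the matched recipients are the executives whose mailboxes warrant follow-up.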