By Spinnaker Support | October 03, 2025

A new wave of cyber extortion is targeting executives at large organizations, with attackers claiming to have stolen sensitive data from Oracle E-Business Suite applications. As of October 2, 2025, there have been no publicly reported breaches. Oracle is still investigating these claims and recommends applying the latest Oracle E-Business Suite Critical Patch Update security patches, as detailed in its blog post at https://blogs.oracle.com/security/post/apply-july-2025-cpu.

The most recent reports highlight a sophisticated blend of tactics: hijacked legitimate accounts are being used to deliver extortion emails, while the well-known CL0P ransomware “brand” is leveraged to add credibility and pressure. What stands out in this campaign is not the technical approach, but the psychological impact. Even when attribution is unclear, the pressure on executives is real—and that alone can create costly distractions and operational risk.

Extortion Campaigns: Credibility Over Technical Prowess

It’s important to remember that extortion campaigns don’t necessarily need a technical component to be effective. Attackers rely on credibility in the eyes of their targets. A convincing email, a familiar brand, or a hijacked legitimate account can be enough to trigger panic or rash decisions at the executive level.

Spinnaker Support suggests two areas of focus for responding to extortion campaigns aimed at Oracle E-Business Suite.

Focus on Critical Controls: Prioritizing Detection, Response, and Resilience

1. Formulate and Act on Priority Intelligence Requirements (PIRs):

To counter these threats, organizations should immediately formulate Priority Intelligence Requirements (PIRs) and focus on the most likely attack vectors. Concrete questions like the ones listed below, each paired with an action, keep that effort focused:

  • Have any executives received emails from [email protected] or [email protected] addresses in the last week?
    Review email logs and alert executives to be vigilant for messages from these addresses, which have been linked to the current campaign.
  • Is there any evidence of anomalous access patterns or failed logins targeting the Oracle E-Business Suite environment?
    Analyze authentication logs for unusual activity, such as repeated failed login attempts, logins from unexpected locations, or access outside of normal business hours.
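The second PIR above is the kind of question an analyst answers with a small hunt over sign-on telemetry. The following Python is an added example, not Spinnaker Support's or Oracle's code: it parses a constructed, simplified sign-on export (the `ts user= src= result=` layout, the internal address ranges, the business-hours window and the five-failure threshold are all assumptions for the example, not Oracle's log format) and flags repeated failures, a success that follows a burst of failures, logins from outside the corporate ranges, and logins outside business hours.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample sign-on events for this example. The "ts user= src= result=" layout
# is an assumed export format, not Oracle's own; adapt LINE_RE to the real source you use
# (FND_LOGINS / FND_UNSUCCESSFUL_LOGINS exports, web tier access logs, or SSO logs).
SAMPLE_LOG = """\
2025-10-01T09:12:04Z user=jdoe src=10.20.30.41 result=SUCCESS
2025-10-01T09:15:33Z user=asmith src=10.20.30.77 result=SUCCESS
2025-10-01T23:41:10Z user=sysadmin src=203.0.113.9 result=FAILURE
2025-10-01T23:41:15Z user=sysadmin src=203.0.113.9 result=FAILURE
2025-10-01T23:41:21Z user=sysadmin src=203.0.113.9 result=FAILURE
2025-10-01T23:41:27Z user=sysadmin src=203.0.113.9 result=FAILURE
2025-10-01T23:41:33Z user=sysadmin src=203.0.113.9 result=FAILURE
2025-10-01T23:42:02Z user=sysadmin src=203.0.113.9 result=SUCCESS
2025-10-02T03:05:48Z user=jdoe src=198.51.100.23 result=SUCCESS
2025-10-02T10:02:11Z user=asmith src=10.20.30.77 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Assumed environment facts for the example: corporate address ranges, business hours (UTC),
# and how many failures from one source count as a burst.
INTERNAL_PREFIXES = ("10.", "192.168.")
BUSINESS_HOURS = range(7, 20)      # 07:00-19:59 UTC
FAILED_THRESHOLD = 5


def parse_log(text):
    """Turn raw lines into event dicts, silently skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "result": m["result"],
        })
    return events


def hunt(events):
    """Return (signal, user, src, detail) tuples worth an analyst's attention."""
    findings = []
    failures = Counter()            # (user, src) -> failed attempts seen so far
    for e in sorted(events, key=lambda x: x["ts"]):
        key = (e["user"], e["src"])
        when = e["ts"].isoformat()
        if e["result"] == "FAILURE":
            failures[key] += 1
            continue
        # Successful login: check its source, time of day, and whether it followed a burst.
        if not e["src"].startswith(INTERNAL_PREFIXES):
            findings.append(("external_source", e["user"], e["src"], when))
        if e["ts"].hour not in BUSINESS_HOURS:
            findings.append(("off_hours", e["user"], e["src"], when))
        if failures[key] >= FAILED_THRESHOLD:
            findings.append(("failures_then_success", e["user"], e["src"],
                             f"{failures[key]} failures before {when}"))
    for (user, src), n in failures.items():
        if n >= FAILED_THRESHOLD:
            findings.append(("failed_burst", user, src, f"{n} failures"))
    return findings


def hunt_text(text=SAMPLE_LOG):
    return hunt(parse_log(text))


if __name__ == "__main__":
    for finding in hunt_text():
        print(*finding)
```

The `failures_then_success` signal is the one to triage first: a burst of failures that ends in a success from the same external source at 23:42 is exactly the pattern a credential-guessing or credential-stuffing attempt leaves behind, while the off-hours and external-source hits on their own are lower-confidence and need to be checked against travel and VPN records.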

2. Monitor for Lateral Movement and Orphaned Credentials

The weak link is often not the Oracle suite itself, but forgotten or orphaned accounts that attackers can exploit. Regularly audit user accounts, especially those with elevated privileges or that have not been used recently. Monitor for lateral movement within your environment, as attackers may use compromised accounts to escalate privileges or access sensitive data.

3. Raise Executive Awareness

Brief executives and key staff about the campaign. Emphasize the importance of reporting any suspicious emails, especially those referencing Oracle E-Business Suite or threatening to leak sensitive data.

4. Review and Update Incident Response Plans

Ensure your incident response plan includes clear procedures for handling extortion attempts, including internal reporting, legal considerations, and communication strategies.

5. Strengthen Email Security Controls

Review email filtering and anti-phishing protections. Implement DMARC, DKIM, and SPF to reduce the risk of email spoofing and improve detection of malicious messages. However, remember the caveat: if the sender’s account is truly compromised, SPF/DKIM/DMARC can all pass.

  • Enforce DMARC with appropriate policy.
  • Review VIP/exec bypass rules and remove risky exceptions.
  • Add content and header rules for “pubstorm” and EBS-leak language.
  • Monitor abnormal send patterns from newly seen sender domains.
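The caveat above is worth seeing in code: when the sending mailbox itself is compromised, SPF, DKIM and DMARC all pass, so the content and header rules in this list have to fire independently of authentication results. The following Python is an added example, not Spinnaker Support's code or any vendor's mail filter: it parses a message, reads the `Authentication-Results` header, applies simple content rules for "pubstorm" and EBS-leak language, and checks the sender domain against an assumed allow-list of familiar domains. The three sample messages, the domain names and the rule wording are constructed for the example and are not indicators from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains the organisation routinely corresponds with (constructed).
KNOWN_SENDER_DOMAINS = {"partner.example", "corp.example"}

AUTH_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)\b", re.I
)

# Content and header rules. The wording is generic extortion-theme language chosen for the
# example, not text from real campaign messages.
EBS_RE = re.compile(r"\b(e-?business suite|ebs)\b", re.I)
LEAK_RE = re.compile(r"\b(stolen|stole|leak\w*|exfiltrat\w*|publish\w*|dump\w*)\b", re.I)
PUBSTORM_RE = re.compile(r"pubstorm", re.I)
PRESSURE_RE = re.compile(r"\b(bitcoin|btc|deadline|ransom|pay(ment)?)\b", re.I)
CONTENT_FLAGS = ("ebs_leak_language", "pubstorm_keyword", "payment_pressure")

# Constructed sample messages.
MSG_COMPROMISED_ACCOUNT = """\
From: "Alex Partner" <alex@partner.example>
To: ceo@corp.example
Subject: Your Oracle E-Business Suite data
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
Content-Type: text/plain; charset=utf-8

We have stolen documents from your E-Business Suite environment.
You have 72 hours before the deadline. Contact us to arrange payment.
"""

MSG_ROUTINE = """\
From: ops@corp.example
To: ceo@corp.example
Subject: Weekend patch window
Authentication-Results: mx.corp.example; spf=pass; dkim=pass; dmarc=pass
Content-Type: text/plain; charset=utf-8

The quarterly Critical Patch Update will be applied on Saturday night.
No action is needed from you.
"""

MSG_NEW_DOMAIN = """\
From: billing@newly-seen.example
To: cfo@corp.example
Subject: Invoice 4471
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=newly-seen.example; dkim=none; dmarc=fail header.from=newly-seen.example
Content-Type: text/plain; charset=utf-8

Please find the invoice attached and confirm receipt.
"""


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from every Authentication-Results header."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(hdr):
            verdicts[mech.lower()] = verdict.lower()
    return verdicts


def message_text(msg):
    """Subject plus plain-text body, the surface the content rules look at."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    else:
        parts.append(msg.get_payload())
    return "\n".join(parts)


def triage(raw, known_domains=KNOWN_SENDER_DOMAINS):
    """Classify one raw RFC 822 message; content rules fire even when authentication passes."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    auth_passed = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
    text = message_text(msg)

    flags = []
    if not auth_passed:
        flags.append("auth_failed")
    if domain not in known_domains:
        flags.append("new_sender_domain")
    if EBS_RE.search(text) and LEAK_RE.search(text):
        flags.append("ebs_leak_language")
    if PUBSTORM_RE.search(text):
        flags.append("pubstorm_keyword")
    if PRESSURE_RE.search(text):
        flags.append("payment_pressure")

    content_hit = any(f in flags for f in CONTENT_FLAGS)
    # A compromised mailbox passes all three checks, so content alone is enough to hold.
    if content_hit or ("auth_failed" in flags and "new_sender_domain" in flags):
        verdict = "hold_for_soc"
    else:
        verdict = "deliver"
    return {"from_domain": domain, "auth_passed": auth_passed, "flags": flags, "verdict": verdict}
```

The first sample message is the instructive one: it comes from a known partner domain with SPF, DKIM and DMARC all passing, and it is still held because the EBS-leak and payment-pressure rules match. The exec bypass rules mentioned above are dangerous for exactly this reason: an allow-list keyed only on sender or authentication result would have delivered it straight to the executive's inbox.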

6. Stay Informed

Monitor advisories from Oracle, Google Threat Intelligence Group, and other reputable sources for updates on the campaign and related indicators of compromise. Incorporate new IoCs into your hunts as they emerge.

7. Do Not Engage or Pay

Do not respond or pay. Preserve evidence, route to Security and Legal, and follow the IR playbook. Do not move conversations to personal accounts or alternative channels.

8. Address Legal and Regulatory Requirements

Consult Legal early to determine notification triggers, even if no intrusion is confirmed. Align on what constitutes sufficient evidence to move from “extortion claim” to “possible breach.”

Focus on Oracle E-Business Suite Cyber Security Hygiene

Given the specific targeting of Oracle E-Business Suite environments, administrators should take the following technical steps to reduce risk and improve detection:

EBS Exposure & Authentication Hardening

  • Enable HTTPS on the web tier to ensure encrypted communications.
  • Evaluate moving to SSO-only authentication for regular users, with hashed FND passwords, to reduce credential theft risk.
  • Reduce the default 90-minute session window if feasible, to limit the window for session replay attacks from compromised endpoints.
  • Ensure that WebADI servlets are not exposed externally.

Outbound & Lateral-Movement Controls

  • Replace the wildcard XML DB network ACL so the APPS user cannot call “any host.” Instead, enforce an approved host list for SQL*Net at the application layer. This closes common exfiltration paths used in data theft and ransom-note scenarios.

Privilege and Role Hygiene

  • Remove PUBLIC/“ANY” and unnecessary catalog access.
  • Review and restrict broad System Administrator/Application Developer responsibilities.
  • Disable or remove unused accounts and enforce strong password policies.
  • Fix default accounts (FND and DB) and move risky users off DEFAULT profiles. These steps reduce the blast radius if a single set of credentials is compromised.
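The orphaned-credential audit from the "Monitor for Lateral Movement and Orphaned Credentials" section and the account hygiene items above come down to a handful of rules run over an account inventory. The following Python is an added example, not Spinnaker Support's or Oracle's tooling: it audits a constructed list of application users (shaped loosely after an FND_USER export joined with each user's responsibilities) and a constructed list of database accounts, flagging dormant users, dormant users that hold System Administrator or Application Developer, vendor-seeded accounts that are still open, and database accounts left on the DEFAULT profile. The user names, dates, the 90-day dormancy threshold and the `*_PLACEHOLDER` names standing in for seeded accounts are all assumptions for the example.

```python
from datetime import date, timedelta

# Constructed application-user inventory. Field names mimic an FND_USER export
# (LAST_LOGON_DATE, END_DATE) plus the responsibilities assigned to each user; the
# values are invented and SEEDED_PLACEHOLDER stands in for a vendor-seeded account.
SAMPLE_APP_USERS = [
    {"user": "jdoe", "last_logon": date(2025, 9, 30), "end_date": None,
     "responsibilities": ["Receivables Manager"], "seeded": False},
    {"user": "oldadmin", "last_logon": date(2025, 3, 1), "end_date": None,
     "responsibilities": ["System Administrator"], "seeded": False},
    {"user": "SEEDED_PLACEHOLDER", "last_logon": None, "end_date": None,
     "responsibilities": ["Application Developer"], "seeded": True},
    {"user": "contractor7", "last_logon": date(2025, 5, 12), "end_date": date(2025, 6, 30),
     "responsibilities": ["System Administrator"], "seeded": False},
]

# Constructed database-account inventory (think DBA_USERS: username, profile, status).
SAMPLE_DB_ACCOUNTS = [
    {"user": "APPS", "profile": "DEFAULT", "status": "OPEN", "seeded": False},
    {"user": "DEMO_PLACEHOLDER", "profile": "DEFAULT", "status": "OPEN", "seeded": True},
    {"user": "XXCUSTOM", "profile": "APP_PROFILE", "status": "OPEN", "seeded": False},
    {"user": "OLD_PLACEHOLDER", "profile": "DEFAULT", "status": "LOCKED", "seeded": True},
]

AS_OF = date(2025, 10, 2)
DORMANT_DAYS = 90                       # assumed policy threshold for the example
PRIVILEGED = {"System Administrator", "Application Developer"}


def audit_app_users(accounts, as_of=AS_OF, dormant_days=DORMANT_DAYS):
    """Map user name -> hygiene issues. End-dated accounts are already closed and are skipped."""
    issues = {}
    cutoff = as_of - timedelta(days=dormant_days)
    for a in accounts:
        if a["end_date"] is not None and a["end_date"] <= as_of:
            continue
        found = []
        # A user who has never logged on counts as dormant: the account exists but nobody uses it.
        dormant = a["last_logon"] is None or a["last_logon"] < cutoff
        privileged = bool(PRIVILEGED & set(a["responsibilities"]))
        if dormant:
            found.append("dormant")
        if dormant and privileged:
            found.append("dormant_privileged")
        if a["seeded"]:
            found.append("seeded_account_active")
        if found:
            issues[a["user"]] = found
    return issues


def audit_db_accounts(accounts):
    """Map database user -> issues for open accounts on DEFAULT profile or still-open seeded accounts."""
    issues = {}
    for a in accounts:
        if a["status"] != "OPEN":
            continue
        found = []
        if a["profile"] == "DEFAULT":
            found.append("default_profile")
        if a["seeded"]:
            found.append("seeded_account_open")
        if found:
            issues[a["user"]] = found
    return issues


if __name__ == "__main__":
    for name, found in audit_app_users(SAMPLE_APP_USERS).items():
        print("app user", name, found)
    for name, found in audit_db_accounts(SAMPLE_DB_ACCOUNTS).items():
        print("db account", name, found)
```

The `dormant_privileged` bucket is where the blast-radius reduction the text describes actually happens: a forgotten System Administrator account that nobody has used since March is the credential an attacker would most like to find, and end-dating it costs nothing operationally.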

Monitoring That Actually Runs

  • Schedule EBS sign-on audit programs and establish a minimal audit baseline (traditional database auditing now; plan for unified auditing later).
  • Alert on privilege changes, grants/revokes, synonyms/procedures/triggers, and DB links.
    This provides early-signal telemetry for ransomware tactics, techniques, and procedures (TTPs).

Recovery Assurance

  • Validate that EBS/DB backups are recent, immutable, and restorable.
  • Run a short restore drill to ensure recovery processes are effective. Ransomware risk is as much about “how fast can we get back” as it is about “how do we stop it.” This should be a regular, witnessed exercise—not just a checkbox.

Conclusion

Ultimately, the greatest danger in these campaigns lies not only in technical vulnerabilities, but in the convincing narratives attackers craft and the intense pressure they place on executives. By prioritizing strong E-Business Suite security hygiene, staying alert to actionable intelligence, actively monitoring for lateral movement and unused credentials, and keeping executives informed, organizations can significantly lower their risk of being sidetracked or compromised by these costly extortion attempts.
