
Clop Ransomware Exploits Oracle EBS Zero-Day: Patch Released by Oracle

johny899

New Member
Content Writer
Messages
522
Reaction score
3
Points
23
Balance
$611.3USD
We often hear news about hackers discovering and exploiting new vulnerabilities around the world. Now Oracle has patched a critical zero-day vulnerability in its E-Business Suite (EBS) software that criminals were already using to steal data, and the group exploiting it is the Clop hack-and-ransom gang.

So, What Happened?

The bug was a zero-day, which means attackers found and used it before Oracle knew it existed. The vulnerability let attackers into a company's systems without any form of login, and an entry point with no login barrier is tantamount to leaving the front door wide open.

The vulnerability was part of the Concurrent Processing feature of EBS that several major enterprises use for their critical business processes. Clop hackers leveraged this vulnerability to steal data and threaten victims with a ransom.

Oracle has now issued an emergency fix for you to apply. The vulnerability affects EBS releases 12.2.3 through 12.2.14, and Oracle rated it 9.8 out of 10, meaning critical. If that doesn't raise some alarm bells, I'm not sure what will.

How the Flaw Was Leveraged by Clop

The Clop group is well known for mass-exploiting software bugs in widely used products. This time, they leveraged the Oracle zero-day to get into enterprise systems and extract sensitive information.

They even emailed company executives, claiming to have stolen proprietary documents and demanding ransom payments. The tricky part is that some of these emails came from real, compromised email accounts, which made them look quite legitimate.

Investigators are still assessing how much data was actually taken, but Clop apparently moved quickly to extract data before companies had time to apply the patch.

Why Is This Important

If your organization uses Oracle EBS, these events matter. EBS often stores financial data, employee records, inventory and supply chain data: in effect, the lifeblood of many organizations.

Because the flaw allowed remote access without a password, the attackers did not need to phish anyone. They could simply walk in and take data.

To make matters worse, a proof-of-concept exploit is already circulating on the web, which means other malicious actors could leverage it.

What You Need To Do Right Now

If you (or your organization) use Oracle EBS:

1. Deploy the new patch immediately.

2. Review the system logs for unusual activity.

3. Warn staff to be suspicious of unexpected emails, especially any that make extortion demands.

4. Review your patching schedule so that future patches are not delayed.
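As an added example (not part of the original post), here is a small Python triage helper that flags EBS hosts running an affected release (12.2.3 through 12.2.14, as stated above) that have not yet received the emergency patch. The inventory, the host names and the `emergency_patch_applied` field are constructed assumptions, not real data.

```python
from __future__ import annotations
from typing import NamedTuple

# Affected Oracle EBS releases as stated in the post: 12.2.3 through 12.2.14.
AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '12.2.10' into (12, 2, 10) so that 12.2.10 sorts after 12.2.9.

    A plain string comparison gets this wrong ('12.2.10' < '12.2.9'),
    which is a classic way for a vulnerable host to be missed during triage.
    """
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(version: str) -> bool:
    """True if the release falls inside the range named in the advisory."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


class Host(NamedTuple):
    name: str
    ebs_version: str
    emergency_patch_applied: bool  # hypothetical inventory field


def triage(hosts: list[Host]) -> list[str]:
    """Return the hosts that run an affected release and are still unpatched,
    i.e. the systems to patch (and review logs on) first."""
    return [h.name for h in hosts
            if is_affected(h.ebs_version) and not h.emergency_patch_applied]


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    Host("ebs-prod-01", "12.2.10", False),  # affected, unpatched
    Host("ebs-prod-02", "12.2.14", True),   # affected, already patched
    Host("ebs-test-01", "12.2.2", False),   # below the affected range
    Host("ebs-dev-01", "12.2.9", False),    # affected, unpatched
    Host("ebs-old-01", "12.1.3", False),    # different release line
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print("PATCH FIRST:", name)
```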

Closing Thoughts

This shows how fast threat actors move. The Clop gang has repeatedly shown it can go after prominent companies like Oracle. Patch first and ask questions later.

If you rely on Oracle EBS, don't wait. The longer that door stays open, the easier it is for someone to walk in.