Google security researchers say hackers who targeted executives with extortion emails stole data from “dozens of organizations,” one of the first signs that the hacking campaign could be widespread.
The tech giant said in a statement shared with TechCrunch on Thursday that the Clop extortion group exploited multiple security vulnerabilities in Oracle's E-Business Suite software and stole large amounts of data from affected organizations.
Oracle's E-Business software allows businesses to perform tasks such as storing customer data and employee personnel files.
Google said in a corresponding blog post that the hacking activity targeting Oracle customers dates back to at least July 10, about three months before the hack was first discovered.
Oracle acknowledged earlier this week that hackers behind extortion campaigns are still exploiting its software to steal personal information about executives and their companies. Days earlier, Rob Duhart, Oracle's chief security officer, had suggested in a since-deleted post that the extortion campaign was related to a previously identified vulnerability that Oracle patched in July, implying that the hack was over.
But in a security advisory released over the weekend, Oracle said the zero-day bug (so called because hackers were already exploiting it before Oracle had any time to fix it) “could be exploited over the network without requiring a username and password.”
The Russia-linked Clop ransomware and extortion gang has become famous in recent years for large-scale hacking campaigns that exploit vulnerabilities the software vendors did not know about at the time, in order to steal large amounts of corporate and customer data. Past campaigns have targeted managed file transfer tools such as Cleo Software, MOVEit, and GoAnywhere, which companies use to send sensitive corporate data over the Internet.
Google's blog post includes email addresses and other technical details that network defenders can use to look for extortion emails and other signs that Oracle systems may have been compromised.