
Security Alert: Cl0p Abuses Oracle E-Business Suite for Account Takeover

Overview Summary

New evidence now indicates Cl0p likely used a newly-identified zero-day (CVE-2025-61882) and additional Oracle vulnerabilities to exploit internet-facing Oracle E-Business Suite (EBS) environments, successfully stealing data as early as August 2025.

Halcyon previously identified that data stolen by Cl0p likely derived from internet-exposed EBS webpages, but now assesses the actors exploited vulnerabilities in these internet-exposed environments rather than a password reset vulnerability. Oracle has provided patches and indicators of compromise (IOCs) for the zero-day, an unauthenticated remote code execution vulnerability impacting EBS versions 12.2.3–12.2.14.

Targets

Internet-facing EBS portals. Environments not exposed to the internet remain unaffected.

Technical Note

This newly-identified vulnerability allows unauthenticated attackers to execute code remotely over HTTP without user interaction.

CVEs

CVE-2025-61882 (critical unauthenticated RCE) is being actively exploited. Additional vulnerabilities leveraged may include CVEs listed in Oracle's July 2025 Critical Patch Update.

Mitigation

  • Patch vulnerabilities associated with this campaign by:
    1. Confirming installation of the October 2023 Critical Patch Update prerequisite
    2. Installing patches for vulnerabilities issued in July 2025
    3. Installing the patch for CVE-2025-61882
  • Restrict or remove internet exposure of EBS portals by:
    1. Checking if EBS portals are publicly accessible via https://<IP or FQDN of EBS app server>/OA_HTML/AppsLocalLogin.jsp [M1030]
    2. If exposed, placing EBS behind a hardened reverse proxy and restricting access by source networks [M1037]
    3. If exposed, disabling or securing the password reset function to require secondary verification [M1054]
  • Conduct other mitigation best practices, including:
    • Monitoring for anomalous logins, resets, and configuration changes [M1047]
    • Hardening email security to reduce risk of mailbox compromise [M1021]
    • Enforcing multi-factor authentication (MFA) for all accounts, including local EBS logins [M1032]
    • Deploying a dedicated anti-ransomware solution to block malicious binaries pre-execution [M1038], detect runtime behavior [M1040], protect network paths needed for agent management [M1031], and harden tested backups [M1053]
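As an added example that is not part of the Halcyon alert, the following Python script performs the exposure check from the second mitigation bullet: it builds the AppsLocalLogin.jsp URL for each EBS app server and classifies the HTTP response. The hostnames are constructed placeholders, and the fetch function is injectable so the classification logic can be exercised without network access.

```python
"""Exposure check for Oracle EBS login pages (added example, not Halcyon code)."""
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Login page path named in the alert's mitigation guidance.
EBS_LOGIN_PATH = "/OA_HTML/AppsLocalLogin.jsp"


def ebs_login_url(host: str, scheme: str = "https") -> str:
    """Build the login URL for an EBS app server given its IP or FQDN."""
    return f"{scheme}://{host}{EBS_LOGIN_PATH}"


def http_fetch(url: str, timeout: float = 10.0):
    """Return (status_code, body_snippet); status_code is None if no HTTP answer.
    Run from an external vantage point so the result reflects real exposure."""
    req = Request(url, headers={"User-Agent": "ebs-exposure-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(2048).decode("utf-8", "replace")
    except HTTPError as err:        # server answered with 4xx/5xx
        return err.code, ""
    except (URLError, OSError):     # DNS failure, connection refused, timeout
        return None, ""


def classify_exposure(host: str, fetch=http_fetch) -> str:
    """Classify one app server:
    'exposed'     login page served (HTTP 200): proxy/network restriction needed
    'restricted'  reachable but access denied (401/403): access control in front
    'no-page'     reachable but page absent or erroring (other 4xx/5xx)
    'unreachable' no HTTP response at all
    """
    status, _body = fetch(ebs_login_url(host))
    if status is None:
        return "unreachable"
    if status == 200:
        return "exposed"
    if status in (401, 403):
        return "restricted"
    return "no-page"


def audit(hosts, fetch=http_fetch) -> dict:
    """Classify every host; act on the 'exposed' entries first."""
    return {host: classify_exposure(host, fetch) for host in hosts}


if __name__ == "__main__":
    # Constructed placeholder hostnames, not real systems.
    for host, verdict in audit(["ebs.example.internal", "ebs.example.com"]).items():
        print(f"{host}: {verdict}")
```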

References

  • Oracle Security Alert for CVE-2025-61882
  • Halcyon Threat Actor Profile: Cl0p Ransomware

Source Summary

This Alert is based on Halcyon observations, open-source information, and ongoing research. Findings reflect our current understanding of threat actor activity and may be updated as new evidence emerges.

The Ransomware-as-a-Service (RaaS) Economy

The rise of Ransomware as a Service (RaaS) gangs mimics the more conventional Software as a Service business model in every meaningful measure. The ransomware economy involves multiple players who specialize in various aspects of the larger ransomware attack. These elements include:

Initial Access Brokers

Initial Access Brokers (IABs) are highly skilled specialists who are exceptionally good at penetrating and establishing a foothold within secure networks. IABs often sell access to these compromised networks to other threat actors, including ransomware affiliates. The deeper an IAB can penetrate a network, the more valuable their services become. Purchasing credentials and access is surprisingly easy and relatively inexpensive.

RaaS Platform Providers

Ransomware-as-a-Service (RaaS) operators provide the software platform and backend to launch attacks. They have development teams constantly improving their feature sets, they assist in negotiations during a successful attack, they manage customer service agents, they market to new affiliates, and more, all for a slice of the profits.

RaaS Affiliates

The actual ransomware attack is managed and executed by an affiliate: a person or group who plans and carries out the attack campaign. They obtain access via an IAB (or create their own), use a platform or toolkit from a RaaS operator, execute the attack, and then move the ransom dollars around to stay below the radar.

Command and Control Providers (C2Ps)*

C2Ps are legitimate ISPs that lease attack infrastructure to threat actors while turning a blind eye to abuse by hiding behind privacy policies. *These "C2Ps" are a net-new facet of the RaaS economy and were first discovered and reported on in the Halcyon Research report "Cloudzy with a Chance of Ransomware".

The overall maturity, level of organization, and specialization within the ransomware economy means we are dealing with an adversary whose tactics, techniques, and procedures (TTPs) are approaching the sophistication of some nation-state-sponsored attackers. In many cases, there has been documented overlap between nation-state attack elements and those of cybercriminal ransomware gangs. Today's ransomware attacks are more complex and difficult to defend against than ever before.
