Sophisticated Malware Exploited in Oracle E-Business Suite Zero-Day Attacks

In early October 2025, cybersecurity experts from Google Threat Intelligence Group (GTIG) and Mandiant uncovered a series of sophisticated cyberattacks targeting Oracle E-Business Suite (EBS) users. These attacks involved the deployment of advanced malware and the exploitation of both known and previously undisclosed vulnerabilities within the EBS platform.

Discovery and Initial Findings

The campaign came to light when numerous executives received extortion emails claiming that sensitive data had been exfiltrated from their Oracle EBS instances. The attackers demanded ransom payments to prevent the public release of the stolen information. Initial analyses suggested that the cybercriminals exploited vulnerabilities patched by Oracle in July 2025. However, further investigation revealed the use of a zero-day vulnerability, designated as CVE-2025-61882, which had not been previously identified or patched.

Exploitation Timeline

CrowdStrike, a leading cybersecurity firm, reported that exploitation of CVE-2025-61882 began on August 9, 2025. GTIG and Mandiant’s research indicated suspicious activities as early as July 10, 2025, just before Oracle’s July patch release. While definitive proof is lacking, it’s plausible that these early activities were preliminary attempts to exploit EBS servers.

Attack Methodology

The attackers employed a multi-stage exploit chain to compromise Oracle EBS systems:

1. Malicious Template Creation: They inserted a malicious template into vulnerable Oracle EBS databases.

2. Payload Deployment: This template stored a payload that was activated in the final stage of the exploit chain.

3. Payload Variants: Two primary payloads were identified:

– GoRed: A downloader designed to fetch and execute additional malicious code.

– GoGreen: A backdoor providing persistent access to the compromised system.

Technical Analysis of the Malware

The sophistication of the malware used in these attacks is noteworthy:

– GoRed: This downloader is engineered to evade detection and ensure the seamless delivery of secondary payloads.

– GoGreen: The backdoor establishes a persistent foothold, allowing attackers to execute commands, exfiltrate data, and potentially deploy additional malware.

Both payloads exhibit advanced obfuscation techniques, complicating efforts to analyze and mitigate the threats.

Threat Actors Involved

The cybercriminal groups ShinyHunters and Scattered Spider, now operating under the moniker Scattered LAPSUS$ Hunters, have been linked to these attacks. They released a proof-of-concept (PoC) exploit targeting CVE-2025-61882. The relationship between these groups and the Cl0p ransomware gang, known for similar extortion campaigns, remains under investigation.

Implications for Organizations

The exploitation of Oracle EBS vulnerabilities underscores the critical need for organizations to:

– Regularly Update Systems: Ensure that all software, especially enterprise solutions like Oracle EBS, is updated promptly to incorporate the latest security patches.

– Monitor for Suspicious Activity: Implement robust monitoring to detect unauthorized access or anomalies indicative of a breach.

– Develop Incident Response Plans: Establish and regularly update incident response protocols to address potential breaches effectively.
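As an added illustration of the monitoring point above (this is example code written for this article, not Oracle's, GTIG's or Mandiant's), the script below scans web-tier access logs for two things a defender would look for after an advisory like this one: hits against a published indicator list, and non-browser clients issuing POST requests to the EBS web tier. The IoC IP, the log lines and the request path are all constructed placeholders; real indicators come from Oracle's advisory and should replace them.

```python
import re

# Constructed sample access log in Apache combined format. The addresses are
# from the documentation ranges (RFC 5737) and the request path is a placeholder;
# none of these values are real indicators from the Oracle advisory.
SAMPLE_LOG = """\
198.51.100.7 - - [11/Aug/2025:10:02:11 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Aug/2025:10:03:45 +0000] "POST /OA_HTML/placeholder-endpoint HTTP/1.1" 200 311 "-" "python-requests/2.31"
198.51.100.7 - - [11/Aug/2025:10:05:02 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.10 - - [11/Aug/2025:10:06:30 +0000] "POST /OA_HTML/placeholder-endpoint HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

# Placeholder indicator set; substitute the IoCs from the vendor advisory.
PLACEHOLDER_IOC_IPS = {"203.0.113.10"}

# Apache combined log format: ip ident user [timestamp] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry, ioc_ips):
    """Return the list of reasons an entry is suspicious (empty list means clean)."""
    reasons = []
    if entry["ip"] in ioc_ips:
        reasons.append("ioc_ip")
    # Interactive EBS users arrive through a browser; a scripted client POSTing
    # to the web tier is worth a second look even without a matching IoC.
    if entry["method"] == "POST" and not entry["ua"].startswith("Mozilla/"):
        reasons.append("non_browser_post")
    return reasons


def scan(log_text, ioc_ips):
    """Scan multi-line log text and return one finding per flagged line."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable lines are skipped, not silently trusted
        reasons = classify(entry, ioc_ips)
        if reasons:
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "path": entry["path"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, PLACEHOLDER_IOC_IPS):
        print(f"{f['ts']} {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
```

Both heuristics are deliberately simple: the indicator match is exact, and the user-agent check only separates scripted clients from browsers. In practice the indicator list would be loaded from the advisory rather than hard-coded, and the output fed into the incident response process described in the next point rather than printed.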

Oracle’s Response

In response to these attacks, Oracle has:

– Released Patches: Addressed the identified vulnerabilities, including CVE-2025-61882.

– Provided Indicators of Compromise (IoCs): Supplied IoCs to assist organizations in identifying potential breaches.

– Issued Security Advisories: Offered guidance on mitigating risks associated with these vulnerabilities.

Conclusion

The recent attacks on Oracle EBS highlight the evolving tactics of cybercriminals and the importance of proactive cybersecurity measures. Organizations must remain vigilant, ensuring that systems are up-to-date, monitoring for unusual activities, and preparing comprehensive incident response strategies to mitigate the impact of such sophisticated threats.