Cl0p-linked threat actors target Oracle E-Business Suite in extortion campaign


Execs: Don’t ‘engage rashly’: There are no common vulnerabilities and exposures (CVEs) for this attack; the issue “stems from configuration and default business logic abuse rather than a specific vulnerability,” according to Halcyon.

The firm advises organizations to check if EBS portals are publicly accessible (via /OA_HTML/AppsLocalLogin.jsp#) and if so, immediately restrict exposure. It is also critical to enforce MFA for all accounts; remove or “tightly control” internet access to EBS via hardened reverse proxies that bounce traffic; disable or secure password reset abilities and require secondary verification; monitor for anomalous logins and reset attempts; and deploy anti-ransomware tools.

As a standard practice, organizations should train users, especially executive staff, on threat actor tactics, so they are naturally wary of emails, texts, or voice calls that “play on fear, urgency, or claim knowledge of systems by name,” Info-Tech’s Avakian advised. Executives in particular should not “engage rashly” when receiving a threatening message.

In addition, security teams should investigate, validate, and look for any evidence of successful exfiltration. This can include examining logs and looking for unusual queries or large amounts of data being exported.

“This type of attack provides an opportunity for organizations to tighten monitoring and employ zero-trust principles across the protected surface, such as mission-critical applications, particularly around the Oracle EBS,” he advised.
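As an added, defender-side illustration of the exposure check and login monitoring Halcyon recommends (not code from the article, Halcyon, or Oracle), the script below reviews constructed reverse-proxy access-log lines for the EBS login page: it reports outside source addresses that reached the page (evidence the portal is internet-facing) and bursts of rejected login POSTs from one source. The log format, the internal address ranges, and the use of HTTP 401 to mark a rejected login are assumptions of the sample, not documented EBS behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Login page named in the advisory; the reverse proxy in front of EBS logs requests to it.
EBS_LOGIN_PATH = "/OA_HTML/AppsLocalLogin.jsp"
# Assumption: ranges from which EBS access is expected (VPN/corporate); edit for your estate.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample in a common combined-log layout (not a real EBS or proxy capture).
SAMPLE_LOG = [
    '10.1.2.3 - - [06/Oct/2025:09:58:10 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4120',
    '198.51.100.9 - - [06/Oct/2025:09:59:02 +0000] "GET /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 200 4120',
    '10.1.2.3 - - [06/Oct/2025:09:59:30 +0000] "GET / HTTP/1.1" 302 0',
] + [
    f'203.0.113.7 - - [06/Oct/2025:10:00:{s:02d} +0000] "POST /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 401 512'
    for s in (1, 4, 9, 15, 22, 31)
] + [
    '10.1.2.3 - - [06/Oct/2025:10:01:00 +0000] "POST /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 401 512',
    '10.1.2.3 - - [06/Oct/2025:10:01:20 +0000] "POST /OA_HTML/AppsLocalLogin.jsp HTTP/1.1" 401 512',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    """Split one combined-format line into its fields; None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": src, "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
            "method": method, "path": path, "status": int(status)}

def review_proxy_log(lines, window=timedelta(minutes=5), threshold=5):
    """Return (external sources that reached the login page, {source: max rejected logins in window})."""
    exposed, attempts = set(), defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"] != EBS_LOGIN_PATH:
            continue
        if not any(ip_address(rec["src"]) in net for net in INTERNAL_NETS):
            exposed.add(rec["src"])  # the login page answered a request from outside the estate
        if rec["method"] == "POST" and rec["status"] == 401:
            attempts[rec["src"]].append(rec["ts"])
    bursts = {}
    for src, times in attempts.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each attempt
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[src] = max(bursts.get(src, 0), n)
    return sorted(exposed), bursts

if __name__ == "__main__":
    print(review_proxy_log(SAMPLE_LOG))
```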

Threat actors changing tactics: Cl0p emerged in February 2019, according to Halcyon, quickly establishing itself as a prolific, financially successful ransomware operation. The group has generated more than $500 million in extorted payments and compromised more than 11,000 organizations worldwide.

The group’s modus operandi is to infiltrate corporate networks, steal data, and deploy ransomware to encrypt it. One of its most notable acts was its exploitation of the MOVEit zero-day vulnerability in 2023.

This latest attack sheds light on a possible shift to extortion without ransomware, said Avakian, while also pointing out that hackers “can and often do” change their tactics at any time.

This campaign also reveals a key pattern in which hackers are directly targeting leadership, as well as very specific products or applications, to create maximum pressure. “Even if the attackers don’t have the data they are claiming to have, they’re still exploiting fear and urgency to pressure leadership,” said Avakian.

Oracle missteps may have led to this: This case is “fascinating” from a PR angle, according to David Shipley of Beauceron Security; many concerns were raised earlier this year when news broke of data breaches on Oracle Health. The company was accused in a lawsuit of covering up the attack, prompting it to inform customers of potential compromise of usernames, passkeys, and encrypted passwords.

This poor communication has created a “massive amount of uncertainty, fear, and doubt” that has led to a “toxic hangover,” said Shipley. “They’ve clouded the waters so badly with their communications that people don’t know what to believe,” he said. That provides a “huge opportunity” for threat actors, because so much distrust may prompt organizations to assume a breach is real and give in to extortion demands.

Ultimately, this should serve as a case study illustrating how important it is for companies to have a clear communications plan and share information as quickly and accurately as possible when breached, Shipley noted. “This is more about PR and crisis communications and a little bit about criminal branding and reputation all mixed together,” he said.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4067501/cl0p-linked-threat-actors-target-oracle-e-business-suite-in-extortion-campaign.html
