Cl0p has launched a new large-scale extortion campaign, sending emails from compromised accounts that reference Oracle E-Business Suite data-theft claims. Cl0p is known for long quiet periods followed by industry-wide exploitation of file transfer flaws, most notably Accellion FTA, GoAnywhere MFT, MOVEit Transfer, and Cleo. In this campaign, organizations are receiving emails from “pubstorm” addresses claiming data theft and demanding response. At this time, the activity appears to be extortion-only — no file encryption has been observed.  

The MOXFIVE team is closely tracking this campaign and can provide support with forensic investigation and containment, negotiation, and data mining if your environment or vendors show signs of impact. We are already engaged on active cases supporting these workstreams.
‍
Key Points:

• ‍Attack vector: Not yet confirmed, but there appears to be connections related to Oracle E-Business Suite (EBS); review EBS file import/export paths, integration middleware, and attachment storage for signs of exfiltration.
• ‍Threat behavior: Campaign is focused on data theft and extortion with ransom demands often reduced by half during negotiation.
• ‍Risk exposure: Stolen data is typically leveraged for public release and reputational pressure. Even if your organization is not directly targeted, third-party vendors may be impacted.

Recommended Actions:

• Preserve any suspicious pubstorm emails received and share them with your security team.
• ‍Review Oracle EBS environments: Audit access logs, recent changes, and password resets for internet-facing EBS portals. Review integration file import/export directories, attachment storage, and embedded file systems for signs of exfiltration or abnormal activity.
• ‍Ensure monitoring is in place for unusual outbound traffic or large file transfers.
• ‍Stay current with vendor security advisories and apply updates/patches promptly.  

Our team is closely tracking this campaign and can provide support with forensic investigation and containment/restoration should your environment or vendors show signs of impact.  
‍
If you have questions or need any assistance, please contact us at 833-568-6695 or email our team at incident@moxfive.com.