Vulnerability Management, Ransomware

Oracle E-Business Suite attacks undetected for months, report finds


Vulnerable Oracle E-Business Suite servers were subjected to malicious activity as early as July, with the critical CVE-2025-61882 flaw exploited in attacks in August, more than a month before hackers purporting to be the Clop ransomware gang claimed responsibility for the intrusions, reports The Register. Dozens of organizations are believed to have been compromised. According to an analysis by the Google Threat Intelligence Group and Mandiant, the attacks began with the targeting of the servers' UiServlet component on July 10 and were followed almost a month later by successful unauthenticated remote code execution, which resulted in the deployment of multiple payloads.

Beyond the GOLDVEIN.JAVA downloader, a Java variant of the GOLDVEIN beacon whose traffic spoofs a TLSv3.1 handshake, intrusions exploiting CVE-2025-61882 also led to the injection of the Java-based SAGEGIFT loader, the SAGELEAF dropper and the SAGEWAVE servlet filter.

Additional findings showed overlaps between the campaign's UiServlet targeting and a Scattered Lapsus$ Hunters exploit unveiled earlier this month, as well as similarities between its data leak site and that of FIN11, which is known to use Clop ransomware. However, researchers said more evidence is needed to firmly attribute the Oracle EBS compromise to a specific threat operation.
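Because the reported intrusions started with requests to the UiServlet component roughly a month before the August exploitation, the first thing an EBS administrator will want is a retrospective look at web-tier access logs for that component, grouped by source and timing. The script below is an added example written for this article; it is not code from the article, The Register, GTIG or Mandiant. It assumes an Apache/Oracle HTTP Server combined log format, and the path /OA_HTML/configurator/UiServlet is an assumption (the article names only the component, not its URL). The log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample access-log lines (Apache/OHS combined log format assumed).
# The /OA_HTML/configurator/UiServlet path is an assumption: the article only
# names the UiServlet component, not its URL. The last line is deliberately
# malformed to show that unparseable entries are skipped, not fatal.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jul/2025:09:14:02 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:03:41:17 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jul/2025:03:41:19 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.0.5 - - [11/Jul/2025:10:02:44 +0000] "GET /OA_HTML/RF.jsp HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Aug/2025:22:05:31 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 77 "-" "curl/8.4.0"
this line is not a valid log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Date on which GTIG/Mandiant first observed UiServlet targeting, per the article.
CAMPAIGN_START = datetime(2025, 7, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_component_activity(log_text, component="UiServlet"):
    """Group every request whose path names `component` by source IP.

    Returns {ip: {"count", "first_seen", "statuses", "user_agents",
                  "in_campaign_window"}} so an analyst can triage by
    source, timing and client rather than by raw hit count.
    """
    by_ip = defaultdict(lambda: {"count": 0, "first_seen": None,
                                 "statuses": set(), "user_agents": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or component not in rec["path"]:
            continue
        entry = by_ip[rec["ip"]]
        entry["count"] += 1
        if entry["first_seen"] is None or rec["ts"] < entry["first_seen"]:
            entry["first_seen"] = rec["ts"]
        entry["statuses"].add(rec["status"])
        entry["user_agents"].add(rec["ua"])
    for entry in by_ip.values():
        # Hits on or after the reported start of targeting deserve a closer look.
        entry["in_campaign_window"] = entry["first_seen"] >= CAMPAIGN_START
    return dict(by_ip)


def scripted_clients(report):
    """IPs whose every hit came from a non-browser client.

    Simple triage heuristic (an assumption, not an indicator from the report):
    a servlet meant for interactive use rarely sees only curl/python clients.
    """
    return sorted(ip for ip, e in report.items()
                  if not any(ua.startswith("Mozilla") for ua in e["user_agents"]))


if __name__ == "__main__":
    report = find_component_activity(SAMPLE_LOG)
    for ip, e in sorted(report.items(), key=lambda kv: kv[1]["first_seen"]):
        print(f"{ip:15} hits={e['count']:<3} first_seen={e['first_seen']:%Y-%m-%d %H:%M} "
              f"statuses={sorted(e['statuses'])} ua={sorted(e['user_agents'])} "
              f"window={'yes' if e['in_campaign_window'] else 'no'}")
    print("non-browser sources:", scripted_clients(report))
```

On a real system, pipe the concatenated (and rotated) access logs into find_component_activity instead of SAMPLE_LOG, and keep the July 10 window boundary in mind: hits before that date are not cleared by this check, they simply predate what was publicly reported. A 500 paired with a scripted client, as in the constructed 203.0.113.7 lines, is the pattern worth pulling full request bodies and Java process listings for.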
