
Oracle EBS exploitation similar to Clop’s MOVEit, GoAnywhere attacks


News on Nov. 25 that Dartmouth College became the latest victim of Clop’s ongoing attacks on Oracle E-Business Suite servers had industry pros pointing out that many of these attacks represent a similar playbook across numerous campaigns.

“The Clop ransomware group is leveraging zero-day vulnerabilities in Oracle EBS, similar to their tactics with MOVEit and GoAnywhere,” said Casey Ellis, founder at Bugcrowd. “They exploit pre-auth flaws to gain access, steal data, and extort victims through public leaks. This campaign highlights the need for robust vulnerability intelligence and patch management, as these aren't just zero-day issues, but part of a broader trend of exploiting n-day vulnerabilities.”

A Nov. 21 blog post by SOCRadar reported that Clop’s Oracle EBS campaign has shown wide impact, with the group’s leak site listing 103 affected organizations and 77 victim datasets appearing on torrent and magnet links.

Other victims include Harvard University, The Washington Post, Logitech, and American Airlines subsidiary Envoy Air.

Noelle Murata, senior security engineer at Xcape, Inc., said that the Dartmouth attack further demonstrated Clop’s strategy: targeting widely used enterprise software to steal large amounts of data and then extort the organization.

“SOCRadar’s research highlights commonalities with MOVEit and GoAnywhere, an approach that’s important to note because Oracle EBS is a popular platform that acts as a single point of compromise, whose integrations significantly expand the impact,” said Murata. “The attack pattern is clear: quickly exploit a new vulnerability, quietly collect stolen information, and apply pressure through public data leak sites instead of traditional encryption ransom.”

Clop ransomware group tactics shift to exploiting zero-days

Heath Renfrow, co-founder and chief information security officer at Fenix24, added that Clop has evolved far beyond a ransomware crew looking for opportunistic targets. Over the past two years, Renfrow said, Clop has shifted from supply chain exploitation of widely deployed enterprise file transfer platforms to core business systems such as Oracle E-Business Suite.

“The playbook is consistent: find a ubiquitous technology, identify a zero-day that gives deep access, and then leverage the victim’s own position in the supply chain to expand impact,” said Renfrow. “What makes the Oracle EBS intrusions so concerning is their operational depth. These aren’t smash-and-grab attacks. Clop is taking time to understand business workflows, exfiltrate sensitive data, and extort organizations that often never expected their core ERP stack to be the attack vector.”

Andi Ursry, threat intelligence analyst at Blackpoint Cyber, said Clop has established itself as a data extortion group focused on high-reward attacks. Rather than targeting hundreds of victims throughout the year, the group has narrowed its focus to supply chain attacks, said Ursry.

“Clop has been active since 2019 and conducting large-scale supply chain attacks since 2020, making them one of the longest standing operations today,” said Ursry.

Ursry added that there are roughly 75 to 100 zero-days reported each year, but Clop likely isn't looking for just any zero-day that serves up a victim. The group likely hunts for zero-day vulnerabilities in software that sits at the network edge, handles sensitive data by default, and is widely deployed across large enterprises.

“These types of vulnerabilities provide them with access, persistence, data, and many potential victims,” said Ursry. “Clop operates opportunistically, but they very likely have baseline criteria zero-days must meet before they invest in custom tooling and large-scale exploitation.”
