Ransomware, Data Security, Critical Infrastructure Security

Oracle EBS zero-day attacks claim Emerson, Schneider Electric as victims

Emerson Automation Solutions office in Calgary, Alberta, Canada, on July 4, 2023. Emerson is a technology, software and engineering company.

(Adobe Stock)

Industrial leaders Schneider Electric and Emerson have reportedly joined the ranks of the organizations now victimized in the latest wave of zero-day attacks on Oracle E-Business Suite (EBS) applications.

The major critical infrastructure companies are the latest in a growing list of victims that includes Harvard University, South Africa’s Wits University, and Envoy Air, a subsidiary of American Airlines.

While not proven yet, security pros theorize that the financially motivated threat group FIN11 is behind the attacks, mainly because they are known to frequently deploy Clop ransomware.

Clop’s leak website reportedly has links to 2.7 terabytes of Emerson information and 116 gigabytes of data from Schneider Electric.

“Clop was inside for three months exploiting the Oracle EBS zero-day with impunity,” said Michael Bell, chief executive officer at Suzu Labs. “What worries me most isn’t the breach itself, it’s that traditional monitoring completely missed 2.7TB of exfiltration. The ‘trusted vendor’ security model just died, and every board running Oracle EBS is realizing their attack surface includes dependencies they never assessed.”

Heath Renfrow, co-founder and chief information security officer at Fenix24, added that the inclusion of industrial powerhouses such as Schneider Electric and Emerson signals a troubling escalation. These are not just commercial organizations — Renfrow said they sit across operational technology supply chains and critical infrastructure dependencies worldwide.

“Any compromise involving ERP data, financial records, procurement workflows, HR files, engineering docs, supply chain intelligence, dramatically increases the risk of both commercial disruption and downstream security exposures,” said Renfrow. “While initial impacts appear primarily data-loss driven, the risk does not end at exfiltration. Sophisticated actors are increasingly pivoting from pure extortion to supply chain exploitation, credential harvesting, and mapping business-critical workflows that can later be disrupted or manipulated.”

Jake Ouellette, lead incident detection engineer at Blumira, said we’re dealing with an experienced threat actor known for its mass-hacking campaigns, operating with an easily exploitable, high-severity vulnerability.

“The attack they performed here and the data they got access to as a result are well within their wheelhouse,” said Ouellette. “They know where to advertise it and how to sell it. I suspect this will have a long tail for potentially years to come. For every big company that we hear got breached as a result of this activity, I’d wager there are multiple other smaller companies with breaches that they are just not aware of yet.”

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.

Related

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

Related Terms

Block CipherByteCiphertextCryptographic Hash FunctionsData Encryption Standard (DES)DecryptionDiffie-HellmanDigital SignatureDigital Signature Algorithm (DSA)Digital Signature Standard (DSS)

You can skip this ad in 5 seconds