Harvard University is the first confirmed victim of the recent cybercrime campaign targeting customers of Oracle’s E-Business Suite (EBS) solution.
Harvard was listed on the data leak website dedicated to victims of the Cl0p ransomware on October 12. The university was initially only named, but the cybercriminals have now published a link that points to data allegedly stolen from Harvard.
The hackers have made available over 1.3 TB of archive files that allegedly contain Harvard data. SecurityWeek has not verified the content of the leaked files.
In a statement, Harvard confirmed being targeted in the Oracle EBS campaign. The organization’s investigation is ongoing, but it believes the incident impacts “a limited number of parties associated with a small administrative unit”.
Harvard said the vulnerability exploited by the hackers has been patched and there is no evidence of other systems being compromised.
Google’s Threat Intelligence Group (GTIG) and Mandiant believe dozens of organizations have been targeted.
While the hackers are believed to have stolen a significant amount of data, the sensitivity of the information likely differs for each victim. Information typically stored in an EBS instance can include financial, customer, supplier, HR, and inventory data.
The cybercriminals behind the Oracle EBS campaign sent out extortion emails to executives at the targeted organizations on behalf of the Cl0p ransomware group, likely due to the reputation it has built after conducting similar campaigns in the past. Those campaigns targeted customers of Cleo, MOVEit, Fortra and Accellion file transfer products.
The Oracle attack has not been attributed to a specific threat group, but GTIG and Mandiant found several links to a cybercrime group tracked as FIN11, which alongside Cl0p was tied to the previous campaigns targeting file transfer products.
The attacks targeting Oracle EBS customers appear to have involved the exploitation of known and zero-day vulnerabilities, as well as the deployment of sophisticated malware.
CrowdStrike reported that exploitation of the software flaws appears to have started on August 9, but Google has seen some indication that the attacks may have begun as early as July 10.
Related: Oracle Patches EBS Vulnerability Allowing Access to Sensitive Data
Related: Exploitation of Oracle EBS Zero-Day Started 2 Months Before Patching
Related: Extortion Group Leaks Millions of Records From Salesforce Hacks
