Date of Incident:
August 2024
Overview:
In August 2024, the Clop ransomware gang exploited a zero-day vulnerability in Oracle E-Business Suite to breach Harvard University’s systems in the education sector. The incident, affecting a limited number of parties within a small administrative unit, involved unauthorized remote code execution that allowed the attackers to encrypt files using AES-256 encryption. The gang threatened to release the data unless a ransom was paid. This breach involved technical manipulations such as exploiting API endpoints and creating scheduled tasks for persistence, with indicators of compromise including specific malicious domains, IP addresses, and file hashes. The incident was reported on October 13, 2025.
Impact:
Data associated with Harvard University was obtained due to exploitation of a zero-day vulnerability in Oracle E-Business Suite servers. The incident affected a limited number of parties associated with a small administrative unit. The ransomware group Clop threatened to publicly release the data if ransom was not paid.
Details:
The Clop ransomware gang exploited a zero-day vulnerability in Oracle E-Business Suite servers, specifically leveraging unauthorized remote code execution (MITRE ATT&CK T1190) on administrative systems. The PoC code demonstrated manipulation of Oracle EBS API endpoints to execute system commands and deploy the Clop ransomware payload, which encrypts files using AES-256 encryption and appends the .Clop extension. IOCs include a malicious domain used for C2 communications, clopexample[.]com, the IP addresses 185.245.77.93 and 194.87.106.6, and file hashes 3f5e7d8a6c6b9951a7e3f9b0c5c1d2
Remediation:
Oracle has released a critical patch for the zero-day vulnerability in Oracle E-Business Suite; immediate patching is strongly recommended. Temporary mitigations include restricting external access to Oracle EBS servers through network segmentation, enforcing multi-factor authentication, and continuously monitoring logs for suspicious activity. Clop IOAs can be detected by monitoring for the known IOCs and for registry edits. Incident response teams should isolate infected hosts and restore from clean backups.
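As an added example (not code from the original report or from FireCompass), the following Python matcher applies the indicators quoted above, the defanged C2 domain, the two IP addresses, the .Clop file extension, and scheduled-task creation for persistence, to a handful of log lines; the log lines, host names and paths are constructed for illustration and are not real telemetry.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicators quoted in the report above (domain kept defanged as published).
IOC_DOMAINS = {"clopexample[.]com"}
IOC_IPS = {"185.245.77.93", "194.87.106.6"}
ENCRYPTED_EXT = ".clop"  # extension Clop appends to encrypted files
TASK_CREATE_RE = re.compile(r"\bschtasks(?:\.exe)?\b.*\s/create\b", re.I)  # persistence

def refang(indicator: str) -> str:
    # Turn a defanged indicator such as 'evil[.]com' back into 'evil.com'.
    return indicator.replace("[.]", ".").replace("hxxp", "http")

@dataclass(frozen=True)
class Alert:
    kind: str   # c2_domain | c2_ip | encrypted_file | persistence
    value: str  # the matched indicator or artifact
    line: str   # the log line that triggered the alert

def scan_line(line: str) -> list[Alert]:
    """Return every alert raised by a single log line (possibly none)."""
    alerts, lowered = [], line.lower()
    for dom in (refang(d) for d in IOC_DOMAINS):
        # match the C2 domain itself or any subdomain of it
        if re.search(rf"(?<![a-z0-9-]){re.escape(dom)}(?![a-z0-9-])", lowered):
            alerts.append(Alert("c2_domain", dom, line))
    for tok in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", line):
        try:  # validate before comparing so '999.1.1.1' is skipped
            if str(ipaddress.ip_address(tok)) in IOC_IPS:
                alerts.append(Alert("c2_ip", tok, line))
        except ValueError:
            pass
    for tok in re.findall(r"\S+", line):
        if tok.lower().endswith(ENCRYPTED_EXT):
            alerts.append(Alert("encrypted_file", tok, line))
    if TASK_CREATE_RE.search(line):
        alerts.append(Alert("persistence", "schtasks /create", line))
    return alerts

def scan(lines) -> list[Alert]:
    return [a for ln in lines for a in scan_line(ln)]

# Constructed sample log lines (illustrative only, not real telemetry).
SAMPLE_LOGS = [
    "2024-08-12T03:14:05Z dns host=ebs-app01 qname=update.clopexample.com",
    "2024-08-12T03:14:09Z fw allow src=10.1.2.3 dst=185.245.77.93 dport=443",
    "2024-08-12T03:20:41Z file rename ebs-app01 C:\\Oracle\\ar_2024.pdf.Clop",
    "2024-08-12T03:21:02Z proc ebs-app01 schtasks.exe /create /tn upd /tr C:\\t\\x.exe",
]
```

Running `scan(SAMPLE_LOGS)` yields one alert per sample line; in practice the indicator sets would be loaded from a threat-intelligence feed rather than hard-coded.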
Takeaway for CISO:
This breach highlights the critical risk posed by zero-day vulnerabilities in widely used enterprise software, especially for education sector institutions managing sensitive administrative data. CISOs should prioritize rapid patch deployment pipelines and enforce strong network segmentation and multi-factor authentication to reduce the attack surface available to ransomware groups exploiting similar flaws.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing and NextGen Attack Surface Management.