Date of Incident:
August 2025
Overview:
In August 2025, the University of Pennsylvania experienced a data breach targeting its Oracle E-Business Suite, attributed to the Clop ransomware group. Attackers exploited a zero-day vulnerability, compromising personal information of 1,488 individuals, with a potential for more. The breach utilized advanced tactics such as SQL injection and remote file copying, with involvement of Cobalt Strike for persistence. Known indicators of compromise include specific Trojans and IP addresses, hinting at broader malicious activity. The breach reflects a larger campaign exploiting educational institutions, impacting similar entities like Harvard and Stanford.
Impact:
Attackers stole personal information belonging to 1,488 individuals from Oracle E-Business Suite servers, with the potential for a larger number of impacted individuals; the breach is part of a larger campaign in which the Clop ransomware gang exploited a zero-day Oracle EBS vulnerability.
Details:
The breach involved exploitation of a zero-day vulnerability in Oracle E-Business Suite (EBS) tied to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application) and later lateral movement via T1075 (Remote File Copy). The Clop ransomware group used a crafted HTTP request bypassing authentication mechanisms, leading to unauthorized access to the database servers hosting personal data. PoC code behavior showed SQL injection patterns combined with custom payloads deploying Cobalt Strike beacons for persistence. IOCs include known Clop IPs 185.220.101.5, 185.220.101.6, hashes of Trojan loaders (e.g., SHA256: da39a3ee5e6b4b0d3255bfef956018
Remediation:
Oracle released critical patches in its July 2025 CPU (Critical Patch Update) addressing this zero-day vulnerability. Immediate patching is strongly advised. Temporary mitigations include restricting public network access to Oracle EBS servers and deploying Web Application Firewalls (WAFs) with custom rules to detect injection payloads. Monitoring logs for IOCs and unusual activity is recommended while forensic analysis and incident response are ongoing.
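A small log-monitoring check for the remediation step above, added here as an example and not part of the original summary: it scans web server access log lines for the two Clop IPs listed in the Details section and for generic SQL-injection fragments in request paths. The log lines are constructed, and the injection regexes are illustrative starting points to tune for your own application's traffic.

```python
import re
from urllib.parse import unquote

# IOC IPs taken from the incident summary above.
IOC_IPS = {"185.220.101.5", "185.220.101.6"}

# Generic SQL-injection fragments (illustrative; tune per application).
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b[\s/*]+(all[\s/*]+)?select\b"),
    re.compile(r"(?i)'\s*(or|and)\s+['\d]"),
    re.compile(r"(?i)\b(sleep|benchmark|pg_sleep)\s*\("),
]

# Combined/common access log format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)


def scan_line(line):
    """Return the reasons a log line looks suspicious (empty list if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed line"]
    reasons = []
    if m["ip"] in IOC_IPS:
        reasons.append(f"ioc-ip:{m['ip']}")
    # URL-decode first so %27%20OR%20 style encoding does not hide the payload.
    decoded = unquote(m["path"])
    if any(p.search(decoded) for p in SQLI_PATTERNS):
        reasons.append("sqli-pattern")
    return reasons


def scan_log(lines):
    """Return (line_number, reasons) for every suspicious line."""
    findings = []
    for n, line in enumerate(lines, 1):
        reasons = scan_line(line)
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample log lines (not real traffic from the incident).
SAMPLE_LOG = [
    '10.0.0.7 - - [12/Aug/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 512',
    '185.220.101.5 - - [12/Aug/2025:10:03:11 +0000] "GET /app/report?id=1 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [12/Aug/2025:10:05:40 +0000] "GET /app/report?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 88',
    '185.220.101.6 - - [12/Aug/2025:10:06:01 +0000] "POST /app/search?q=x%20UNION%20SELECT%20user,pass%20FROM%20t HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Feed real access logs in with `scan_log(open(path).read().splitlines())`; hits on the IOC IPs warrant immediate triage, while injection-pattern hits from other sources should be reviewed against the WAF rules.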
Takeaway for CISO:
This breach highlights the risks of zero-day vulnerabilities in critical enterprise applications used by educational institutions. Clop’s ability to leverage the Oracle EBS flaw for data exfiltration and ransom demonstrates the need for proactive patch management and vigilant monitoring of application-layer traffic. CISOs should enforce strict access controls and invest in advanced threat detection capabilities focused on anomaly detection at the application level.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management.