< ciso brief />

All news with #clop tag

25 articles

Korean Air Data Breach Exposes Thousands of Employees

🔓 Korean Air warned employees that personal information, including names and bank account numbers, was compromised after its former in-flight catering supplier, Korean Air Catering & Duty-Free (KC&D), notified the carrier it had been hacked. Local outlets report about 30,000 records were exfiltrated, and the Clop ransomware gang has claimed responsibility and posted the alleged data on its leak site. Korean Air reported the incident to authorities, is investigating the scope, and urged staff to remain vigilant for phishing and impersonation attempts.

Clop-linked Breach Exposes Data of 3.5M at University of Phoenix

🔒 University of Phoenix disclosed a breach affecting 3,489,274 individuals after attackers accessed its systems in August and stole sensitive personal and financial data. Investigators say the intrusion targeted the Oracle E-Business Suite through a zero-day tracked as CVE-2025-61882, with attacker activity between August 13 and 22 and detection on November 21. The university is offering 12 months of credit and dark web monitoring, identity recovery and a $1 million fraud reimbursement policy. The incident is linked to Clop and forms part of a wider campaign that has hit more than 100 organizations.

Top Ransomware Trends of 2025: Activity and Impact

πŸ” Ransomware activity in 2025 remained high, with 306 groups and 7,902 victims listed on data leak sites, according to Ransomware.live. While coordinated takedowns and anti-cybercrime actions were quieter than in 2024, both emergent collectives (Scattered Spider, Lapsus$, ShinyHunters) and established syndicates continued to generate incidents. The most prolific actors β€” Qilin, Akira and Clop β€” claimed the largest shares of victims, and the United States accounted for nearly half of the reported targets.

Clop Breach Exposes Nearly 3.5M University of Phoenix Records

🔒 The University of Phoenix disclosed that the Clop ransomware gang stole personal and financial data for 3,489,274 people after exploiting a zero-day in the Oracle E-Business Suite. The university says names, contact details, dates of birth, Social Security numbers, and bank routing and account numbers were accessed. UoPX detected the intrusion after Clop posted the stolen files and is offering complimentary identity protection and a $1 million fraud reimbursement policy.

Clop Targets Internet-Exposed Gladinet CentreStack Servers

🔒 The Clop ransomware gang is actively targeting Internet-exposed Gladinet CentreStack file servers in a new extortion campaign, with incident responders reporting ransom notes on compromised systems. Gladinet has issued multiple security updates since April to address several flaws, some of which were disclosed as zero-days. It remains unclear whether Clop is exploiting a fresh zero-day or targeting unpatched instances. Threat-intelligence data shows more than 200 IP addresses exposing CentreStack login pages to the Internet and therefore potentially at risk.

University of Pennsylvania Confirms Oracle EBS Data Theft

🔒 The University of Pennsylvania disclosed that attackers exploited a previously unknown Oracle E-Business Suite zero-day in August to obtain files containing personal information. In a notification filed with Maine's Attorney General, Penn said at least 1,488 individuals had data taken and warned the overall total may be larger. The university reported no evidence so far that the stolen information has been misused or published and has not publicly attributed the intrusion; the incident aligns with a broader campaign linked to the Clop ransomware group.

Dartmouth Confirms Data Breach After Clop Extortion

🔒 Dartmouth College says threat actors linked to the Clop extortion gang exploited a zero-day in Oracle E-Business Suite to steal files and leak them on a dark web site. The college reported unauthorized access between August 9 and August 12, 2025, and on October 30 identified files containing names and Social Security numbers. A filing with Maine's Attorney General lists 1,494 individuals whose data was found in reviewed files and notes that financial account information was also taken. Dartmouth has not provided details on any ransom demand or the full scope of impacted people.

Cox Enterprises Discloses Oracle E-Business Suite Breach

🔒 Cox Enterprises says hackers accessed its network after exploiting a zero-day in Oracle E‑Business Suite, with activity occurring between Aug. 9 and 14 and detected on Sept. 29, 2025. The company notified 9,479 impacted individuals and is offering 12 months of credit monitoring and identity protection through IDX. The Cl0p ransomware gang has claimed responsibility and posted stolen files after Oracle issued a patch on Oct. 5. Cox did not specify the types of data exposed in the notice.

Logitech Confirms Data Breach After Clop Extortion Campaign

🚨 Logitech International S.A. confirmed a data breach claimed by the extortion gang Clop and disclosed the incident in a Form 8‑K filing with the U.S. SEC. The company says data was exfiltrated but that the incident has not impacted its products, business operations, or manufacturing, and that highly sensitive fields such as national ID numbers and credit card data were not stored in the affected system or accessed. Logitech engaged external cybersecurity firms and attributes the intrusion to a zero-day in a third-party software platform that has since been patched. Clop has posted nearly 1.8 TB of allegedly stolen data.

Washington Post Oracle Breach Exposes Nearly 10,000

🔒 The Washington Post says a zero-day in Oracle E-Business Suite was used to access parts of its network, exposing personal and financial records for 9,720 employees and contractors. The intrusion occurred between July 10 and August 22, and attackers attempted extortion in late September. The activity has been tied to the Clop group exploiting CVE-2025-61884, and impacted individuals are being offered 12 months of identity protection and advised to consider credit freezes.

GlobalLogic Confirmed as Victim of Cl0p Oracle EBS Exploit

🔒 GlobalLogic has notified 10,471 current and former employees that their data was exposed after a zero-day in Oracle E-Business Suite (EBS) was exploited in early October 2025. The company says it patched the vulnerability after confirming data exfiltration on 9 October. Stolen records reportedly include HR and payroll details such as names, dates of birth, passport numbers, salary, bank account and routing numbers, creating a high risk of follow-on phishing and identity fraud. GlobalLogic did not confirm contact by the extortion group, while security firms link the incident to Cl0p, which has targeted dozens of organizations including Harvard and Envoy Air.

GlobalLogic warns 10,000 employees of Oracle data theft

🔒 GlobalLogic is notifying 10,471 current and former employees that personal data was stolen after attackers exploited an Oracle E-Business Suite zero-day. The compromised HR information includes names, contact details, birthdates, passport and tax identifiers, salary and bank account information. The incident aligns with a wider extortion campaign linked to the Clop ransomware group exploiting CVE-2025-61882.

Envoy Air Confirms Oracle E-Business Suite Data Theft

🔒 Envoy Air confirmed that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its leak site. The carrier said it immediately launched an investigation, contacted law enforcement, and determined that no sensitive or customer data was affected, though limited business information and commercial contact details may have been exposed. The incident is tied to an August campaign by Clop, which exploited an E-Business Suite zero‑day (CVE‑2025‑61882) and is now publishing the files it claims to have stolen.

Google: Clop Exfiltrated Data via Oracle E-Business Flaw

πŸ” Google Threat Intelligence and Mandiant report the Clop (FIN11) actor likely exfiltrated a significant amount of data from Oracle E-Business Suite environments beginning as early as August 9, 2025. The group sent extortion emails to executives from September 29 and supplied legitimate file listings to substantiate claims. Attackers exploited the zero-day CVE-2025-61882 prior to an emergency patch released on October 4, 2025. Investigators advise urgent patching, hunting for malicious templates, restricting outbound EBS traffic, and performing Java memory forensics.

Cl0p-Linked Actors Exploit Oracle E-Business Suite

🔔 Google Threat Intelligence Group and Mandiant report a multi-stage zero-day campaign exploiting Oracle E-Business Suite (tracked as CVE-2025-61882, CVSS 9.8) that has impacted dozens of organizations since August 2025. The attackers combined SSRF, CRLF injection, authentication bypass and XSL template injection to achieve remote code execution and deploy multi-stage Java loaders. Observed payloads include GOLDVEIN.JAVA and a SAGEGIFT/SAGELEAF/SAGEWAVE chain; orchestration and extortion messaging bear the Cl0p signature. Oracle has released patches and investigations by GTIG and Mandiant are ongoing.

Oracle EBS Zero-Day Exploitation and Extortion Campaign

⚠️ GTIG and Mandiant tracked a large-scale extortion campaign beginning Sept. 29, 2025, in which actors claiming affiliation with the CL0P brand alleged theft from Oracle E‑Business Suite (EBS) environments. Analysis indicates exploitation of a zero-day (CVE-2025-61882) as early as Aug. 9, 2025, with suspicious activity dating back to July 10. Attackers abused UiServlet and SyncServlet flows, embedding Java payloads via XSL templates to achieve unauthenticated RCE and deploy in-memory implants. Organizations are urged to apply Oracle emergency patches, hunt for malicious templates in XDO_TEMPLATES_B/XDO_LOBS, and restrict outbound traffic to disrupt C2.
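Added example, not code from GTIG, Mandiant, Oracle or any of the articles listed here: a Python triage that applies the template-hunting step both Google/Mandiant summaries above recommend (malicious XSL templates persisted in XDO_TEMPLATES_B/XDO_LOBS), run over rows as an analyst would export them from those two tables. The simplified column names, the regular expressions, and the TMP/DEF template-code prefixes are assumptions for the example (the prefixes come from public reporting on the campaign and should be checked against your own baseline); the sample rows are constructed.

```python
"""Triage Oracle XML Publisher templates for the XSL/Java payload pattern.

Constructed example. SAMPLE_ROWS stands in for a join of XDO_TEMPLATES_B and
XDO_LOBS; the column names are a simplified assumption, not the real XDO schema.
"""
import re
from dataclasses import dataclass
from datetime import date


@dataclass
class TemplateRow:
    template_code: str   # XDO_TEMPLATES_B.TEMPLATE_CODE (assumed column name)
    creation_date: date  # XDO_TEMPLATES_B.CREATION_DATE (assumed column name)
    file_data: bytes     # XDO_LOBS.FILE_DATA, a BLOB holding the XSL body


# Content indicators. Oracle's XSLT engine binds Java classes through namespaces
# of the form http://www.oracle.com/XSL/Transform/java/<class>; a report
# template that binds Runtime, ProcessBuilder, a ClassLoader or Base64 has no
# business reason to do so. The regexes themselves are our own heuristics.
JAVA_BINDING = re.compile(
    rb'xmlns:\w+\s*=\s*"http://www\.oracle\.com/XSL/Transform/java/', re.I)
DANGEROUS_CLASSES = re.compile(
    rb'java\.lang\.(?:Runtime|ProcessBuilder)|ClassLoader|defineClass|java\.util\.Base64', re.I)
LONG_BASE64 = re.compile(rb'[A-Za-z0-9+/]{200,}={0,2}')

# Metadata indicators. The TMP/DEF prefixes come from public reporting on the
# campaign (an assumption here; extend with your own baseline). The default
# window start is the July 10 date the GTIG/Mandiant summary gives.
SUSPICIOUS_PREFIXES = ("TMP", "DEF")
WINDOW_START = date(2025, 7, 10)

CONTENT_FINDINGS = {"xsl-java-extension-binding", "dangerous-java-class", "embedded-base64-blob"}


def triage_template(row: TemplateRow, since: date = WINDOW_START) -> list:
    """Return every indicator that fires for one template row, strongest first."""
    findings = []
    if JAVA_BINDING.search(row.file_data):
        findings.append("xsl-java-extension-binding")
    if DANGEROUS_CLASSES.search(row.file_data):
        findings.append("dangerous-java-class")
    if LONG_BASE64.search(row.file_data):
        findings.append("embedded-base64-blob")
    if row.template_code.upper().startswith(SUSPICIOUS_PREFIXES):
        findings.append("suspicious-template-code-prefix")
    if row.creation_date >= since:
        findings.append("created-in-exploitation-window")
    return findings


def hunt(rows, since: date = WINDOW_START) -> dict:
    """Map template_code -> findings for rows worth an analyst's time.

    A row is reported when any content indicator fires, or when a suspicious
    code prefix coincides with creation inside the window. A recent creation
    date on its own is normal change activity and is not reported.
    """
    flagged = {}
    for row in rows:
        findings = triage_template(row, since)
        metadata_hit = ("suspicious-template-code-prefix" in findings
                        and "created-in-exploitation-window" in findings)
        if CONTENT_FINDINGS.intersection(findings) or metadata_hit:
            flagged[row.template_code] = findings
    return flagged


# Constructed template bodies. The "malicious" one binds Java extension
# namespaces and carries an opaque blob standing in for an encoded loader;
# the blob is filler, not a real payload.
BENIGN_XSL = (b'<?xml version="1.0"?><xsl:stylesheet version="1.0" '
              b'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
              b'xmlns:fo="http://www.w3.org/1999/XSL/Format">'
              b'<xsl:template match="/"><fo:root/></xsl:template></xsl:stylesheet>')
MALICIOUS_XSL = (b'<xsl:stylesheet version="1.0" '
                 b'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
                 b'xmlns:rt="http://www.oracle.com/XSL/Transform/java/java.lang.Runtime" '
                 b'xmlns:b64="http://www.oracle.com/XSL/Transform/java/java.util.Base64">'
                 b'<xsl:template match="/"><xsl:variable name="blob">'
                 + b"A" * 240 + b'==</xsl:variable></xsl:template></xsl:stylesheet>')

SAMPLE_ROWS = [
    TemplateRow("AR_INVOICE_EN", date(2023, 3, 1), BENIGN_XSL),    # old, clean
    TemplateRow("TMP8Q2K", date(2025, 8, 10), MALICIOUS_XSL),      # in window, Java payload
    TemplateRow("DEFTEST1", date(2025, 9, 1), BENIGN_XSL),         # odd code, in window
    TemplateRow("XLA_JOURNAL_XSL", date(2025, 9, 5), BENIGN_XSL),  # routine recent change
]

if __name__ == "__main__":
    for code, findings in hunt(SAMPLE_ROWS).items():
        print(f"{code}: {', '.join(findings)}")
```

FILE_DATA is a BLOB, so the checks run over bytes rather than decoded text; that keeps them working when a template is stored in an unexpected encoding. Treat any hit on the Java-binding or dangerous-class indicators as a confirmed-compromise lead and pivot to the outbound connections from the EBS Java server that the same summaries tell you to restrict, rather than deleting the template first.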

Oracle EBS Zero-Day Exploited by Clop Since August

🔒 CrowdStrike reports the Clop ransomware gang has been exploiting an Oracle E-Business Suite zero-day, CVE-2025-61882, since early August to steal sensitive documents. The flaw resides in the BI Publisher Integration of Concurrent Processing and allows unauthenticated remote code execution via a single HTTP request. Oracle issued a patch and warned customers to apply updates immediately as extortion emails tied to stolen EBS data are being circulated.

Oracle EBS Targeted by Cl0p Exploiting CVE-2025-61882

🚨 CrowdStrike attributes the exploitation of Oracle E-Business Suite to Graceful Spider, also known as Cl0p, with the first observed compromise on August 9, 2025. The attacks exploit a critical pre-authentication remote code execution flaw, CVE-2025-61882 (CVSS 9.8), enabling authentication bypass and the upload of malicious XSLT templates via Oracle XML Publisher. Successful exploitation leads to outbound connections from the Java web server and remote web shell deployment for data exfiltration and persistence; CISA has added the flaw to its Known Exploited Vulnerabilities catalog and urged agencies to patch immediately.

Oracle issues emergency patch for EBS zero-day RCE

🔴 Oracle has released an emergency patch addressing a critical zero-day remote code execution flaw, CVE-2025-61882, in the E-Business Suite BI Publisher Integration component. The vulnerability (affecting versions 12.2.3–12.2.14) is rated 9.8 on the CVSS scale and is exploitable remotely without authentication. Cl0p actors are linked to active exploitation and high-value extortion demands; Oracle published IoCs and strongly urges immediate patching and aggressive compromise hunting.

Cl0p Exploits Critical Oracle E-Business Suite Flaw

🔒 Oracle released an emergency patch to address a critical unauthenticated vulnerability in E-Business Suite (CVE-2025-61882) with a CVSS score of 9.8. The flaw allows remote code execution against the Oracle Concurrent Processing component over HTTP and has been actively exploited by the Cl0p group in large-scale data theft. Security firms report extortion emails sent at scale from hundreds of compromised third-party accounts and recommend immediate patching and forensic checks for the published IoCs and for suspicious GET and POST requests.