
University of Phoenix Data Breach Exposes Records of Nearly 3.5 Million Individuals

 

The University of Phoenix has confirmed a major cybersecurity incident that exposed the financial and personal information of nearly 3.5 million current and former students, employees, faculty members, and suppliers. The breach is believed to be linked to the Clop ransomware group, a cybercriminal organization known for large-scale data theft and extortion. The incident adds to a growing number of significant cyberattacks reported in 2025. 

Clop is known for exploiting weaknesses in widely used enterprise software. Rather than locking systems, the group steals sensitive data and threatens to publish it unless victims pay a ransom. In this case, attackers took advantage of a previously unknown vulnerability in Oracle Corporation’s E-Business Suite software, which allowed them to access internal systems.

The breach was discovered on November 21 after the University of Phoenix appeared on Clop’s dark web leak site. Further investigation revealed that unauthorized access may have occurred as early as August 2025. The attackers used the Oracle E-Business Suite flaw to move through university systems and reach databases containing highly sensitive financial and personal records.  

The vulnerability used in the attack became publicly known in November, after reports showed Clop-linked actors had been exploiting it since at least September. During that time, organizations began receiving extortion emails claiming financial and operational data had been stolen from Oracle EBS environments. This closely mirrors the methods used in the University of Phoenix breach. 

The stolen data includes names, contact details, dates of birth, Social Security numbers, and bank account and routing numbers. While the university has not formally named Clop as the attacker, cybersecurity experts believe the group is responsible due to its public claims and known use of Oracle EBS vulnerabilities. 

Paul Bischoff, a consumer privacy advocate at Comparitech, said the incident reflects a broader trend in which Clop has aggressively targeted flaws in enterprise software throughout the year. In response, the University of Phoenix has begun notifying affected individuals and is offering 12 months of free identity protection services, including credit monitoring, dark web surveillance, and up to $1 million in fraud reimbursement. 

The breach ranks among the largest cyber incidents of 2025. Rebecca Moody, head of data research at Comparitech, said it highlights the continued risks organizations face from third-party software vulnerabilities. Security experts say the incident underscores the need for timely patching, proactive monitoring, and stronger defenses, especially in educational institutions that handle large volumes of sensitive data.

Envoy Air Confirms Oracle Data Breach After Clop Ransomware Group Lists American Airlines on Leak Site

 

Envoy Air, a regional carrier owned by American Airlines, has confirmed that data from its Oracle E-Business Suite application was compromised following claims by the Clop extortion group, which recently listed American Airlines on its data leak site.

"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer.

"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."

Envoy Air operates regional flights for American Airlines under the American Eagle brand. Although it functions as a separate entity, its operations are closely integrated with American’s systems for ticketing, scheduling, and passenger services.

The Clop ransomware group has begun leaking what it claims to be stolen Envoy data, posting the message: “The company doesn’t care about its customers, it ignored their security!!!” This breach is tied to a wider campaign that began in August, in which Clop targeted Oracle E-Business Suite systems and began sending extortion demands to affected companies in September.

Initially, Oracle said that attackers were exploiting vulnerabilities patched in July. However, the company later confirmed that the threat actors took advantage of a previously unknown zero-day flaw, now identified as CVE-2025-61882.

Cybersecurity firms CrowdStrike and Mandiant later reported that Clop exploited the flaw in early August to infiltrate networks and install malware. While the total number of victims remains unclear, Google’s John Hultquist told BleepingComputer that “dozens of organizations” were affected.

The extortion gang is also targeting Harvard University as part of the same operation. The university confirmed to BleepingComputer that the breach affected “a limited number of parties associated with a small administrative unit.”

Adding to the concerns, Oracle quietly patched another zero-day flaw—CVE-2025-61884—in its E-Business Suite last week, which had been actively exploited since July 2025. The exploit was reportedly leaked by the Shiny Lapsus$ Hunters group on Telegram.

American Airlines has previously faced data breaches in 2022 and 2023, which exposed employee personal data.

Who is Clop?

The Clop ransomware group, also known as TA505, Cl0p, or FIN11, has been active since 2019. It initially used a variant of the CryptoMix ransomware to infiltrate corporate networks and steal information.

Since 2020, the group has shifted its focus to exploiting zero-day vulnerabilities in file transfer and data storage platforms. Notable campaigns include:

  • 2020: Accellion FTA zero-day attack impacting nearly 100 companies
  • 2021: SolarWinds Serv-U FTP zero-day exploit
  • 2023: GoAnywhere MFT zero-day breach affecting 100+ firms
  • 2023: MOVEit Transfer campaign, their largest to date, compromising data from 2,773 organizations worldwide
  • 2024: Exploited Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) for data theft and extortion

The U.S. State Department is currently offering a $10 million reward for information linking Clop’s ransomware operations to any foreign government.