Incident Types: The types of cybersecurity incidents that have occurred include Breach, Cyber Attack, Ransomware, Vulnerability and Malware.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with password change recommendation, and communication strategy with customer advisory, and containment measures with password reset, and remediation measures with malware removal, and communication strategy with letter to users, and communication strategy with criticized for lack of transparency, and third party assistance with cloudsek, third party assistance with trustwave spiderlabs, and communication strategy with private letters to customers, and communication strategy with outright denial, communication strategy with potentially misleading statements, communication strategy with accusations of deleting evidence online, and remediation measures with informed clients, remediation measures with bolstered gen 1 server security, and law enforcement notified with yes (california office of the attorney general), and third party assistance with okta threat intelligence (analysis by moussa diallo), and containment measures with monitoring for suspicious domain registrations, containment measures with blocking known malicious domains, and remediation measures with implementation of phishing-resistant authentication (e.g., passkeys, fido2 webauthn), remediation measures with adaptive risk assessments for unusual access patterns, and communication strategy with customer advisories about impersonation attempts, communication strategy with industry-wide alerts, and enhanced monitoring with real-time tracking of typosquatted domains, enhanced monitoring with beaconing detection, and incident response plan activated with recommended (investigate oracle e-business suite environments), and third party assistance with mandiant (google cloud), third party assistance with gtig, and enhanced monitoring with recommended (for unusual access), and and third party assistance with mandiant (google cloud), third party assistance with google threat intelligence group (gtig), and communication strategy with public warning via cybersecurity firms (mandiant, gtig), communication strategy with media outreach (recorded future news), and incident response plan activated with yes (by affected organizations and firms like halcyon and mandiant), and third party assistance with mandiant (google’s incident response unit), third party assistance with halcyon (counter-ransomware firm), and communication strategy with public disclosure via media (techcrunch, bloomberg); anonymous reporting channel for affected executives, and and third party assistance with mandiant (google cloud), and containment measures with emergency patch release (cve-2025-61882), containment measures with advisory for customer mitigation, and remediation measures with patch application, remediation measures with investigation into potential prior compromise, and communication strategy with public advisory, communication strategy with linkedin post by oracle cso, communication strategy with mandiant technical alert, and enhanced monitoring with recommended for customers to detect prior compromise, and incident response plan activated with recommended: erp-compromise tabletop exercises within 24–48 hours, and law enforcement notified with recommended: preserve email headers/artifacts for law enforcement or threat intelligence, and containment measures with patch verification (july 2025 cpu), containment measures with rotate sso tokens, containment measures with enforce mfa on ebs admin/service accounts, containment measures with review privileged roles and recent admin logins for anomalies, and remediation measures with inventory and re-authorize third-party integrations (apis, connectors, file transfers), remediation measures with monitor interface logs for unusual spikes/failures, and communication strategy with route extortion emails via security and legal channels, communication strategy with pre-draft customer and regulator communications, and enhanced monitoring with monitor erp integration points for anomalies, and incident response plan activated with yes (oracle released patch and urged immediate installation), and third party assistance with google mandiant (investigation and advisory), and containment measures with patch release (cve-2025-61882), containment measures with indicators of compromise (iocs) shared with customers, and remediation measures with urgent patch installation recommended for all customers, and communication strategy with public security advisory by oracle cso rob duhart, communication strategy with linkedin post by google mandiant cto charles carmakal, and incident response plan activated with oracle security alert (urgent patching advisory), and third party assistance with crowdstrike (detection and analysis), third party assistance with mandiant (investigation), third party assistance with google threat intelligence group (gtig), and containment measures with patching cve-2025-61882, containment measures with disabling exposed ebs components, and communication strategy with oracle customer advisory, communication strategy with public disclosure of poc risks, and enhanced monitoring with recommended for oracle ebs environments, and incident response plan activated with yes (google and oracle), and third party assistance with google security researchers, and remediation measures with oracle security advisory issued, remediation measures with technical indicators shared by google for detection, and communication strategy with public advisory by oracle, communication strategy with blog post by google, communication strategy with media statements, and enhanced monitoring with recommended (google provided indicators for detection), and third party assistance with aha’s preferred cybersecurity provider program, third party assistance with microsoft (via rural health resiliency program), and and containment measures with immediate software patch installation (oracle’s e-business suite), containment measures with long-term cyber incident response planning, and remediation measures with cybersecurity assessments, remediation measures with cloud capability evaluations, remediation measures with curated cyber and ai training, remediation measures with foundational cyber certifications for it staff, and communication strategy with aha advisories with federal law enforcement input, communication strategy with public awareness campaigns (e.g., cybersecurity awareness month), and incident response plan activated with yes (oracle released emergency security alerts and patches), and third party assistance with google threat intelligence, third party assistance with mandiant, third party assistance with crowdstrike, and containment measures with emergency patching (cve-2025-61884 & cve-2025-61882), containment measures with urgent advisory for customers to apply updates, and remediation measures with patch deployment, remediation measures with mitigation guidance for unpatched systems, and communication strategy with public security advisories, communication strategy with direct customer notifications, and enhanced monitoring with recommended (oracle advised customers to monitor for exploitation attempts), and remediation measures with patch released in october 2025 security alert, and third party assistance with security researchers (the raven file), and remediation measures with oracle released patch in october 2025..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Troubleshooting Site, CVE-2021-35587, malvertising (malicious search engine ads)typosquatted domains, Compromised Email Accounts, Compromised Email AccountsPotential Exploitation of Oracle E-Business Suite Vulnerabilities, compromised email accountsOracle E-Business Suite web-portals, Oracle E-Business Suite Concurrent Processing Component (via HTTP), phishing/extortion emails targeting executives, CVE-2025-61882 (Oracle E-Business Suite zero-day), CVE-2025-61882 (Oracle EBS BI Publisher), Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required), Exploitation of Unpatched Vulnerability in Oracle’s E-Business Suite, Exploitation of Oracle EBS Vulnerabilities (CVE-2025-61882, CVE-2025-61884)Hacked User EmailsDefault Password Reset Mechanisms, Oracle E-Business Suite zero-day exploit, OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection) and Oracle E-Business Suite (EBS) SyncServlet endpoint.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credit Card Payment Information, , Payment Card Data, , Sso Passwords, Java Keystore Files, Key Files, Jps Keys, , Jks Files, Encrypted Sso Passwords, Key Files, Jps Keys, , Electronic Health Records (Ehr), , Sso Credentials, Ldap Passwords, Oauth2 Keys, , Sensitive Customer Data, , Personal Information, Usernames, Email Addresses, Hashed Passwords, Sso Credentials, Ldap Credentials, Jks Files, Enterprise Manager Jps Keys, , User Emails, Hashed Passwords, Usernames, , Personally Identifiable Information (Pii), , Credentials (Usernames, Passwords), Pii (Email Addresses, Phone Numbers), Guest Data, Payment Information, Booking Details, , Potentially Finance, Hr, Supply Chain Data, Client Credentials (From January Incident), , Customer Data, Employee Information, Human Resources Files, , Personal Information (Executives), Customer Data, Employee Hr Files, , Sensitive Corporate Documents, Potentially Pii, , Personally Identifiable Information (Pii) Of Executives, Customer Data, Employee Hr Files, Corporate Sensitive Data, , Patient Personal Data, Potentially Sensitive Healthcare Information, , Sensitive Resources, Potentially Oracle Ebs Data (As Per Extortion Claims), , Employee Data, Contractor Data, , Financial Records, Personal Records, Erp Data, , Corporate Internal Data, Customer Information, Financial Records, Personal Data and .

Incident Response Plan: The company's incident response plan is described as Recommended (investigate Oracle E-Business Suite environments), , , , recommended: ERP-compromise tabletop exercises within 24–48 hours, , Yes (Oracle released patch and urged immediate installation), Oracle Security Alert (Urgent Patching Advisory), , Yes (Google and Oracle), Yes (Oracle Released Emergency Security Alerts and Patches).

Third-Party Assistance: The company involves third-party assistance in incident response through CloudSEK, Trustwave SpiderLabs, , Okta Threat Intelligence (analysis by Moussa Diallo), , Mandiant (Google Cloud), GTIG, , Mandiant (Google Cloud), Google Threat Intelligence Group (GTIG), , Mandiant (Google’s incident response unit), Halcyon (counter-ransomware firm), , Mandiant (Google Cloud), , Google Mandiant (investigation and advisory), , CrowdStrike (Detection and Analysis), Mandiant (Investigation), Google Threat Intelligence Group (GTIG), , Google Security Researchers, , AHA’s Preferred Cybersecurity Provider Program, Microsoft (via Rural Health Resiliency Program), , Google Threat Intelligence, Mandiant, CrowdStrike, , Security researchers (THE RAVEN FILE), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Malware Removal, , Informed clients, Bolstered Gen 1 server security, , implementation of phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn), adaptive risk assessments for unusual access patterns, , Patch Application, Investigation into Potential Prior Compromise, , inventory and re-authorize third-party integrations (APIs, connectors, file transfers), monitor interface logs for unusual spikes/failures, , Urgent patch installation recommended for all customers, , Oracle Security Advisory Issued, Technical Indicators Shared by Google for Detection, , Cybersecurity Assessments, Cloud Capability Evaluations, Curated Cyber and AI Training, Foundational Cyber Certifications for IT Staff, , Patch Deployment, Mitigation Guidance for Unpatched Systems, , Patch released in October 2025 Security Alert, , Oracle released patch in October 2025, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by password change recommendation, , password reset, , monitoring for suspicious domain registrations, blocking known malicious domains, , emergency patch release (cve-2025-61882), advisory for customer mitigation, , patch verification (july 2025 cpu), rotate sso tokens, enforce mfa on ebs admin/service accounts, review privileged roles and recent admin logins for anomalies, , patch release (cve-2025-61882), indicators of compromise (iocs) shared with customers, , patching cve-2025-61882, disabling exposed ebs components, , immediate software patch installation (oracle’s e-business suite), long-term cyber incident response planning, , emergency patching (cve-2025-61884 & cve-2025-61882), urgent advisory for customers to apply updates and .

Key Lessons Learned: The key lessons learned from past incidents are The event underscores the risks of maintaining outdated systems and the importance of clear communication in the face of cybersecurity incidents.Malvertising is an effective initial access vector for targeted phishing campaigns.,MFA bypass techniques (e.g., real-time OTP capture) undermine traditional authentication methods.,Typosquatted domains and convincing phishing pages can evade user scrutiny.,Russian-speaking threat actors continue to leverage proxy infrastructure for anonymity.,Hospitality industry is a high-value target due to sensitive guest data and payment systems.Zero-day vulnerabilities in widely used enterprise software like Oracle E-Business Suite can lead to rapid, high-impact exploitation by multiple threat actors. Organizations must prioritize patch management and assume breach scenarios even after patching, given the likelihood of prior compromise during mass exploitation campaigns.Proactive patching and hardening of ERP systems are critical to mitigating extortion risks.,Executive-targeted extortion emails require coordinated legal and security responses.,Third-party integrations in ERP systems are high-risk vectors and require strict monitoring.,Tabletop exercises help identify procedural gaps before real incidents occur.Zero-day vulnerabilities in enterprise software like Oracle EBS are high-value targets for ransomware groups.,Public PoC disclosures accelerate exploitation by multiple threat actors.,Proactive patching and exposure management are critical for mitigating RCE risks.Zero-day vulnerabilities in widely used enterprise software can lead to large-scale data breaches. Proactive patch management and monitoring for unusual network activity are critical. Vendors must ensure transparent communication during ongoing incidents to avoid misinformation.The incident underscores the critical need for timely patch management, robust cybersecurity defenses, and collaboration between healthcare providers, government agencies, and private-sector partners. Under-resourced organizations, such as rural hospitals, require additional support to mitigate cyber risks effectively. A proactive, whole-of-government approach—including offensive cyber capabilities and threat intelligence sharing—is essential to disrupt adversaries before attacks occur.Critical Importance of Timely Patching for Public-Facing Applications,Risks of Zero-Day Exploitation in Enterprise Software,Need for Enhanced Monitoring of Oracle EBS Instances,Potential for Mass Extortion Campaigns Leveraging Stolen Credentials.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Investigate Oracle E-Business Suite environments for unusual access or compromise, Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Immediately patch Oracle E-Business Suite to the latest version., Enhance logging and network segmentation for Oracle EBS environments., Monitor networks for indicators of compromise (IoCs) provided by Google., Review Mandiant's advisory for additional mitigation strategies., Assess potential links to FIN11/Clop ransomware activity, Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor for high-volume extortion email campaigns from compromised accounts, Implement Multi-Factor Authentication (MFA) for Oracle EBS, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement multi-factor authentication (MFA) for all critical systems., Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs), Conduct forensic investigations to detect signs of prior exploitation., Review and Secure Default Password Reset Mechanisms, Conduct regular security audits for enterprise software., Immediately apply Oracle's emergency patch for CVE-2025-61882., Educate employees about phishing and extortion email tactics. and Segment Networks to Limit Lateral Movement.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Security Researchers at CloudSEK and Trustwave SpiderLabs, and Source: Cyber Incident Description, and Source: California Office of the Attorney General, and Source: Okta Threat Intelligence (contributor: Moussa Diallo), and Source: BleepingComputer, and Source: Mandiant (Google Cloud) & GTIG Analysis, and Source: U.S. State Department Rewards for Justice Program (Clop)Url: https://www.state.gov/rewards-for-justice-program/, and Source: Recorded Future NewsDate Accessed: 2023-10-04, and Source: Mandiant/GTIG WarningDate Accessed: 2023-10-04, and Source: CISA Advisory (January 2023 Oracle Incident)Url: https://www.cisa.gov/, and Source: Emsisoft (MOVEit Impact Report), and Source: TechCrunchUrl: https://techcrunch.com, and Source: BloombergUrl: https://bloomberg.com, and Source: Oracle Security AdvisoryDate Accessed: 2025-08, and Source: Mandiant (Google Cloud) Alert on Cl0p CampaignDate Accessed: 2025-08, and Source: LinkedIn Post by Charles Carmakal (Mandiant CTO)Date Accessed: 2025-08, and Source: Google Threat Analysis Group (TAG), and Source: Oracle Security Advisory (July 2025 CPU), and Source: Reuters, and Source: Oracle Security Advisory (Rob Duhart, CSO)Date Accessed: 2025-10-02, and Source: Google Mandiant (Charles Carmakal, CTO) - LinkedIn PostDate Accessed: 2025-10-02, and Source: CrowdStrike BlogDate Accessed: 2025-10-07, and Source: BleepingComputer ArticleDate Accessed: 2025-10-06, and Source: Oracle Security Alert (CVE-2025-61882)Date Accessed: 2025-10-05, and Source: watchTowr Labs (PoC Analysis)Date Accessed: 2025-05-01, and Source: U.S. State Department Reward Program, and Source: TechCrunchUrl: https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/Date Accessed: 2023-10-05, and Source: Google Blog PostUrl: https://blog.google/threat-analysis-group/clop-oracle-zero-day/Date Accessed: 2023-10-05, and Source: Oracle Security AdvisoryUrl: https://www.oracle.com/security-alerts/Date Accessed: 2023-10-05, and Source: American Hospital Association (AHA) Cybersecurity and Risk WebpageUrl: https://www.aha.org/cybersecurity, and Source: FBI Warning on Oracle E-Business Suite Vulnerability, and Source: AHA and Microsoft Rural Health Resiliency Program, and Source: SecurityAffairsUrl: https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.htmlDate Accessed: 2025-10-14, and Source: Oracle Security Alert AdvisoryDate Accessed: 2025-10-14, and Source: Google Threat Intelligence & Mandiant AnalysisDate Accessed: 2025-10-03, and Source: CrowdStrike Report on CVE-2025-61882 ExploitationDate Accessed: 2025-10-03, and Source: CyberScoop (via The Washington Post)Date Accessed: 2025-11-14, and Source: THE RAVEN FILE Security Researchers, and Source: Clop Ransomware Dark Web Leak Site, and Source: Oracle Security Alert (October 2025), and Source: THE RAVEN FILE (Security Research), and Source: Clop Dark Web Leak Site, and Source: Oracle Security Advisory (CVE-2025-61882).

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Customer Advisory, Letter To Users, Criticized For Lack Of Transparency, Private letters to customers, Outright Denial, Potentially Misleading Statements, Accusations Of Deleting Evidence Online, Customer Advisories About Impersonation Attempts, Industry-Wide Alerts, Public Warning Via Cybersecurity Firms (Mandiant, Gtig), Media Outreach (Recorded Future News), public disclosure via media (TechCrunch, Bloomberg); anonymous reporting channel for affected executives, Public Advisory, Linkedin Post By Oracle Cso, Mandiant Technical Alert, Route Extortion Emails Via Security And Legal Channels, Pre-Draft Customer And Regulator Communications, Public Security Advisory By Oracle Cso Rob Duhart, Linkedin Post By Google Mandiant Cto Charles Carmakal, Oracle Customer Advisory, Public Disclosure Of Poc Risks, Public Advisory By Oracle, Blog Post By Google, Media Statements, Aha Advisories With Federal Law Enforcement Input, Public Awareness Campaigns (E.G., Cybersecurity Awareness Month), Public Security Advisories and Direct Customer Notifications.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems., Private letters to customers, Warn Customers About Impersonation Attempts, Share Indicators Of Compromise (Iocs) With Industry Peers, Avoid Clicking On Sponsored Search Ads For Hospitality Services, Verify Urls Before Entering Credentials, Report Suspicious Login Pages, , Recommended: Investigate Oracle E-Business Suite for compromise, Mandiant/Gtig Warning To Corporate Executives, executives at affected organizations advised to report extortion attempts securely, Oracle and Mandiant have issued public advisories urging immediate action., Customers advised to patch and investigate potential compromise., Cfos And Cisos Advised To Prioritize Patching And Hardening Ebs Environments, Oracle Urged Customers To Apply July 2025 Cpu And Review Security Controls, , Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails, Patch Installation Guidance, Iocs For Detecting Compromise, , Oracle Urgent Patching Advisory, Crowdstrike Threat Assessment, Extortion Emails From Clop To Executives, , Oracle and Google have issued advisories with technical details for detection and mitigation., Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity., AHA provides timely alerts and advisories to member hospitals and health systems, incorporating input from federal law enforcement and AHA cybersecurity experts (John Riggi and Scott Gee)., Patients and the public are advised to stay informed about potential disruptions to healthcare services and to report suspicious activities. Hospitals are encouraged to communicate transparently with patients about cybersecurity measures and any impacts on care delivery., Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails, Apply Emergency Patches For Cve-2025-61884 And Cve-2025-61882, Monitor For Suspicious Activity, , Extortion Emails Sent To Victims Via Support@Pubstorm[.]Com and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Cloudsek, Trustwave Spiderlabs, , Okta Threat Intelligence (Analysis By Moussa Diallo), , Real-Time Tracking Of Typosquatted Domains, Beaconing Detection, , Mandiant (Google Cloud), Gtig, , Recommended (for unusual access), Mandiant (Google Cloud), Google Threat Intelligence Group (Gtig), , Mandiant (Google’S Incident Response Unit), Halcyon (Counter-Ransomware Firm), , Mandiant (Google Cloud), , Recommended for customers to detect prior compromise, Monitor Erp Integration Points For Anomalies, , Google Mandiant (Investigation And Advisory), , Crowdstrike (Detection And Analysis), Mandiant (Investigation), Google Threat Intelligence Group (Gtig), , Recommended For Oracle Ebs Environments, , Google Security Researchers, , Recommended (Google Provided Indicators for Detection), Aha’S Preferred Cybersecurity Provider Program, Microsoft (Via Rural Health Resiliency Program), , Google Threat Intelligence, Mandiant, Crowdstrike, , Recommended (Oracle Advised Customers to Monitor for Exploitation Attempts), Security Researchers (The Raven File), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Password Reset, Malware Removal, , Replace Sms/Email-Based Mfa With Phishing-Resistant Alternatives., Proactively Register Defensive Domains To Prevent Typosquatting., Enhance Threat Intelligence Sharing Within The Hospitality Sector., Deploy Solutions To Detect And Block Malicious Ads In Search Results., , Emergency Patch Release By Oracle., Public Disclosure And Customer Advisories., Collaboration With Mandiant For Threat Intelligence Sharing., , Immediate Patching And Hardening Of Ebs Environments., Enhanced Monitoring Of Third-Party Integrations And Privileged Access., Proactive Tabletop Exercises To Improve Incident Response Readiness., , Patch Deployment, Customer Advisory For Ioc Monitoring, , Apply Oracle’S Security Patch For Cve-2025-61882., Implement Network Segmentation For Ebs Environments., Deploy Behavioral Detection For Rce Attempts (E.G., Crowdstrike Falcon)., Conduct Threat Hunting For Signs Of Clop Or Graceful Spider Activity., , Oracle Released Emergency Patches And Advisories, Google Shared Detection Indicators For Affected Organizations, Recommended Enhanced Monitoring For Extortion Emails And Unusual Data Access, , Mandatory Patch Management Protocols For Critical Software, Enhanced Collaboration Between Healthcare Providers, Government Agencies, And Cybersecurity Firms, Expanded Access To Cybersecurity Training And Resources For Under-Resourced Organizations, Development Of Offensive Cyber Capabilities To Disrupt Adversaries Proactively, , Oracle Released Out-Of-Band Patches, Customers Advised To Apply Patches And Monitor Systems, Enhanced Threat Intelligence Sharing (E.G., Poc Disclosure As Ioc), , Patch Deployment (October 2025), Infrastructure Monitoring For 96 Linked Ips (41 Subnets Reused From Moveit), .

Last Ransom Demanded: The amount of the last ransom demanded was $50 million (in at least one case).

Last Attacking Group: The attacking group in the last incident were an Russian Cybercrime Group, rose87168, 'rose87168', Rose87168, rose87168, Unauthorized Individual, Russian-speaking cybercriminalsunknown APT/group (potential initial access brokers), FIN11 (suspected)Clop Ransomware Gang (potential link), Clop (FIN11)Potentially Impersonating Clop, Clop ransomware gang, Cl0p Ransomware GroupScattered LAPSUS$ Hunters, Clop (hacking group linked to ransomware and extortion), Clop Ransomware GangGRACEFUL SPIDER (moderate confidence), Clop Ransomware/Extortion Gang, Sophisticated CybercriminalsNation-State Sponsored Actors, Cl0p Ransomware Group (Graceful Spider)FIN11Potential involvement of Scattered Spider, Slippy Spider (Lapsus$), ShinyHunters, Clop ransomware group, Clop Ransomware Gang (Graceful Spider), Name: ['Clop Ransomware Gang', 'Graceful Spider']Origin: Russian-linkedConfirmed Victims: 1025Ransom Extracted: $500 million (since 2019)Associated Infrastructure: {'ip_addresses': 96, 'reused_ips_from_moveit': 41, 'geographic_distribution': [{'country': 'Germany', 'ip_count': 16}, {'country': 'Brazil', 'ip_count': 13}, {'country': 'Panama', 'ip_count': 12}] and 'service_providers': ['Russian-based']}.

Most Recent Incident Detected: The most recent incident detected was on 2013-07-10.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-10.

Most Significant Data Compromised: The most significant data compromised in an incident were Credit Card Payment Information, , Payment Card Data, , SSO passwords, Java Keystore files, Key files, JPS keys, , JKS files, Encrypted SSO passwords, Key files, JPS keys, , Electronic Health Records (EHR), , SSO credentials, LDAP passwords, OAuth2 keys, , Personal Information, usernames, email addresses, hashed passwords, SSO credentials, LDAP credentials, JKS files, Enterprise Manager JPS keys, , User Emails, Hashed Passwords, Usernames, , Names, Social Security Numbers, , guest personal information, payment data, booking system credentials, operational data, , Potentially Finance, HR, and Supply Chain Data (Oracle E-Business Suite), , customer databases, employee information, human resources files, , Large amounts of data (exact scope undisclosed), Personal information of corporate executives, Customer data, Employee HR files, , Sensitive Documents, Potentially PII or Corporate Data, , Corporate Executive Data, Customer Data, Employee HR Files, Sensitive Corporate Data, , , Sensitive Resources, Potential Oracle E-Business Suite Data (as claimed in extortion emails), , , Financial Records, Personal Records, ERP Data, , Internal Corporate Data, Customer Information, Financial Records, Personal Data and .

Most Significant System Affected: The most significant system affected in an incident was MICROS Point-of-Sale Systems and MICROS Point-of-Sale Systems and and Legacy Servers and legacy Cerner data migration servers and Login ServersLegacy Cerner Data and Gen 1 serverslegacy systems and Oracle Cloud Classic Servers and cloud-based property management systemsguest messaging platformsauthentication systems and Oracle E-Business Suite (potential) and Oracle E-Business Suite and Oracle E-Business Suite web-portals and and Oracle E-Business Suite (EBS) and Oracle E-Business Suite and Oracle E-Business Suite (EBS) with unpatched BI Publisher Integration and Oracle E-Business Suite and and Oracle E-Business Suite (Versions 12.2.3–12.2.14)Runtime UI ComponentBI Publisher IntegrationConcurrent Processing Component and Oracle E-Business Suite (Versions 12.2.3–12.2.14)Internal Corporate Systems and Oracle E-Business Suite (EBS) ServersEnterprise Resource Planning (ERP) Systems.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was cloudsek, trustwave spiderlabs, , okta threat intelligence (analysis by moussa diallo), , mandiant (google cloud), gtig, , mandiant (google cloud), google threat intelligence group (gtig), , mandiant (google’s incident response unit), halcyon (counter-ransomware firm), , mandiant (google cloud), , google mandiant (investigation and advisory), , crowdstrike (detection and analysis), mandiant (investigation), google threat intelligence group (gtig), , google security researchers, , aha’s preferred cybersecurity provider program, microsoft (via rural health resiliency program), , google threat intelligence, mandiant, crowdstrike, , security researchers (the raven file), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Password Change Recommendation, Password Reset, monitoring for suspicious domain registrationsblocking known malicious domains, Emergency Patch Release (CVE-2025-61882)Advisory for Customer Mitigation, patch verification (July 2025 CPU)rotate SSO tokensenforce MFA on EBS admin/service accountsreview privileged roles and recent admin logins for anomalies, Patch release (CVE-2025-61882)Indicators of Compromise (IoCs) shared with customers, Patching CVE-2025-61882Disabling Exposed EBS Components, Immediate Software Patch Installation (Oracle’s E-Business Suite)Long-Term Cyber Incident Response Planning and Emergency Patching (CVE-2025-61884 & CVE-2025-61882)Urgent Advisory for Customers to Apply Updates.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Sensitive Corporate Data, Hashed Passwords, Personal information of corporate executives, Customer Data, Potentially Finance, HR, and Supply Chain Data (Oracle E-Business Suite), SSO credentials, Financial Records, Corporate Executive Data, LDAP credentials, Names, Personal Data, Social Security Numbers, Sensitive Resources, LDAP passwords, Encrypted SSO passwords, ERP Data, Employee HR Files, usernames, Internal Corporate Data, Enterprise Manager JPS keys, hashed passwords, Customer data, JKS files, payment data, human resources files, Potential Oracle E-Business Suite Data (as claimed in extortion emails), Key files, employee information, booking system credentials, Large amounts of data (exact scope undisclosed), JPS keys, Electronic Health Records (EHR), Usernames, email addresses, User Emails, Potentially PII or Corporate Data, Personal Records, Credit Card Payment Information, Payment Card Data, Sensitive Documents, customer databases, SSO passwords, Employee HR files, operational data, OAuth2 keys, Personal Information, guest personal information, Java Keystore files and Customer Information.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 18.0M.

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Potential for Mass Extortion Campaigns Leveraging Stolen Credentials.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Enforce MFA and rotate credentials for EBS admin/service accounts., Educate employees and customers about malvertising and phishing risks., Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Restrict internet exposure of EBS applications and enforce authentication controls., Install Oracle's patch for CVE-2025-61882 immediately, Strengthen Public-Private Partnerships to Share Threat Intelligence and Best Practices, Enhance security for executive personal data, Deploy behavioral analytics to detect beaconing and tracking scripts., Monitor for suspicious domain registrations (e.g., typosquatting)., Investigate Oracle E-Business Suite environments for unusual access or compromise, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Immediately patch Oracle E-Business Suite to the latest version., Enhance logging and network segmentation for Oracle EBS environments., Participate in Free or Discounted Cybersecurity Assessments (e.g., Microsoft’s Rural Health Resiliency Program), Review third-party vulnerability disclosures for proactive patching, Collaborate with threat intelligence providers (e.g., Okta) for IOCs., Monitor networks for indicators of compromise (IoCs) provided by Google., Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Implement adaptive risk assessments to detect anomalous access patterns., Monitor for signs of data exfiltration, especially via BI Publisher components., Segment networks to limit lateral movement, Review Mandiant's advisory for additional mitigation strategies., Monitor systems for Indicators of Compromise (IoCs) provided by Oracle, Assess potential links to FIN11/Clop ransomware activity, Apply Oracle Security Alerts and Critical Patch Updates Immediately, Monitor integration logs for anomalies or unauthorized access attempts., Monitor for high-volume extortion email campaigns from compromised accounts, Implement Multi-Factor Authentication (MFA) for Oracle EBS, Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Implement multi-factor authentication (MFA) for all critical systems., Invest in Training and Certifications for IT Staff, Particularly in Rural Healthcare Settings, Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs), Preserve extortion email artifacts for forensic analysis., Install Immediate Patches for Oracle’s E-Business Suite and Other Critical Systems, Enhance Security Measures, Conduct forensic investigations to detect signs of prior exploitation., Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection., Conduct a thorough review of privileged roles and recent logins., Inventory and re-authorize all third-party integrations with EBS., Immediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Run ERP-compromise tabletop exercises to test response readiness., Implement behavioral analysis for XSLT injection attempts, Restrict access to property management systems with zero-trust principles., Apply the July 2025 Oracle Critical Patch Update immediately., Review and Secure Default Password Reset Mechanisms, Develop and Maintain a Comprehensive Cyber Incident Response Plan, Change Passwords, Enhance authentication mechanisms for OA_HTML endpoints, Conduct regular security audits for enterprise software., Immediately apply Oracle's emergency patch for CVE-2025-61882., Leverage AHA’s Cybersecurity Resources, Including Preferred Provider Programs and Advisory Services, Advocate for Federal and Allied Nation Interventions to Deter Cyber Adversaries, Plan for Clinical Continuity During Cyber Disruptions, Educate employees about phishing and extortion email tactics. and Segment Networks to Limit Lateral Movement.

Most Recent Source: The most recent source of information about an incident are FBI Warning on Oracle E-Business Suite Vulnerability, U.S. State Department Reward Program, Oracle Security Advisory (CVE-2025-61882), SecurityAffairs, Clop Ransomware Dark Web Leak Site, Clop Dark Web Leak Site, TechCrunch, Google Threat Analysis Group (TAG), Google Mandiant (Charles Carmakal, CTO) - LinkedIn Post, Mandiant (Google Cloud) Alert on Cl0p Campaign, Okta Threat Intelligence (contributor: Moussa Diallo), CrowdStrike Report on CVE-2025-61882 Exploitation, Google Blog Post, Oracle Security Advisory, California Office of the Attorney General, THE RAVEN FILE (Security Research), LinkedIn Post by Charles Carmakal (Mandiant CTO), Oracle Security Advisory (Rob Duhart, CSO), BleepingComputer Article, Oracle Security Advisory (July 2025 CPU), Recorded Future News, Emsisoft (MOVEit Impact Report), THE RAVEN FILE Security Researchers, Oracle Security Alert (October 2025), Security Researchers at CloudSEK and Trustwave SpiderLabs, U.S. State Department Rewards for Justice Program (Clop), watchTowr Labs (PoC Analysis), CrowdStrike Blog, Oracle Security Alert (CVE-2025-61882), AHA and Microsoft Rural Health Resiliency Program, CISA Advisory (January 2023 Oracle Incident), Cyber Incident Description, Oracle Security Alert Advisory, CyberScoop (via The Washington Post), Reuters, BleepingComputer, Mandiant (Google Cloud) & GTIG Analysis, Mandiant/GTIG Warning, Google Threat Intelligence & Mandiant Analysis, Bloomberg and American Hospital Association (AHA) Cybersecurity and Risk Webpage.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.state.gov/rewards-for-justice-program/, https://www.cisa.gov/, https://techcrunch.com, https://bloomberg.com, https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/, https://blog.google/threat-analysis-group/clop-oracle-zero-day/, https://www.oracle.com/security-alerts/, https://www.aha.org/cybersecurity, https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.html .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was warn customers about impersonation attempts, share indicators of compromise (IOCs) with industry peers, Mandiant/GTIG Warning to Corporate Executives, executives at affected organizations advised to report extortion attempts securely, Oracle and Mandiant have issued public advisories urging immediate action., CFOs and CISOs advised to prioritize patching and hardening EBS environments, Oracle customers urged to patch immediately, Executives warned about extortion emails, Oracle Urgent Patching Advisory, CrowdStrike Threat Assessment, Oracle and Google have issued advisories with technical details for detection and mitigation., AHA provides timely alerts and advisories to member hospitals and health systems, incorporating input from federal law enforcement and AHA cybersecurity experts (John Riggi and Scott Gee)., Oracle Customers Urged to Patch Immediately, Executives Warned About Extortion Emails, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems., Private letters to customers, avoid clicking on sponsored search ads for hospitality servicesverify URLs before entering credentialsreport suspicious login pages, Recommended: Investigate Oracle E-Business Suite for compromise, Customers advised to patch and investigate potential compromise., Oracle urged customers to apply July 2025 CPU and review security controls, Patch installation guidanceIoCs for detecting compromise, Extortion Emails from Clop to Executives, Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity., Patients and the public are advised to stay informed about potential disruptions to healthcare services and to report suspicious activities. Hospitals are encouraged to communicate transparently with patients about cybersecurity measures and any impacts on care delivery., Apply Emergency Patches for CVE-2025-61884 and CVE-2025-61882Monitor for Suspicious Activity and Extortion emails sent to victims via support@pubstorm[.]com.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Oracle E-Business Suite Concurrent Processing Component (via HTTP), Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required), Compromised Email Accounts, CVE-2021-35587, CVE-2025-61882 (Oracle E-Business Suite zero-day), OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection), Oracle E-Business Suite zero-day exploit and Exploitation of Unpatched Vulnerability in Oracle’s E-Business Suite.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Likely conducted prior to August 2025 (exploitation began in August), Potentially since early August 2025 (zero-day exploitation), Since at least 2023-07-10, Potentially Began on 2025-07-10 (Prior to July Patches), Observed as early as June 2025, active exploitation from August 2025, Likely conducted prior to August 2025 (exploitation start date).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Weak Password ManagementCredential Theft, Vulnerable software version, compromised subdomain, Over-reliance on traditional MFA methods vulnerable to real-time phishing.Lack of visibility into malvertising campaigns targeting brand impersonation.Insufficient monitoring for typosquatted domains and beaconing activity., exploitation of zero-day vulnerabilities in Oracle E-Business Suiteabuse of default password-reset functionalitycompromised email accounts used for phishing, Zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite.Lack of authentication requirements for exploitation.High-volume email campaign leveraging compromised accounts (per Mandiant)., Potential exploitation of unpatched vulnerabilities in Oracle EBS.Targeted phishing/extortion emails leveraging executive pressure., Zero-day vulnerability (CVE-2025-61882) in Oracle E-Business SuiteInsufficient proactive patching for prior vulnerabilities (July 2025 patches bypassed), Unpatched Oracle EBS vulnerability (CVE-2025-61882)Internet-exposed EBS applications without authentication safeguardsDelayed patching despite active exploitation, Unpatched Zero-Day Vulnerability in Oracle E-Business SuiteInadequate Initial Response by Oracle (Premature Claim of Patch Effectiveness)Lack of Network Segmentation or Access Controls to Limit Exploitation, Unpatched Critical Vulnerability in Oracle’s E-Business SuiteInsufficient Cybersecurity Resources in Some Healthcare Organizations (e.g., Rural Hospitals)Sophisticated and Evolving Tactics by Cybercriminals and Nation-State Actors, Unpatched Vulnerabilities in Oracle E-Business SuiteLack of Authentication for Remote ExploitationPotential Weaknesses in Default Password Reset MechanismsDelayed Patch Deployment by Some Customers, Zero-Day Exploit (CVE-2025-61882)Delayed Patch Release (exploited for months pre-patch)Reused Attack Infrastructure from MOVEit (CVE-2023-34362), Unpatched zero-day vulnerability (CVE-2025-61882) in Oracle EBSLack of pre-authentication protections for SyncServlet endpointReuse of attack infrastructure from prior campaigns (e.g., MOVEit CVE-2023-34362).

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Password ResetMalware Removal, Replace SMS/email-based MFA with phishing-resistant alternatives.Proactively register defensive domains to prevent typosquatting.Enhance threat intelligence sharing within the hospitality sector.Deploy solutions to detect and block malicious ads in search results., Emergency patch release by Oracle.Public disclosure and customer advisories.Collaboration with Mandiant for threat intelligence sharing., Immediate patching and hardening of EBS environments.Enhanced monitoring of third-party integrations and privileged access.Proactive tabletop exercises to improve incident response readiness., Patch deploymentCustomer advisory for IoC monitoring, Apply Oracle’s security patch for CVE-2025-61882.Implement network segmentation for EBS environments.Deploy behavioral detection for RCE attempts (e.g., CrowdStrike Falcon).Conduct threat hunting for signs of Clop or GRACEFUL SPIDER activity., Oracle Released Emergency Patches and AdvisoriesGoogle Shared Detection Indicators for Affected OrganizationsRecommended Enhanced Monitoring for Extortion Emails and Unusual Data Access, Mandatory Patch Management Protocols for Critical SoftwareEnhanced Collaboration Between Healthcare Providers, Government Agencies, and Cybersecurity FirmsExpanded Access to Cybersecurity Training and Resources for Under-Resourced OrganizationsDevelopment of Offensive Cyber Capabilities to Disrupt Adversaries Proactively, Oracle Released Out-of-Band PatchesCustomers Advised to Apply Patches and Monitor SystemsEnhanced Threat Intelligence Sharing (e.g., POC Disclosure as IOC), Patch deployment (October 2025)Infrastructure monitoring for 96 linked IPs (41 subnets reused from MOVEit).