Incident Types: The types of cybersecurity incidents that have occurred include Cyber Attack, Vulnerability, Breach and Ransomware.

Detection and Response: The company detects and responds to cybersecurity incidents through an containment measures with password change recommendation, and communication strategy with customer advisory, and communication strategy with criticized for lack of transparency, and communication strategy with private letters to customers, and communication strategy with outright denial, communication strategy with potentially misleading statements, communication strategy with accusations of deleting evidence online, and remediation measures with informed clients, remediation measures with bolstered gen 1 server security, and law enforcement notified with yes (california office of the attorney general), and third party assistance with okta threat intelligence (analysis by moussa diallo), and containment measures with monitoring for suspicious domain registrations, containment measures with blocking known malicious domains, and remediation measures with implementation of phishing-resistant authentication (e.g., passkeys, fido2 webauthn), remediation measures with adaptive risk assessments for unusual access patterns, and communication strategy with customer advisories about impersonation attempts, communication strategy with industry-wide alerts, and enhanced monitoring with real-time tracking of typosquatted domains, enhanced monitoring with beaconing detection, and incident response plan activated with recommended (investigate oracle e-business suite environments), and third party assistance with mandiant (google cloud), third party assistance with gtig, and enhanced monitoring with recommended (for unusual access), and and third party assistance with mandiant (google cloud), third party assistance with google threat intelligence group (gtig), and communication strategy with public warning via cybersecurity firms (mandiant, gtig), communication strategy with media outreach (recorded future news), and and third party assistance with mandiant (google cloud), and containment measures with emergency patch release (cve-2025-61882), containment measures with advisory for customer mitigation, and remediation measures with patch application, remediation measures with investigation into potential prior compromise, and communication strategy with public advisory, communication strategy with linkedin post by oracle cso, communication strategy with mandiant technical alert, and enhanced monitoring with recommended for customers to detect prior compromise, and incident response plan activated with yes (oracle released patch and urged immediate installation), and third party assistance with google mandiant (investigation and advisory), and containment measures with patch release (cve-2025-61882), containment measures with indicators of compromise (iocs) shared with customers, and remediation measures with urgent patch installation recommended for all customers, and communication strategy with public security advisory by oracle cso rob duhart, communication strategy with linkedin post by google mandiant cto charles carmakal, and incident response plan activated with oracle security alert (urgent patching advisory), and third party assistance with crowdstrike (detection and analysis), third party assistance with mandiant (investigation), third party assistance with google threat intelligence group (gtig), and containment measures with patching cve-2025-61882, containment measures with disabling exposed ebs components, and communication strategy with oracle customer advisory, communication strategy with public disclosure of poc risks, and enhanced monitoring with recommended for oracle ebs environments, and incident response plan activated with yes (google and oracle), and third party assistance with google security researchers, and remediation measures with oracle security advisory issued, remediation measures with technical indicators shared by google for detection, and communication strategy with public advisory by oracle, communication strategy with blog post by google, communication strategy with media statements, and enhanced monitoring with recommended (google provided indicators for detection), and third party assistance with aha’s preferred cybersecurity provider program, third party assistance with microsoft (via rural health resiliency program), and and containment measures with immediate software patch installation (oracle’s e-business suite), containment measures with long-term cyber incident response planning, and remediation measures with cybersecurity assessments, remediation measures with cloud capability evaluations, remediation measures with curated cyber and ai training, remediation measures with foundational cyber certifications for it staff, and communication strategy with aha advisories with federal law enforcement input, communication strategy with public awareness campaigns (e.g., cybersecurity awareness month), and incident response plan activated with yes (oracle released emergency security alerts and patches), and third party assistance with google threat intelligence, third party assistance with mandiant, third party assistance with crowdstrike, and containment measures with emergency patching (cve-2025-61884 & cve-2025-61882), containment measures with urgent advisory for customers to apply updates, and remediation measures with patch deployment, remediation measures with mitigation guidance for unpatched systems, and communication strategy with public security advisories, communication strategy with direct customer notifications, and enhanced monitoring with recommended (oracle advised customers to monitor for exploitation attempts), and remediation measures with patch released in october 2025 security alert, and third party assistance with security researchers (the raven file), and remediation measures with oracle released patch in october 2025, and remediation measures with oracle released a security patch for the exploited vulnerability, and communication strategy with data breach notification letters mailed to impacted individuals, and communication strategy with public disclosure on official website, sec filing, notification letters to affected individuals, and communication strategy with written notice to affected individuals on dec. 22, 2025..

Common Attack Types: The most common types of attacks the company has faced is Breach.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through CVE-2021-35587, malvertising (malicious search engine ads)typosquatted domains, Compromised Email Accounts, Compromised Email AccountsPotential Exploitation of Oracle E-Business Suite Vulnerabilities, Oracle E-Business Suite Concurrent Processing Component (via HTTP), CVE-2025-61882 (Oracle E-Business Suite zero-day), CVE-2025-61882 (Oracle EBS BI Publisher), Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required), Exploitation of Unpatched Vulnerability in Oracle’s E-Business Suite, Exploitation of Oracle EBS Vulnerabilities (CVE-2025-61882, CVE-2025-61884)Hacked User EmailsDefault Password Reset Mechanisms, OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection), Oracle E-Business Suite (EBS) SyncServlet endpoint, Phishing (duping school employees) and Oracle E-Business Suite (EBS) zero-day vulnerability (CVE-2025-61882).

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Credit Card Payment Information, , Sso Passwords, Java Keystore Files, Key Files, Jps Keys, , Jks Files, Encrypted Sso Passwords, Key Files, Jps Keys, , Electronic Health Records (Ehr), , Sensitive Customer Data, , Personal Information, Usernames, Email Addresses, Hashed Passwords, Sso Credentials, Ldap Credentials, Jks Files, Enterprise Manager Jps Keys, , Personally Identifiable Information (Pii), , Credentials (Usernames, Passwords), Pii (Email Addresses, Phone Numbers), Guest Data, Payment Information, Booking Details, , Potentially Finance, Hr, Supply Chain Data, Client Credentials (From January Incident), , Personal Information (Executives), Customer Data, Employee Hr Files, , Sensitive Corporate Documents, Potentially Pii, , Personally Identifiable Information (Pii) Of Executives, Customer Data, Employee Hr Files, Corporate Sensitive Data, , Patient Personal Data, Potentially Sensitive Healthcare Information, , Sensitive Resources, Potentially Oracle Ebs Data (As Per Extortion Claims), , Financial Records, Personal Records, Erp Data, , Corporate Internal Data, Customer Information, Financial Records, Personal Data, , Personal Information, Donor Data, Student Information, , Name, Social Security Number, Date Of Birth, Financial Account Number, Payment Card Number (Without Cvv), National Id Number, , Personal Information, Financial Information, , Names, Dates Of Birth, Social Security Numbers, Bank Account Numbers, Bank Routing Numbers and .

Incident Response Plan: The company's incident response plan is described as Recommended (investigate Oracle E-Business Suite environments), , , Yes (Oracle released patch and urged immediate installation), Oracle Security Alert (Urgent Patching Advisory), , Yes (Google and Oracle), Yes (Oracle Released Emergency Security Alerts and Patches).

Third-Party Assistance: The company involves third-party assistance in incident response through Okta Threat Intelligence (analysis by Moussa Diallo), , Mandiant (Google Cloud), GTIG, , Mandiant (Google Cloud), Google Threat Intelligence Group (GTIG), , Mandiant (Google Cloud), , Google Mandiant (investigation and advisory), , CrowdStrike (Detection and Analysis), Mandiant (Investigation), Google Threat Intelligence Group (GTIG), , Google Security Researchers, , AHA’s Preferred Cybersecurity Provider Program, Microsoft (via Rural Health Resiliency Program), , Google Threat Intelligence, Mandiant, CrowdStrike, , Security researchers (THE RAVEN FILE), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Informed clients, Bolstered Gen 1 server security, , implementation of phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn), adaptive risk assessments for unusual access patterns, , Patch Application, Investigation into Potential Prior Compromise, , Urgent patch installation recommended for all customers, , Oracle Security Advisory Issued, Technical Indicators Shared by Google for Detection, , Cybersecurity Assessments, Cloud Capability Evaluations, Curated Cyber and AI Training, Foundational Cyber Certifications for IT Staff, , Patch Deployment, Mitigation Guidance for Unpatched Systems, , Patch released in October 2025 Security Alert, , Oracle released patch in October 2025, , Oracle released a security patch for the exploited vulnerability.

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by password change recommendation, , monitoring for suspicious domain registrations, blocking known malicious domains, , emergency patch release (cve-2025-61882), advisory for customer mitigation, , patch release (cve-2025-61882), indicators of compromise (iocs) shared with customers, , patching cve-2025-61882, disabling exposed ebs components, , immediate software patch installation (oracle’s e-business suite), long-term cyber incident response planning, , emergency patching (cve-2025-61884 & cve-2025-61882), urgent advisory for customers to apply updates and .

Key Lessons Learned: The key lessons learned from past incidents are Malvertising is an effective initial access vector for targeted phishing campaigns.,MFA bypass techniques (e.g., real-time OTP capture) undermine traditional authentication methods.,Typosquatted domains and convincing phishing pages can evade user scrutiny.,Russian-speaking threat actors continue to leverage proxy infrastructure for anonymity.,Hospitality industry is a high-value target due to sensitive guest data and payment systems.Zero-day vulnerabilities in widely used enterprise software like Oracle E-Business Suite can lead to rapid, high-impact exploitation by multiple threat actors. Organizations must prioritize patch management and assume breach scenarios even after patching, given the likelihood of prior compromise during mass exploitation campaigns.Zero-day vulnerabilities in enterprise software like Oracle EBS are high-value targets for ransomware groups.,Public PoC disclosures accelerate exploitation by multiple threat actors.,Proactive patching and exposure management are critical for mitigating RCE risks.Zero-day vulnerabilities in widely used enterprise software can lead to large-scale data breaches. Proactive patch management and monitoring for unusual network activity are critical. Vendors must ensure transparent communication during ongoing incidents to avoid misinformation.The incident underscores the critical need for timely patch management, robust cybersecurity defenses, and collaboration between healthcare providers, government agencies, and private-sector partners. Under-resourced organizations, such as rural hospitals, require additional support to mitigate cyber risks effectively. A proactive, whole-of-government approach—including offensive cyber capabilities and threat intelligence sharing—is essential to disrupt adversaries before attacks occur.Critical Importance of Timely Patching for Public-Facing Applications,Risks of Zero-Day Exploitation in Enterprise Software,Need for Enhanced Monitoring of Oracle EBS Instances,Potential for Mass Extortion Campaigns Leveraging Stolen Credentials.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Monitor networks for indicators of compromise (IoCs) provided by Google., Review and Secure Default Password Reset Mechanisms, Investigate Oracle E-Business Suite environments for unusual access or compromise, Implement Multi-Factor Authentication (MFA) for Oracle EBS, Educate employees about phishing and extortion email tactics., Assess potential links to FIN11/Clop ransomware activity, Conduct regular security audits for enterprise software., Enhance logging and network segmentation for Oracle EBS environments., Review Mandiant's advisory for additional mitigation strategies., Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Immediately apply Oracle's emergency patch for CVE-2025-61882., Segment Networks to Limit Lateral Movement, Immediately patch Oracle E-Business Suite to the latest version., Implement multi-factor authentication (MFA) for all critical systems., Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs), Monitor for high-volume extortion email campaigns from compromised accounts, Conduct forensic investigations to detect signs of prior exploitation. and Apply Oracle Security Alerts and Critical Patch Updates Immediately.

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Cyber Incident Description, and Source: California Office of the Attorney General, and Source: Okta Threat Intelligence (contributor: Moussa Diallo), and Source: BleepingComputer, and Source: Mandiant (Google Cloud) & GTIG Analysis, and Source: U.S. State Department Rewards for Justice Program (Clop)Url: https://www.state.gov/rewards-for-justice-program/, and Source: Recorded Future NewsDate Accessed: 2023-10-04, and Source: Mandiant/GTIG WarningDate Accessed: 2023-10-04, and Source: CISA Advisory (January 2023 Oracle Incident)Url: https://www.cisa.gov/, and Source: Emsisoft (MOVEit Impact Report), and Source: Oracle Security AdvisoryDate Accessed: 2025-08, and Source: Mandiant (Google Cloud) Alert on Cl0p CampaignDate Accessed: 2025-08, and Source: LinkedIn Post by Charles Carmakal (Mandiant CTO)Date Accessed: 2025-08, and Source: Oracle Security Advisory (Rob Duhart, CSO)Date Accessed: 2025-10-02, and Source: Google Mandiant (Charles Carmakal, CTO) - LinkedIn PostDate Accessed: 2025-10-02, and Source: CrowdStrike BlogDate Accessed: 2025-10-07, and Source: BleepingComputer ArticleDate Accessed: 2025-10-06, and Source: Oracle Security Alert (CVE-2025-61882)Date Accessed: 2025-10-05, and Source: watchTowr Labs (PoC Analysis)Date Accessed: 2025-05-01, and Source: U.S. State Department Reward Program, and Source: TechCrunchUrl: https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/Date Accessed: 2023-10-05, and Source: Google Blog PostUrl: https://blog.google/threat-analysis-group/clop-oracle-zero-day/Date Accessed: 2023-10-05, and Source: Oracle Security AdvisoryUrl: https://www.oracle.com/security-alerts/Date Accessed: 2023-10-05, and Source: American Hospital Association (AHA) Cybersecurity and Risk WebpageUrl: https://www.aha.org/cybersecurity, and Source: FBI Warning on Oracle E-Business Suite Vulnerability, and Source: AHA and Microsoft Rural Health Resiliency Program, and Source: SecurityAffairsUrl: https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.htmlDate Accessed: 2025-10-14, and Source: Oracle Security Alert AdvisoryDate Accessed: 2025-10-14, and Source: Google Threat Intelligence & Mandiant AnalysisDate Accessed: 2025-10-03, and Source: CrowdStrike Report on CVE-2025-61882 ExploitationDate Accessed: 2025-10-03, and Source: THE RAVEN FILE Security Researchers, and Source: Clop Ransomware Dark Web Leak Site, and Source: Oracle Security Alert (October 2025), and Source: THE RAVEN FILE (Security Research), and Source: Clop Dark Web Leak Site, and Source: Oracle Security Advisory (CVE-2025-61882), and Source: News Article, and Source: Attorney General of the Commonwealth of Massachusetts, and Source: BleepingComputer, and Source: University of Phoenix Official Website, and Source: SEC Filing (8-K), and Source: Shamis & Gentile P.A..

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Customer Advisory, Criticized For Lack Of Transparency, Private letters to customers, Outright Denial, Potentially Misleading Statements, Accusations Of Deleting Evidence Online, Customer Advisories About Impersonation Attempts, Industry-Wide Alerts, Public Warning Via Cybersecurity Firms (Mandiant, Gtig), Media Outreach (Recorded Future News), Public Advisory, Linkedin Post By Oracle Cso, Mandiant Technical Alert, Public Security Advisory By Oracle Cso Rob Duhart, Linkedin Post By Google Mandiant Cto Charles Carmakal, Oracle Customer Advisory, Public Disclosure Of Poc Risks, Public Advisory By Oracle, Blog Post By Google, Media Statements, Aha Advisories With Federal Law Enforcement Input, Public Awareness Campaigns (E.G., Cybersecurity Awareness Month), Public Security Advisories, Direct Customer Notifications, Data breach notification letters mailed to impacted individuals, Public disclosure on official website, SEC filing, notification letters to affected individuals, Written notice to affected individuals on Dec. 22 and 2025.

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems., Private letters to customers, Warn Customers About Impersonation Attempts, Share Indicators Of Compromise (Iocs) With Industry Peers, Avoid Clicking On Sponsored Search Ads For Hospitality Services, Verify Urls Before Entering Credentials, Report Suspicious Login Pages, , Recommended: Investigate Oracle E-Business Suite for compromise, Mandiant/Gtig Warning To Corporate Executives, Oracle and Mandiant have issued public advisories urging immediate action., Customers advised to patch and investigate potential compromise., Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails, Patch Installation Guidance, Iocs For Detecting Compromise, , Oracle Urgent Patching Advisory, Crowdstrike Threat Assessment, Extortion Emails From Clop To Executives, , Oracle and Google have issued advisories with technical details for detection and mitigation., Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity., AHA provides timely alerts and advisories to member hospitals and health systems, incorporating input from federal law enforcement and AHA cybersecurity experts (John Riggi and Scott Gee)., Patients and the public are advised to stay informed about potential disruptions to healthcare services and to report suspicious activities. Hospitals are encouraged to communicate transparently with patients about cybersecurity measures and any impacts on care delivery., Oracle Customers Urged To Patch Immediately, Executives Warned About Extortion Emails, Apply Emergency Patches For Cve-2025-61884 And Cve-2025-61882, Monitor For Suspicious Activity, , Extortion Emails Sent To Victims Via Support@Pubstorm[.]Com, , 24 months of complimentary credit monitoring services provided to affected individuals, Notification letters mailed to affected individuals, public disclosure on website, Free identity protection services offered (credit monitoring, identity theft recovery, dark web monitoring, $1 million fraud reimbursement policy), Affected individuals notified via written notice on Dec. 22 and 2025.

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Okta Threat Intelligence (Analysis By Moussa Diallo), , Real-Time Tracking Of Typosquatted Domains, Beaconing Detection, , Mandiant (Google Cloud), Gtig, , Recommended (for unusual access), Mandiant (Google Cloud), Google Threat Intelligence Group (Gtig), , Mandiant (Google Cloud), , Recommended for customers to detect prior compromise, Google Mandiant (Investigation And Advisory), , Crowdstrike (Detection And Analysis), Mandiant (Investigation), Google Threat Intelligence Group (Gtig), , Recommended For Oracle Ebs Environments, , Google Security Researchers, , Recommended (Google Provided Indicators for Detection), Aha’S Preferred Cybersecurity Provider Program, Microsoft (Via Rural Health Resiliency Program), , Google Threat Intelligence, Mandiant, Crowdstrike, , Recommended (Oracle Advised Customers to Monitor for Exploitation Attempts), Security Researchers (The Raven File), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Replace Sms/Email-Based Mfa With Phishing-Resistant Alternatives., Proactively Register Defensive Domains To Prevent Typosquatting., Enhance Threat Intelligence Sharing Within The Hospitality Sector., Deploy Solutions To Detect And Block Malicious Ads In Search Results., , Emergency Patch Release By Oracle., Public Disclosure And Customer Advisories., Collaboration With Mandiant For Threat Intelligence Sharing., , Patch Deployment, Customer Advisory For Ioc Monitoring, , Apply Oracle’S Security Patch For Cve-2025-61882., Implement Network Segmentation For Ebs Environments., Deploy Behavioral Detection For Rce Attempts (E.G., Crowdstrike Falcon)., Conduct Threat Hunting For Signs Of Clop Or Graceful Spider Activity., , Oracle Released Emergency Patches And Advisories, Google Shared Detection Indicators For Affected Organizations, Recommended Enhanced Monitoring For Extortion Emails And Unusual Data Access, , Mandatory Patch Management Protocols For Critical Software, Enhanced Collaboration Between Healthcare Providers, Government Agencies, And Cybersecurity Firms, Expanded Access To Cybersecurity Training And Resources For Under-Resourced Organizations, Development Of Offensive Cyber Capabilities To Disrupt Adversaries Proactively, , Oracle Released Out-Of-Band Patches, Customers Advised To Apply Patches And Monitor Systems, Enhanced Threat Intelligence Sharing (E.G., Poc Disclosure As Ioc), , Patch Deployment (October 2025), Infrastructure Monitoring For 96 Linked Ips (41 Subnets Reused From Moveit), .

Last Ransom Demanded: The amount of the last ransom demanded was Yes (extortion emails sent to executives).

Last Attacking Group: The attacking group in the last incident were an Russian Cybercrime Group, rose87168, 'rose87168', rose87168, Unauthorized Individual, Russian-speaking cybercriminalsunknown APT/group (potential initial access brokers), FIN11 (suspected)Clop Ransomware Gang (potential link), Clop (FIN11)Potentially Impersonating Clop, Cl0p Ransomware GroupScattered LAPSUS$ Hunters, Clop (hacking group linked to ransomware and extortion), Clop Ransomware GangGRACEFUL SPIDER (moderate confidence), Clop Ransomware/Extortion Gang, Sophisticated CybercriminalsNation-State Sponsored Actors, Cl0p Ransomware Group (Graceful Spider)FIN11Potential involvement of Scattered Spider, Slippy Spider (Lapsus$), ShinyHunters, Clop Ransomware Gang (Graceful Spider), Name: ['Clop Ransomware Gang', 'Graceful Spider']Origin: Russian-linkedConfirmed Victims: 1025Ransom Extracted: $500 million (since 2019)Associated Infrastructure: {'ip_addresses': 96, 'reused_ips_from_moveit': 41, 'geographic_distribution': [{'country': 'Germany', 'ip_count': 16}, {'country': 'Brazil', 'ip_count': 13}, {'country': 'Panama', 'ip_count': 12}], 'service_providers': ['Russian-based']}, Unauthorized third party, Clop ransomware gang and CL0P ransomware group.

Most Recent Incident Detected: The most recent incident detected was on 2013-07-10.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2025-12-21.

Most Significant Data Compromised: The most significant data compromised in an incident were Credit Card Payment Information, , SSO passwords, Java Keystore files, Key files, JPS keys, , JKS files, Encrypted SSO passwords, Key files, JPS keys, , Electronic Health Records (EHR), , Personal Information, usernames, email addresses, hashed passwords, SSO credentials, LDAP credentials, JKS files, Enterprise Manager JPS keys, , Names, Social Security Numbers, , guest personal information, payment data, booking system credentials, operational data, , Potentially Finance, HR, and Supply Chain Data (Oracle E-Business Suite), , Large amounts of data (exact scope undisclosed), Personal information of corporate executives, Customer data, Employee HR files, , Sensitive Documents, Potentially PII or Corporate Data, , Corporate Executive Data, Customer Data, Employee HR Files, Sensitive Corporate Data, , , Sensitive Resources, Potential Oracle E-Business Suite Data (as claimed in extortion emails), , Financial Records, Personal Records, ERP Data, , Internal Corporate Data, Customer Information, Financial Records, Personal Data, , Personal data of donors, students, and prominent individuals, Sensitive personal identifiable information, 3,489,274 records and Sensitive personally identifiable information.

Most Significant System Affected: The most significant system affected in an incident was MICROS Point-of-Sale Systems and and Legacy Servers and legacy Cerner data migration servers and Login ServersLegacy Cerner Data and Gen 1 serverslegacy systems and cloud-based property management systemsguest messaging platformsauthentication systems and Oracle E-Business Suite (potential) and Oracle E-Business Suite and and Oracle E-Business Suite and Oracle E-Business Suite (EBS) with unpatched BI Publisher Integration and Oracle E-Business Suite and and Oracle E-Business Suite (Versions 12.2.3–12.2.14)Runtime UI ComponentBI Publisher IntegrationConcurrent Processing Component and Oracle E-Business Suite (Versions 12.2.3–12.2.14)Internal Corporate Systems and Oracle E-Business Suite (EBS) ServersEnterprise Resource Planning (ERP) Systems and and and .

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was okta threat intelligence (analysis by moussa diallo), , mandiant (google cloud), gtig, , mandiant (google cloud), google threat intelligence group (gtig), , mandiant (google cloud), , google mandiant (investigation and advisory), , crowdstrike (detection and analysis), mandiant (investigation), google threat intelligence group (gtig), , google security researchers, , aha’s preferred cybersecurity provider program, microsoft (via rural health resiliency program), , google threat intelligence, mandiant, crowdstrike, , security researchers (the raven file), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Password Change Recommendation, monitoring for suspicious domain registrationsblocking known malicious domains, Emergency Patch Release (CVE-2025-61882)Advisory for Customer Mitigation, Patch release (CVE-2025-61882)Indicators of Compromise (IoCs) shared with customers, Patching CVE-2025-61882Disabling Exposed EBS Components, Immediate Software Patch Installation (Oracle’s E-Business Suite)Long-Term Cyber Incident Response Planning and Emergency Patching (CVE-2025-61884 & CVE-2025-61882)Urgent Advisory for Customers to Apply Updates.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Personal Information, JPS keys, Large amounts of data (exact scope undisclosed), Encrypted SSO passwords, guest personal information, Potentially PII or Corporate Data, Potential Oracle E-Business Suite Data (as claimed in extortion emails), Key files, email addresses, LDAP credentials, Personal Data, Sensitive personally identifiable information, Financial Records, 3,489,274 records, Employee HR Files, Customer Information, hashed passwords, Potentially Finance, HR, and Supply Chain Data (Oracle E-Business Suite), Customer Data, Employee HR files, Electronic Health Records (EHR), operational data, ERP Data, Personal data of donors, students, and prominent individuals, Personal Records, Credit Card Payment Information, Names, Internal Corporate Data, payment data, Enterprise Manager JPS keys, Sensitive personal identifiable information, Sensitive Resources, Corporate Executive Data, SSO credentials, usernames, Customer data, Sensitive Corporate Data, SSO passwords, Sensitive Documents, JKS files, booking system credentials, Java Keystore files, Personal information of corporate executives and Social Security Numbers.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 25.0M.

Highest Ransom Demanded: The highest ransom demanded in a ransomware incident was Extortion Emails Sent (Amount Unspecified).

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Potential for Mass Extortion Campaigns Leveraging Stolen Credentials.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Educate employees and customers about malvertising and phishing risks., Implement adaptive risk assessments to detect anomalous access patterns., Restrict access to property management systems with zero-trust principles., Develop and Maintain a Comprehensive Cyber Incident Response Plan, Monitor for indicators of compromise (IOCs) linked to Clop’s infrastructure (e.g., 96 IPs, support@pubstorm[.]com), Monitor networks for indicators of compromise (IoCs) provided by Google., Deploy behavioral analytics to detect beaconing and tracking scripts., Review and Secure Default Password Reset Mechanisms, Implement behavioral analysis for XSLT injection attempts, Change Passwords, Investigate Oracle E-Business Suite environments for unusual access or compromise, Participate in Free or Discounted Cybersecurity Assessments (e.g., Microsoft’s Rural Health Resiliency Program), Collaborate with threat intelligence providers (e.g., Okta) for IOCs., Restrict internet exposure of EBS applications and enforce authentication controls., Educate employees about phishing and extortion email tactics., Implement Multi-Factor Authentication (MFA) for Oracle EBS, Prepare for extortion attempts if using Oracle EBS, given Clop’s history of targeting such vulnerabilities., Assess potential links to FIN11/Clop ransomware activity, Advocate for Federal and Allied Nation Interventions to Deter Cyber Adversaries, Immediate patching of CVE-2025-61882 for Oracle EBS versions 12.2.3–12.2.14, Enhance authentication mechanisms for OA_HTML endpoints, Conduct regular security audits for enterprise software., Monitor for signs of data exfiltration, especially via BI Publisher components., Request a fraud alert or credit report from major credit bureaus, Enhance logging and network segmentation for Oracle EBS environments., Install Immediate Patches for Oracle’s E-Business Suite and Other Critical Systems, Review Mandiant's advisory for additional mitigation strategies., Install Oracle's patch for CVE-2025-61882 immediately, Seek legal help to understand rights and pursue compensation, Segment networks to limit lateral movement, Monitor for suspicious domain registrations (e.g., typosquatting)., Monitor for Signs of Exploitation (e.g., Unusual Database Activity, Extortion Emails), Monitor for IoCs, including the listed IP addresses (200.107.207[.]26, 185.181.60[.]11) and exploit artifacts., Strengthen Public-Private Partnerships to Share Threat Intelligence and Best Practices, Engage threat intelligence services (e.g., CrowdStrike, Mandiant) for proactive detection., Monitor financial statements for suspicious activity, Invest in Training and Certifications for IT Staff, Particularly in Rural Healthcare Settings, Immediately apply Oracle's emergency patch for CVE-2025-61882., Enhance security for executive personal data, Monitor systems for Indicators of Compromise (IoCs) provided by Oracle, Segment Networks to Limit Lateral Movement, Immediately patch CVE-2025-61882 in Oracle E-Business Suite environments., Adopt phishing-resistant authentication (e.g., passkeys, FIDO2 WebAuthn)., Immediately patch Oracle E-Business Suite to the latest version., Implement multi-factor authentication (MFA) for all critical systems., Plan for Clinical Continuity During Cyber Disruptions, Engage Third-Party Threat Intelligence for Indicators of Compromise (IOCs), Monitor for high-volume extortion email campaigns from compromised accounts, Sign up for free IDX identity theft protection services, Review third-party vulnerability disclosures for proactive patching, Enhance Security Measures, Conduct forensic investigations to detect signs of prior exploitation., Leverage AHA’s Cybersecurity Resources, Including Preferred Provider Programs and Advisory Services and Apply Oracle Security Alerts and Critical Patch Updates Immediately.

Most Recent Source: The most recent source of information about an incident are Google Mandiant (Charles Carmakal, CTO) - LinkedIn Post, Emsisoft (MOVEit Impact Report), Okta Threat Intelligence (contributor: Moussa Diallo), LinkedIn Post by Charles Carmakal (Mandiant CTO), THE RAVEN FILE (Security Research), watchTowr Labs (PoC Analysis), American Hospital Association (AHA) Cybersecurity and Risk Webpage, Clop Dark Web Leak Site, SecurityAffairs, BleepingComputer Article, U.S. State Department Reward Program, Oracle Security Alert (October 2025), Mandiant (Google Cloud) Alert on Cl0p Campaign, Recorded Future News, CISA Advisory (January 2023 Oracle Incident), Mandiant/GTIG Warning, Google Blog Post, Attorney General of the Commonwealth of Massachusetts, Clop Ransomware Dark Web Leak Site, Mandiant (Google Cloud) & GTIG Analysis, BleepingComputer, Oracle Security Alert Advisory, Google Threat Intelligence & Mandiant Analysis, SEC Filing (8-K), TechCrunch, University of Phoenix Official Website, Oracle Security Advisory (Rob Duhart, CSO), Oracle Security Advisory, Oracle Security Advisory (CVE-2025-61882), Cyber Incident Description, News Article, CrowdStrike Blog, Shamis & Gentile P.A., AHA and Microsoft Rural Health Resiliency Program, THE RAVEN FILE Security Researchers, Oracle Security Alert (CVE-2025-61882), California Office of the Attorney General, U.S. State Department Rewards for Justice Program (Clop), FBI Warning on Oracle E-Business Suite Vulnerability and CrowdStrike Report on CVE-2025-61882 Exploitation.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.state.gov/rewards-for-justice-program/, https://www.cisa.gov/, https://techcrunch.com/2023/10/05/google-clop-oracle-zero-day-hack/, https://blog.google/threat-analysis-group/clop-oracle-zero-day/, https://www.oracle.com/security-alerts/, https://www.aha.org/cybersecurity, https://securityaffairs.co/wordpress/150000/hacking/oracle-ebs-flaw-cve-2025-61884.html .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was warn customers about impersonation attempts, share indicators of compromise (IOCs) with industry peers, Mandiant/GTIG Warning to Corporate Executives, Oracle and Mandiant have issued public advisories urging immediate action., Oracle customers urged to patch immediately, Executives warned about extortion emails, Oracle Urgent Patching Advisory, CrowdStrike Threat Assessment, Oracle and Google have issued advisories with technical details for detection and mitigation., AHA provides timely alerts and advisories to member hospitals and health systems, incorporating input from federal law enforcement and AHA cybersecurity experts (John Riggi and Scott Gee)., Oracle Customers Urged to Patch Immediately, Executives Warned About Extortion Emails, Notification letters mailed to affected individuals, public disclosure on website, .

Most Recent Customer Advisory: The most recent customer advisory issued were an Oracle urged Micros customers to change their passwords and any passwords used by Micros representatives to access their on-premise systems., Private letters to customers, avoid clicking on sponsored search ads for hospitality servicesverify URLs before entering credentialsreport suspicious login pages, Recommended: Investigate Oracle E-Business Suite for compromise, Customers advised to patch and investigate potential compromise., Patch installation guidanceIoCs for detecting compromise, Extortion Emails from Clop to Executives, Organizations using Oracle E-Business Suite advised to apply patches and monitor for suspicious activity., Patients and the public are advised to stay informed about potential disruptions to healthcare services and to report suspicious activities. Hospitals are encouraged to communicate transparently with patients about cybersecurity measures and any impacts on care delivery., Apply Emergency Patches for CVE-2025-61884 and CVE-2025-61882Monitor for Suspicious Activity, Extortion emails sent to victims via support@pubstorm[.]com, 24 months of complimentary credit monitoring services provided to affected individuals, Free identity protection services offered (credit monitoring, identity theft recovery, dark web monitoring, $1 million fraud reimbursement policy), Affected individuals notified via written notice on Dec. 22 and 2025.

Most Recent Entry Point: The most recent entry point used by an initial access broker were an CVE-2021-35587, Oracle E-Business Suite (EBS) zero-day vulnerability (CVE-2025-61882), Exploitation of Unpatched Vulnerability in Oracle’s E-Business Suite, OA_HTML/SyncServlet (Authentication Bypass) & OA_HTML/RF.jsp (XSLT Injection), Zero-Day Vulnerability in Oracle E-Business Suite (Network-Based, No Authentication Required), CVE-2025-61882 (Oracle E-Business Suite zero-day), Phishing (duping school employees), Oracle E-Business Suite Concurrent Processing Component (via HTTP) and Compromised Email Accounts.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Likely conducted prior to August 2025 (exploitation began in August), Potentially since early August 2025 (zero-day exploitation), Since at least 2023-07-10, Potentially Began on 2025-07-10 (Prior to July Patches), Observed as early as June 2025, active exploitation from August 2025, Likely conducted prior to August 2025 (exploitation start date).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Vulnerable software version, compromised subdomain, Over-reliance on traditional MFA methods vulnerable to real-time phishing.Lack of visibility into malvertising campaigns targeting brand impersonation.Insufficient monitoring for typosquatted domains and beaconing activity., Zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite.Lack of authentication requirements for exploitation.High-volume email campaign leveraging compromised accounts (per Mandiant)., Zero-day vulnerability (CVE-2025-61882) in Oracle E-Business SuiteInsufficient proactive patching for prior vulnerabilities (July 2025 patches bypassed), Unpatched Oracle EBS vulnerability (CVE-2025-61882)Internet-exposed EBS applications without authentication safeguardsDelayed patching despite active exploitation, Unpatched Zero-Day Vulnerability in Oracle E-Business SuiteInadequate Initial Response by Oracle (Premature Claim of Patch Effectiveness)Lack of Network Segmentation or Access Controls to Limit Exploitation, Unpatched Critical Vulnerability in Oracle’s E-Business SuiteInsufficient Cybersecurity Resources in Some Healthcare Organizations (e.g., Rural Hospitals)Sophisticated and Evolving Tactics by Cybercriminals and Nation-State Actors, Unpatched Vulnerabilities in Oracle E-Business SuiteLack of Authentication for Remote ExploitationPotential Weaknesses in Default Password Reset MechanismsDelayed Patch Deployment by Some Customers, Zero-Day Exploit (CVE-2025-61882)Delayed Patch Release (exploited for months pre-patch)Reused Attack Infrastructure from MOVEit (CVE-2023-34362), Unpatched zero-day vulnerability (CVE-2025-61882) in Oracle EBSLack of pre-authentication protections for SyncServlet endpointReuse of attack infrastructure from prior campaigns (e.g., MOVEit CVE-2023-34362), Software VulnerabilityPhishing, Exploitation of zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61882).

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Replace SMS/email-based MFA with phishing-resistant alternatives.Proactively register defensive domains to prevent typosquatting.Enhance threat intelligence sharing within the hospitality sector.Deploy solutions to detect and block malicious ads in search results., Emergency patch release by Oracle.Public disclosure and customer advisories.Collaboration with Mandiant for threat intelligence sharing., Patch deploymentCustomer advisory for IoC monitoring, Apply Oracle’s security patch for CVE-2025-61882.Implement network segmentation for EBS environments.Deploy behavioral detection for RCE attempts (e.g., CrowdStrike Falcon).Conduct threat hunting for signs of Clop or GRACEFUL SPIDER activity., Oracle Released Emergency Patches and AdvisoriesGoogle Shared Detection Indicators for Affected OrganizationsRecommended Enhanced Monitoring for Extortion Emails and Unusual Data Access, Mandatory Patch Management Protocols for Critical SoftwareEnhanced Collaboration Between Healthcare Providers, Government Agencies, and Cybersecurity FirmsExpanded Access to Cybersecurity Training and Resources for Under-Resourced OrganizationsDevelopment of Offensive Cyber Capabilities to Disrupt Adversaries Proactively, Oracle Released Out-of-Band PatchesCustomers Advised to Apply Patches and Monitor SystemsEnhanced Threat Intelligence Sharing (e.g., POC Disclosure as IOC), Patch deployment (October 2025)Infrastructure monitoring for 96 linked IPs (41 subnets reused from MOVEit).