Broadcom Breach Incident Score: Analysis & Impact (BRO3105131112625)
The Rankiteo video explains how the company Broadcom has been impacted by a Ransomware on the date June 16, 2025.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of Broadcom's Ransomware and lateral movement inside company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident impacts Broadcom Rankiteo cyber scoring and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with associated confidence level.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Broadcom breach identified under incident ID BRO3105131112625.
The analysis begins with an overview of Broadcom's company profile: the LinkedIn page (https://www.linkedin.com/company/vmware), the number of followers (589166), the industry type (Semiconductor Manufacturing) and the number of employees (53946).
After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 460 and after the incident was 460, a difference of 0, which can be an indicator of the severity and impact of the incident.
In the next step of the video, we analyze the incident in more detail, along with the impact it had on Broadcom and their customers.
On 20 November 2023, Oracle disclosed Ransomware, Data Breach and Zero-Day Exploit issues under the banner "Cl0p Exploits Zero-Day Vulnerabilities in Oracle E-Business Suite Leading to Massive Data Breaches".
The cybercriminal group Cl0p exploited two zero-day vulnerabilities (CVE-2025-61882 and CVE-2025-21884) in Oracle's E-Business Suite (EBS), leading to data breaches in over 100 companies, including Broadcom, Estée Lauder, Mazda, and Canon.
The disruption is felt across the environment, affecting Oracle E-Business Suite (EBS) versions 12.2.3 to 12.2.14, and exposing True.
In response, teams activated the incident response plan and moved swiftly to contain the threat with measures such as applying the Oracle security patches (CVE-2025-61882, CVE-2025-21884). Remediation includes patch application for the Oracle EBS vulnerabilities, and stakeholders are being briefed through Oracle security alerts to customers and public disclosure via media.
The case is still ongoing (Cl0p's data leak timeline suggests delayed public exposure). Lessons teams are taking away include: supplier vulnerabilities in enterprise software (e.g., Oracle EBS) can cascade into large-scale breaches across industries; proactive patch management and supply chain risk monitoring (e.g., via SCRM platforms like Z2Data) are critical to mitigating third-party risks; and Cl0p's delayed data leak strategy highlights the importance of rapid incident response to prevent public exposure of sensitive data. Recommended next steps are to apply the Oracle security patches for CVE-2025-61882 and CVE-2025-21884 immediately, implement supply chain risk management (SCRM) tools to assess third-party vendor vulnerabilities (e.g., Z2Data), and enhance monitoring for unauthenticated HTTP requests targeting Oracle EBS components. Advisories going out to stakeholders cover Oracle security alerts urging immediate patching and Mandiant's analysis of Cl0p's modus operandi.
Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.
The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence.
Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with high confidence (100%), with evidence including exploitation of a zero-day vulnerability in Oracle's E-Business Suite (CVE-2025-61882 and CVE-2025-21884), and a vulnerability in the BI Publisher Integration allowing unauthenticated attackers to send crafted HTTP requests.
Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol (T1048) with high confidence (95%), with evidence including exfiltrated sensitive corporate and customer data, and data exfiltration such as true under ransomware details; and Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating that Cl0p's extortion tactics included warnings of public disclosure on their blog and torrent leaks.
Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with moderate to high confidence (85%), with evidence including the incident type (Ransomware) and the ransomware strain (Cl0p, also known as Clop); and Data Destruction (T1485) with moderate to high confidence (70%), supported by evidence indicating threats to leak or sell exfiltrated data if unpaid.
Under the Persistence tactic, the analysis identified Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (80%), supported by evidence indicating a vulnerability in the Runtime UI of Oracle Configurator allowing unauthorized access to critical/sensitive data.
Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with moderate to high confidence (85%), with evidence including crafted HTTP requests for full system compromise, and unauthenticated HTTP requests targeting critical components (BI Publisher, Configurator UI).
Under the Credential Access tactic, the analysis identified Brute Force (T1110) with moderate to high confidence (75%), supported by evidence indicating that unauthenticated attackers could send crafted HTTP requests for full system compromise.
Under the Lateral Movement tactic, the analysis identified Remote Services (T1021) with moderate to high confidence (70%), with evidence including full system compromise via the Oracle EBS vulnerabilities, and potential system compromise listed under operational impact.
Under the Command and Control tactic, the analysis identified Application Layer Protocol (T1071) with high confidence (90%), with evidence including unauthenticated HTTP requests for C2 communication, and the crafted HTTP requests described in the CVE descriptions.
These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.
Sources
- Broadcom Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/broadcom/incident/BRO3105131112625
- Broadcom CyberSecurity Rating page: https://www.rankiteo.com/company/broadcom
- Broadcom Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/bro3105131112625-broadcom-ransomware-june-2025/
- Broadcom CyberSecurity Score History: https://www.rankiteo.com/company/broadcom/history
- Broadcom CyberSecurity Incident Source: https://www.z2data.com/insights/everything-you-need-to-know-about-the-oracle-data-breach
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf