Particle.news
Download on the App Store
11 ARTICLES
·
12h ago

Google Says Oracle E‑Business Suite Zero‑Day Fueled Data Theft at Dozens, Likely Over 100

New analysis details a multi‑CVE exploit chain, including a zero‑day, used to steal large volumes of Oracle E‑Business Suite data.

Larry Ellison, co-founder and executive chairman of Oracle Corp., speaks during the Oracle OpenWorld 2018 conference in San Francisco, California, U.S., on Monday, Oct. 22, 2018. Ellison announced a series of updates injecting more automation and intelligence into Oracle's cloud applications. Photographer: David Paul Morris/Bloomberg
Image
Image
A critical Oracle zero-day flaw is being actively abused by hackers

Overview

  • Google Threat Intelligence Group and Mandiant reported that exploitation dates to at least August 9, with suspicious activity as early as July 10 and extortion emails beginning September 29.
  • Attackers chained multiple Oracle E‑Business Suite flaws, including CVE-2025-61882, an unauthenticated remote code execution bug now patched by Oracle in an October 4 emergency update.
  • Researchers documented sophisticated, largely fileless Java tooling—GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE—deployed via malicious templates stored in EBS databases to evade file-based detection.
  • Exposure persists despite patches, with Shadowserver finding 576 potentially vulnerable EBS instances on October 6, and U.S. agencies adding the flaw to the Known Exploited Vulnerabilities list as the FBI labeled it an emergency.
  • The extortion operation uses the Cl0p brand and shows overlaps with FIN11 activity, yet investigators have not made a definitive attribution; some ransom demands have reached seven and eight figures, with reports up to $50 million.