Cl0p ransomware extortion gang have a zero day in Oracle E-Business Suite (component: BI Publisher Integration) - which they’ve been exploiting since last month to steal data.

https://www.bleepingcomputer.com/news/security/oracle-patches-ebs-zero-day-exploited-in-clop-data-theft-attacks/

Oracle patches EBS zero-day exploited in Clop data theft attacks

Oracle is warning about a critical E-Business Suite zero-day vulnerability tracked as CVE-2025-61882 that allows attackers to perform unauthenticated remote code execution, with the flaw actively exploited in Clop data theft attacks.

BleepingComputer
A few days ago Oracle, via the media, blamed their own customers for not installing a July security update... then when the media coverage stopped, quietly released a new security update for the actual exploited vulnerability. 🥴
Here's the original Oracle explanation - before the post mysteriously disappeared (even from Internet Archive etc).

The craziest part of the Oracle story is they got the exploit chain via... LAPSUS$.

Before Oracle had an advisory, on Telegram LAPSUS$ posted a working zero day exploit - dated May 2025.

Yes, the teenagers at LAPSUS$ know more about Oracle's security vulnerabilities than Oracle.

-rw-r----- 1 root root 3713 Jun 15 18:19 exp.py
-rw-r--r-- 1 root root 2749 Oct 3 14:54 readme.md
-rw-r----- 1 root root 2651 May 16 10:07 server.py

Having large corporations pay hundreds of millions of US dollars in Bitcoin to teenagers to cover up their data breaches is fucking stupid by the way, as said teens then spend the bitcoin on exploits* - we're in a race to the bottom to arm teens with rocket launchers.

* one of the LAPSUS kids also allegedly ordered pizza to his nan's house with bitcoin

APTs aren't nation states anymore, they're Advanced Persistent Teenagers as covering up breaches has lowered the bar. Global gov inaction.

@GossiTheDog LAPSUS$? More like LAPSUS₿.

@GossiTheDog > * one of the LAPSUS kids also allegedly ordered pizza to his nans house with bitcoin

That's the most 2025 sentence I have ever read

@GossiTheDog
"Advanced Persistent Teenagers"
you made my day. 😂
@GossiTheDog It's even more funny that they don't even buy exploits that often (rather sell them); it's a brain-race between the old capitalists and young bored digital-native teenagers xD check out stuff like the darknetdiaries podcast (especially the xbox underground episodes for example) for more fun in that department ;)
Edit: and we don't "arm" teenagers. The old gov officials are just fighting with rocks and sticks against tanks ;) Though you're right that providing them with a lot of cash does not help the problem.
@GossiTheDog btw. it gets quite obvious because the most incredible hacks were the ones done by teenagers, without anything criminal before the hack that made them publicly immortal, so no cash but time and knowledge, or a skill to just RTFM xD

@snornik it really is wild what access a teenager has to the world, these days. I mean, I poked around and did things way back when, but there was so much less to exploit.


@bobdobberson @GossiTheDog
In what days did you poke around? 2000 was basically a free-for-all deathmatch xD

@snornik I missed out on that, I was keeping my nose clean in those days, and avoiding tempting knowledge that might get me behind bars.


@bobdobberson @GossiTheDog
I do get that... but modem times, pre-DSL routers, no firewalls, remote exploits of Win95, Win98, XP, so many weak servers. It was hilarious. It got better though, way way better. Still, it was way more wild what you could do in early 2k than now.
@bobdobberson @GossiTheDog
But the attack surface changed. Back then it was fun, but not much damage. But the data hoarding makes it way more valuable today, that's for sure! And that's not the kids' fault! If companies wouldn't hoard massive databanks to monetize them, kids wouldn't have a harder but way more valuable surface.

@snornik no doubt, however there were far fewer things on 'the net' to begin with.

And yeah, you get to the point near the end there; smaller attack surface, not as much infrastructure to get into, possible to get in through someone's modem, but modem -> net -> modem was painfully slow.

I also think there's more of an enticing cat-n-mouse challenge these days, as security has changed and learned a lot since the modem days. hell, we used to use rsh, or telnet.


@bobdobberson @GossiTheDog check out Kevin Mitnick's books.. back then there was much much more to capture, but different stuff like military, secret services etc. Yeah, security has changed but companies didn't. The vulnerable systems got fewer but are now much more valuable if you get one. It got much worse in that department, because of data hoarding about millions on a single server, or a "cloud", or rather the whole cloud nonsense. Catch one, capture all is today's markup.
@bobdobberson @GossiTheDog
In 2k, even if there was an interesting server, it was not a catch-all with a single takeover.
@bobdobberson @GossiTheDog also telnet was not inherently insecure if there wasn't an exploit out in the wild; it was just unencrypted. FTP was truly an easier and much more valuable target (and also unencrypted), not only because of common exploits out in the wild but also because of the files.. There is always a work/profit balance. 2k was easier but way less profit. The profit margins of a takeover are, in my humble opinion, the problem nowadays. Ransomware would not exist if there wasn't enough to demand a ransom for.

@snornik getting access to a router that rsh or telnet was going through got you access to passwords. *shrug*

FTP holds a soft spot in my heart as I once caught an MP3 release crew in a honey-pot and hosted for them for a while. They were some interesting folks.


@bobdobberson @GossiTheDog
I am talking about before routers existed *shrug*. Yeah, open telnet on a router.... God damn, I never have bought such a thing. btw. hosting an MP3 release group is punished way harder than accessing a company. Copyright is just sick.
@bobdobberson @GossiTheDog
Just FYI. To copy and sell a movie in Germany is punished harder than pedophilia -.- for who knows what shitty reason. Okay sorry, I know the reason: because money is worth more than a life.

@snornik I feel that. It's really a shame that we've allowed corporations to have such control over things.


@bobdobberson @GossiTheDog
To come back to the original topic: at least there are the teens to put them into perspective xD I'm proud sometimes. Those who didn't get it 40 years ago never will. But 15 year olds can punish them like it's a joke today.

@snornik I think it's a shame that the fallout from all of these exploits and hacks tends to affect the people, not the corporations.


@bobdobberson @GossiTheDog nah, it does affect them; it costs either a lot of cash or loss of trust, corporate identity and customers. Problem is a lot of companies don't care, don't realise data hoarding is dangerous. Fuck every privacy right of all humans. Don't patch and don't spend any money on professionals until it's too late. Not the fault of the kids.
@bobdobberson @GossiTheDog
Because most of the bosses have problems operating a phone and don't know shit about any tech after 1945, even if they're born in 1980!
If FAX is a mystery for you, just get out of society for the best of all.

@snornik cronyism and the way business operates are definitely problems.

They eat the financial costs, insurance pays for some of it, the consumers pay for the rest. The stock-holders don't feel it, because if they did, they would roll heads.

Sure the company's name gets dragged through the mud, but it's another company tomorrow, and it's just commonplace, and people blame the hackers.


@snornik Kevin Mitnick also got caught. ;)

Security is difficult and security costs money and companies are cheap.

That they do spend any money on security is probably what keeps it fun for the kids. It's a cat-n-mouse game these days.

Back in the day, you could probably sit on a mil server for months and do loud port-scans without raising any eyebrows.


@GossiTheDog I'm using a screenshot of your post in a story today. Thanks!

@briankrebs @GossiTheDog

omg path canonicalization is one of the first things we fixed in honey danber uucp … in 1983

@peterhoneyman @briankrebs @GossiTheDog It’s amazing how often that bug still shows up.
@SteveBellovin @peterhoneyman I wonder what would break if you just unlinked .. from the top dir of a subtree you didn't want people to get out of. And also disallowed filenames beginning with /. Poor person's chroot.
@jef @peterhoneyman The latter, I think, doesn't help—the whole point of ../ is that it lets you navigate up the tree without an explicit /.
The former—well, it would certainly break fsck and equivalent, and I suspect would have other bad side-effects—the restricted subtree has to be navigable by code that updates the legitimate content. Given that effectively all major platforms have good sandboxing today, I'm not sure that playing games with the file system is the best approach—but it doesn't hurt to think about it more!
@jef @peterhoneyman On further thought, making it appear that .. from the subtree root pointed to itself could be done by a nested file system or some such, as a way to implement part of the sandbox. That nested file system would not be in place for content updates, checking the file system, etc., so those objections wouldn't apply. This nested file system (or systems) could implement other aspects of protection—for example, chroot() is restricted to root because of the risks of, e.g., creating a bogus /etc/passwd, and you still have to worry about mknod and more.
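The canonicalization point above, as an added example that is not from any participant in the thread: it contrasts the "refuse names starting with /" rule with a check that collapses `..` segments before testing containment. The base directory, function names and sample paths are constructed for illustration.

```python
import posixpath

# Constructed sample base directory that exported files must stay inside.
BASE = "/srv/export"


def accepted_by_leading_slash_rule(user_path: str) -> bool:
    """The weaker rule discussed in the thread: only refuse names that begin
    with '/'. Returns True when this rule would let the path through."""
    return not user_path.startswith("/")


def is_contained(user_path: str, base: str = BASE) -> bool:
    """Join the client-supplied path to base, canonicalise it lexically
    (collapsing '.' and '..'), and require the result to stay under base.

    Pure string logic so it runs offline; a real check on a live tree should
    also resolve symlinks (os.path.realpath) before the comparison, since a
    link inside base can otherwise point outside it."""
    base = posixpath.normpath(base)
    # posixpath.join discards base if user_path is absolute, which is exactly
    # why an absolute path then fails the prefix test below.
    joined = posixpath.normpath(posixpath.join(base, user_path))
    return joined == base or joined.startswith(base + "/")


def check_samples() -> dict:
    """Evaluate a few constructed inputs under both rules."""
    samples = ["docs/readme.txt", "docs/../other/x", "../../etc/passwd",
               "/etc/passwd", ".."]
    return {p: (accepted_by_leading_slash_rule(p), is_contained(p))
            for p in samples}


if __name__ == "__main__":
    for path, (slash_rule, contained) in check_samples().items():
        print(f"{path!r:22} leading-slash rule accepts={slash_rule}  "
              f"contained after canonicalisation={contained}")
```

The `../../etc/passwd` case passes the leading-slash rule yet fails containment, which is the gap the thread points out.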
@GossiTheDog Also, last night I received a booby-trapped email that mentioned lapsuss scattered hunters and threatened physical violence unless demands were met. Visiting the link (I didn't) launches a Windows screenshot file that loads a commercial trojan/backdoor. Mandiant confirmed several other researchers and security firms got similar messages around the same time. More details in a story just published, here: https://krebsonsecurity.com/2025/10/shinyhunters-wage-broad-corporate-extortion-spree/
ShinyHunters Wage Broad Corporate Extortion Spree – Krebs on Security

@briankrebs I recall an old story about journalism (might have been a Mark Twain bit) where the editor said that if you didn't get a death threat now and then, you weren't doing your job. So, congratulations, I guess?

@womble @briankrebs Yeah...

@ennolenze nowadays tells them "get in line, take a number" as he stopped counting at like 512...

@briankrebs @GossiTheDog I guess they either are cosplaying or something else.

  • Cuz last time I checked Arion Kurtaj was still in the Loony Slammer...

@kkarhan @GossiTheDog yeah but some Com members have been known to run hits and scams with phones smuggled into jail. To wit, this guy Robert Lewis Barr:

https://news.stv.tv/west-central/pair-accused-of-planning-robberies-to-steal-17m-in-cryptocurrency

Pair accused of planning robberies to steal £17m in cryptocurrency 

The men are alleged to have conspired to steal the digital cash valued at in excess of £17m, including while in prison.

STV News
@briankrebs @GossiTheDog yeah, but Kurtaj isn't in a normal slammer, but like loony bin.

@GossiTheDog Also, I feel compelled to expand on your reference to rocket launchers to note that one of the Com members who was closely involved in a broad range of telecom breaches very much did attempt to purchase a rocket launcher. His attempts to purchase a Stinger missile were foiled when Turkish authorities put him in prison.

"In several online chats in late 2023 on Discord, IRDev lamented being lured into a law enforcement sting operation after trying to buy a rocket launcher online. A person close to the investigation confirmed that at the beginning of 2023, IRDev began making earnest inquiries about how to purchase a Stinger, an American-made portable weapon that operates as an infrared surface-to-air missile."

"Sources told KrebsOnSecurity Binns’ repeated efforts to purchase the projectile earned him multiple visits from the Turkish authorities, who were justifiably curious why he kept seeking to acquire such a powerful weapon."

https://krebsonsecurity.com/2024/11/canadian-man-arrested-in-snowflake-data-extortions/

Canadian Man Arrested in Snowflake Data Extortions – Krebs on Security

@briankrebs Typo "the British foot retailer Co-op Group"
@geoffl yeah, I'm currently locked out of making changes atm b/c of some ongoing thing with Duo authentication. I go through push 2FA, it says success logging you in, then it fails to an error page that says failed or expired two-factor authentication.
@briankrebs they are English speakers.. do they always write in Broken Title Text and misspell their own moniker?
@briankrebs @GossiTheDog Ah, what is a Windows screenshot file?
@GossiTheDog you know what's good for nan
@GossiTheDog I might have managed to sneak this in to a talk I gave tonight 😅

@GossiTheDog OFC they do.

Kurtaj was a fucking genius!

  • He violated the 0th rule: "Don't get caught!"

@GossiTheDog I cannot stress enough how deceptive this tactic is.

First, Oracle gaslights their own customers into "if something happens, it's because you haven't patched". Then, after downloading a zero-day off Telegram and finding out that they have been pwned by Scattered Lapsus$ Hunters, they quietly edit out the previous content.

And this is not some anonymous marketing writer, but the Chief Security Officer for one of the biggest corporations on the globe.

1/2

@christopherkunz @GossiTheDog it wouldn't be their first, right?
@mr0vka @GossiTheDog Certainly not, hence my ire. Not much longer than half a year ago, Oracle Classic Cloud "lost" data in an incident that had me look on web.archive.org and despair at Oracle's wordsmithing: https://heise.de/-10336366 I think this is a system, not a one-off occurrence.
Data leak at Oracle: Up to 2000 German victims? What is known and what is not

Data from the "Oracle Classic" cloud is for sale on the darknet. Analysts agree: the data is genuine. But some pieces of the puzzle are still missing.

heise online

@GossiTheDog The timeline checks out: The exploit was posted on TG on October 3, early afternoon. It was also first uploaded to VT on October 3. After Oracle woke up to the news on October 4, they quickly assessed the damage and pivoted their narrative to "discovered during our investigation". aka "downloaded from telegram".

This fits a repetitive pattern of what I would diplomatically call "unethical disclosure practice". If you update your publications, AT LEAST mark the edits.

2/2

@christopherkunz One should create a dictionary for compromised enterprises. Something like:

  • Discovered during our investigation: someone showed us a telegram chat
  • Deep technical analysis: We actually for once looked into a log file
  • Due to unforeseen circumstances: Our unpatched system had a vulnerability
  • Together with technical specialists: We hired everyone who picked up the phone
  • We immediately informed the authorities and customer: we kept back the information as legally possible
  • Your security is important to us: CEO bonus comes first


@masek @GossiTheDog We informed the appropriate authorities: We ghosted DPOs and consumer orgs but called the FBI to help us decrypt the files. We NDAed everyone who can hold a pen.
@masek @christopherkunz @GossiTheDog
There are two types of companies, one which got hacked and the other who didn't know they got hacked.
John Chambers

@christopherkunz Forgot:

  • Technically sophisticated attack: We left the credential in an open S3 bucket
  • Criminal energy: bored teenager
  • Sophisticated security infrastructure: We have somewhere a firewall we last patched three years ago
  • Started our incident response process: ran around flapping our arms
