Executive Summary
In late 2025, Barts Health NHS Trust disclosed a data breach after Clop ransomware actors exploited a zero-day vulnerability in Oracle E-Business Suite. The attackers gained unauthorized access to internal systems, exfiltrated sensitive files from a key database, and threatened further leaks. Because the flaw was a zero-day, no vendor fix existed when exploitation began; it served as the entry vector, and the attackers had moved laterally and stolen data before the intrusion was detected. The incident disrupted operations and triggered regulatory notifications because of the sensitive patient and operational information involved.
This breach highlights the ongoing risks posed by sophisticated ransomware groups exploiting zero-day vulnerabilities in widely used enterprise software. Attacks of this kind are increasingly common, especially in the healthcare sector, which remains a high-value target for ransomware due to legacy systems and critical service mandates.
Why This Matters Now
Attacks exploiting zero-day software vulnerabilities are accelerating, with ransomware groups targeting healthcare organizations' unpatched systems. The Barts incident demonstrates how agile threat actors can bypass traditional defenses and underscores the urgent need for timely vulnerability management, zero trust principles, and resilient incident response strategies.
Attack Path Analysis
Adversaries exploited a zero-day vulnerability in Oracle E-Business Suite to gain initial access to Barts Health NHS Trust's environment. They escalated privileges within the compromised environment to reach sensitive databases, then moved laterally across systems to locate the data stores holding valuable files. Command and control was established to maintain persistence and coordinate exfiltration. Sensitive data was exfiltrated from database systems over outbound network channels. The operation culminated in extortion: the Clop operators threatened to leak the stolen data, disrupting NHS operations and exposing confidential records.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a previously unknown vulnerability in Oracle E-Business Suite to gain unauthorized entry.
Related CVEs
CVE-2025-61882
CVSS 9.8
An unauthenticated remote code execution vulnerability in the BI Publisher Integration component of Oracle E-Business Suite's Concurrent Processing allows an attacker with network access via HTTP to execute arbitrary code without a username or password.
Affected Products:
Oracle E-Business Suite – 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14
Exploit Status:
exploited in the wild
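To make the affected-version list above actionable, the following is an added example (not Oracle's code and not from the original page) that parses E-Business Suite release strings numerically and flags inventory entries inside the 12.2.3 through 12.2.14 range. The hostnames and releases in the sample inventory are constructed.

```python
# Added example: checks Oracle E-Business Suite release strings against the
# affected range published for CVE-2025-61882 (12.2.3 through 12.2.14).
# Not Oracle's code; the host inventory below is constructed sample data.
from typing import Dict, List, Tuple

AFFECTED_MIN = (12, 2, 3)
AFFECTED_MAX = (12, 2, 14)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '12.2.10' into (12, 2, 10) so comparisons are numeric.

    Comparing release strings lexically is a classic vulnerability-management
    bug: '12.2.10' < '12.2.9' as strings, which would wrongly clear 12.2.10.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable EBS version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True if the base release (first three fields) is inside the published range."""
    v = parse_version(version)[:3]
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames running an affected release, sorted for stable output."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hypothetical hostnames and releases).
SAMPLE_INVENTORY = {
    "ebs-prod-01": "12.2.14",
    "ebs-prod-02": "12.2.9",
    "ebs-test-01": "12.2.10",
    "ebs-legacy-01": "12.1.3",
    "ebs-dev-01": "12.2.2",
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in the CVE-2025-61882 affected range")
    # Why numeric comparison matters: lexical order puts 12.2.10 before 12.2.9.
    assert "12.2.10" < "12.2.9"
    assert parse_version("12.2.10") > parse_version("12.2.9")
```

A release inside the range tells you the host is in scope, not whether Oracle's Security Alert patch has been applied; confirm patch state from the applied-patch record rather than the base release. Releases outside the range, such as 12.1.x, are not cleared by this check either; they are simply not on the list the vendor published for this alert.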
MITRE ATT&CK® Techniques
- T1190 Exploit Public-Facing Application
- T1210 Exploitation of Remote Services
- T1078 Valid Accounts
- T1005 Data from Local System
- T1041 Exfiltration Over C2 Channel
- T1486 Data Encrypted for Impact (listed as a Clop capability; the disclosures summarized above describe data theft and extortion rather than file encryption)
- T1562 Impair Defenses
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
UK Data Protection Act 2018 (GDPR-aligned) – Security of Processing
Control ID: Article 32
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Inventory and Vulnerability Management
Control ID: Asset Management
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 8
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
NHS Trust ransomware breach exposes critical patient data vulnerabilities in Oracle systems, requiring enhanced zero trust segmentation and encrypted traffic controls.
Government Administration
Public sector Oracle E-Business Suite vulnerabilities enable Clop ransomware attacks, demanding improved egress security and threat detection across government databases.
Computer Software/Engineering
Oracle zero-day exploits demonstrate enterprise software supply chain risks, necessitating inline IPS protection and multicloud visibility for software providers.
Financial Services
Database breach patterns threaten financial institutions using similar Oracle systems, requiring enhanced east-west traffic security and anomaly detection capabilities.
Sources
- Barts Health NHS discloses data breach after Oracle zero-day hack: https://www.bleepingcomputer.com/news/security/barts-health-nhs-discloses-data-breach-after-oracle-zero-day-hack/
- Cl0p cyberattack update | Barts Health's latest news: https://www.bartshealth.nhs.uk/news/cl0p-cyberattack-update-18178/
- Oracle E-Business Suite Zero-Day Vulnerability Exploited in Extortion Attacks (Oracle Security Alert, CVE-2025-61882): https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- Cl0p Mass Exploiting Zero-day Vulnerability in Oracle E-Business Suite: https://www.hipaajournal.com/cl0p-mass-exploiting-zero-day-vulnerability-oracle-e-business-suite/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust Segmentation, strict egress policy enforcement, and deep network visibility would have restricted attacker mobility after the initial compromise, narrowed the available exfiltration paths, and surfaced anomalous behaviour earlier in the kill chain. Encrypting internal traffic and applying inline threat prevention would have hindered lateral movement and data theft.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Early detection of exploit attempts through real-time inspection.
Control: Zero Trust Segmentation
Mitigation: Containment of privilege escalation within isolated segments.
Control: East-West Traffic Security
Mitigation: Detection and prevention of unauthorized lateral connections.
Control: Inline IPS (Suricata)
Mitigation: Detection and blocking of malicious C2 communications.
Control: Egress Security & Policy Enforcement
Mitigation: Blocking of unsanctioned outbound data transfers.
Control: Rapid Anomaly Alerting & Response
Mitigation: Faster containment, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Billing
- Accounts Receivable
- Supplier Management
Estimated downtime: 7 days
Estimated loss: $500,000
Invoices containing names and addresses of individuals who paid for treatment or services, details of former staff with outstanding payments, and information about suppliers were exposed.
Recommended Actions
Key Takeaways & Next Steps
- Apply Oracle's Security Alert patch for CVE-2025-61882 to every E-Business Suite 12.2 instance and review whether any EBS component is reachable from the internet.
- Enforce Zero Trust Segmentation and identity-based microsegmentation around all critical workloads and databases.
- Deploy comprehensive egress filtering policies to control and monitor all outbound traffic, limiting exfiltration avenues.
- Implement inline threat prevention (IPS) and continuous deep packet inspection for active detection of exploit and C2 activity.
- Encrypt sensitive data in transit between workloads (MACsec or IPsec) so that traffic captured on the network path cannot be read.
- Centralize network and application layer visibility across cloud and hybrid environments to rapidly baseline activity and detect anomalies.
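The egress-filtering guidance in the CNSF section and in the recommendations above is easier to reason about with concrete logic. The following is an added example, not part of the original page and not any vendor's product code: it evaluates constructed outbound flow records from an ERP/database segment against an allowlist keyed on destination network and port, and against a per-host volume budget, the two checks that would have flagged exfiltration over a C2 channel. The segment ranges, allowlist entries, threshold and flow records are all hypothetical.

```python
# Added example, not from the page or any vendor product: evaluate outbound
# flow records from an ERP/database segment against an egress allowlist keyed
# on destination network AND port, plus a per-host outbound byte budget.
# Every network, port, threshold and flow record below is constructed.
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str        # source host (database/ERP tier)
    dst: str        # destination IP
    dport: int      # destination port
    bytes_out: int  # bytes sent by src in this flow record


# Scope: the policy applies to hosts in this (hypothetical) ERP segment.
ERP_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Allowlist entries pair a destination network WITH a port. A port-only rule
# such as "allow 443 out" is exactly what exfiltration over an HTTPS C2
# channel relies on, so the destination is never optional here.
EGRESS_ALLOW = [
    (ipaddress.ip_network("10.20.0.0/24"), 1521),  # intra-segment Oracle listener
    (ipaddress.ip_network("10.30.5.0/24"), 443),   # internal patch repository
    (ipaddress.ip_network("10.30.5.0/24"), 53),    # internal DNS resolver
]

# Per-host outbound budget for one evaluation window (hypothetical value).
MAX_BYTES_PER_HOST = 50 * 1024 * 1024


def is_allowed(flow: Flow) -> bool:
    """True only when both destination network and port match an allow entry."""
    dst = ipaddress.ip_address(flow.dst)
    return any(dst in net and flow.dport == port for net, port in EGRESS_ALLOW)


def evaluate(flows: List[Flow]) -> List[Tuple]:
    """Return alerts as tuples:
       ("DENY", src, dst, dport)  for flows that violate the allowlist
       ("VOLUME", src, total)     for hosts over the byte budget; all in-scope
                                  flows count, because in monitor mode a
                                  denied flow still carried its bytes
    """
    alerts: List[Tuple] = []
    volume: Dict[str, int] = defaultdict(int)
    for f in flows:
        if ipaddress.ip_address(f.src) not in ERP_SEGMENT:
            continue  # out of scope for this segment's policy
        volume[f.src] += f.bytes_out
        if not is_allowed(f):
            alerts.append(("DENY", f.src, f.dst, f.dport))
    for host, total in sorted(volume.items()):
        if total > MAX_BYTES_PER_HOST:
            alerts.append(("VOLUME", host, total))
    return alerts


MiB = 1024 * 1024
# Constructed flow records: one ERP host pushes a large transfer to an
# external address (203.0.113.0/24 is a documentation range) on port 443.
SAMPLE_FLOWS = [
    Flow("10.20.0.15", "10.20.0.20", 1521, 2 * MiB),     # normal DB traffic
    Flow("10.20.0.15", "10.30.5.10", 443, 1 * MiB),      # patch repo, allowed
    Flow("10.20.0.15", "203.0.113.45", 443, 120 * MiB),  # external, not allowed
    Flow("10.20.0.15", "203.0.113.45", 443, 30 * MiB),   # external, not allowed
    Flow("10.20.0.21", "10.30.5.10", 53, 512),           # DNS, allowed
    Flow("10.50.1.7", "203.0.113.45", 443, 500),         # outside ERP segment
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_FLOWS):
        print(alert)
```

Running this against the sample flows yields two DENY alerts for the external HTTPS destination and one VOLUME alert for the host that sent 153 MiB in the window. The design point is that both checks are needed: an allowlist alone misses slow exfiltration to a permitted destination, and a volume threshold alone misses a small but unsanctioned C2 beacon.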