Executive Summary
GlobalLogic, a subsidiary of Hitachi, suffered a significant data breach after the Clop ransomware group exploited a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. The breach, which began on July 10, 2024, went undetected for months and resulted in the theft of sensitive human resources data for nearly 10,500 current and former employees. Attackers accessed names, SSNs, salary and bank details, passport information, and more, ultimately issuing extortion demands and threatening to leak the stolen data. After discovering the breach on October 9, 2024, GlobalLogic promptly initiated incident response actions, notified regulators, and applied Oracle's critical software patches to mitigate the threat. This incident is part of a broader campaign targeting multiple Oracle customers, with ransom demands reaching as high as $50 million and almost 30 organizations named as victims on Clop's data leak site.
This attack underscores the ongoing threat of ransomware groups exploiting enterprise application vulnerabilities and highlights the growing risks posed by sophisticated supply chain and zero-day attacks. Organizations relying on popular ERP software must increase vigilance and prioritize patch management, while regulators and security leaders raise concern over attackers' speed, stealth, and extortion tactics.
Why This Matters Now
This breach demonstrates the urgency of defending against supply chain attacks and ransomware group campaigns leveraging zero-day vulnerabilities in critical business platforms. With extortion tactics accelerating and regulatory scrutiny intensifying, organizations must act decisively to patch exposed systems and enhance detection of sophisticated attacker behavior.
Attack Path Analysis
Attackers exploited a zero-day vulnerability in Oracle E-Business Suite to gain unauthorized access to GlobalLogic’s HR platform. They leveraged application-level access to escalate privileges and expand their foothold. Lateral movement within the vulnerable Oracle environment allowed the attackers to reach sensitive employee data stores. Establishing command and control via covert outbound connections, the attackers prepared for data exfiltration. Large volumes of employee PII and financial data were exfiltrated over encrypted channels. The attackers then extorted GlobalLogic with threats to leak stolen data, causing business impact and reputational harm.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an unpatched zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite to gain initial access to the HR platform.
Related CVEs
CVE-2025-61882
CVSS 9.8: An easily exploitable vulnerability in Oracle E-Business Suite's Concurrent Processing component allows unauthenticated attackers to execute arbitrary code over HTTP, potentially leading to a complete system takeover.
Affected Products:
Oracle E-Business Suite – 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14
Exploit Status:
Exploited in the wild
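Because the flaw needs no credentials and is reachable over HTTP, the first defensive step is knowing which instances are in the affected version range and which of those face the Internet. The following triage script is an added example, not code from the advisory or from Oracle: it normalizes the version strings an asset inventory typically reports, checks them against the affected list given above (12.2.3 through 12.2.14), and ranks instances for patching. The inventory format and the `internet_exposed` and `patched` fields are assumptions; the sample hosts are constructed.

```python
"""Triage an Oracle E-Business Suite inventory against the affected versions for CVE-2025-61882.

Added example, not part of the original advisory. The inventory format and the
internet_exposed / patched fields are assumptions; the affected-version list is
the one given on the page.
"""
from dataclasses import dataclass

# Versions named as affected in the advisory: 12.2.3 through 12.2.14.
AFFECTED_VERSIONS = {f"12.2.{minor}" for minor in range(3, 15)}


@dataclass
class EbsInstance:
    host: str
    version: str            # as reported by the asset inventory, e.g. "12.2.10"
    internet_exposed: bool  # assumed field: web tier reachable from the Internet
    patched: bool           # assumed field: Oracle's fix for CVE-2025-61882 applied


def normalize_version(version: str) -> str:
    """Reduce inventory strings such as '12.2.10.0' or 'R12.2.10' to 'major.minor.patch'."""
    cleaned = version.strip().lstrip("Rr")
    parts = [p for p in cleaned.split(".") if p.isdigit()]
    return ".".join(parts[:3])


def is_affected(version: str) -> bool:
    return normalize_version(version) in AFFECTED_VERSIONS


def priority(inst: EbsInstance) -> str:
    """Rank an instance for patching. The vulnerability is unauthenticated and reachable
    over HTTP, so unpatched, Internet-facing instances come first."""
    if not is_affected(inst.version):
        # Not in the advisory's list. Out of scope is not the same as safe:
        # an unlisted release still needs its own support and patch review.
        return "not_affected"
    if inst.patched:
        return "verify_patch"  # version is in range; confirm the fix is really installed
    return "critical" if inst.internet_exposed else "high"


ORDER = {"critical": 0, "high": 1, "verify_patch": 2, "not_affected": 3}


def triage(instances: list[EbsInstance]) -> list[tuple[str, str]]:
    """Return (host, priority) pairs, most urgent first."""
    ranked = [(inst.host, priority(inst)) for inst in instances]
    return sorted(ranked, key=lambda hp: (ORDER[hp[1]], hp[0]))


# Constructed sample inventory (hostnames and values are made up for this example).
SAMPLE_INVENTORY = [
    EbsInstance("ebs-hr-prod-01", "12.2.10", internet_exposed=True, patched=False),
    EbsInstance("ebs-fin-prod-02", "R12.2.13.0", internet_exposed=False, patched=False),
    EbsInstance("ebs-dev-03", "12.2.5", internet_exposed=False, patched=True),
    EbsInstance("ebs-legacy-04", "12.1.3", internet_exposed=True, patched=False),
]

if __name__ == "__main__":
    for host, prio in triage(SAMPLE_INVENTORY):
        print(f"{prio:13} {host}")
```

The `verify_patch` bucket exists because a version number alone says nothing about whether the fix was applied; in a real environment that flag should come from the patch inventory, not from the release string.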
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Valid Accounts
Server Software Component: Web Shell
Application Layer Protocol
Data from Local System
Exfiltration Over Web Service
Data Encrypted for Impact
Inhibit System Recovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Security of System Components and Software
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy, Access Controls, and Risk Assessment
Control ID: 500.03, 500.07, 500.09
DORA (EU Digital Operational Resilience Act) – ICT Risk Management and Incident Reporting
Control ID: Art. 8, Art. 10
CISA Zero Trust Maturity Model 2.0 – Zero Trust Architecture and Active Monitoring
Control ID: Identity Pillar, Devices Pillar, Continuous Monitoring
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21
GDPR – Security of Processing & Personal Data Breach Notification
Control ID: Articles 32, 33, 34
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
The Oracle E-Business Suite vulnerability exposed enterprise systems to Clop ransomware, threatening critical IT infrastructure and calling for immediate zero trust segmentation.
Computer Software/Engineering
GlobalLogic's breach demonstrates software engineering firms' exposure to supply chain attacks, with HR data compromised affecting nearly 600 clients globally.
Airlines/Aviation
The impact on the Envoy Air subsidiary shows the aviation sector's vulnerability to ransomware campaigns targeting Oracle platforms, compromising business operations and commercial data.
Human Resources/HR
Exposed employee data, including SSNs, salary information, and bank details, highlights the HR sector's critical need for encrypted traffic and egress security.
Sources
- Hitachi subsidiary GlobalLogic impacted by Clop's attack spree on Oracle customers: https://cyberscoop.com/globallogic-oracle-clop-attacks/
- Oracle Security Alert Advisory - CVE-2025-61882: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html
- NVD - CVE-2025-61882: https://nvd.nist.gov/vuln/detail/CVE-2025-61882
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-61882
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, east-west traffic monitoring, granular egress controls, and threat detection capabilities could have significantly constrained the attacker's ability to move laterally, exfiltrate sensitive data, and execute extortion. CNSF-aligned controls enforce least-privilege access, restrict outbound communications, and provide real-time visibility into malicious behaviors.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Detection of web exploit signatures and rapid mitigation response at the point of ingress.
Control: Zero Trust Segmentation
Mitigation: Constrained privilege boundaries preventing unauthorized access across application layers.
Control: East-West Traffic Security
Mitigation: Blocked unauthorized lateral flows and triggered anomaly detection alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Prevented malicious outbound C2 traffic and enabled rapid threat response; stopped unapproved data exfiltration over encrypted or covert channels.
Enabled rapid containment, incident response, and forensics.
Impact at a Glance
Affected Business Functions
- Human Resources
- Payroll
- Financial Management
Estimated downtime: 14 days
Estimated loss: $5,000,000
Exposure of sensitive employee data including names, addresses, phone numbers, email addresses, dates of birth, nationalities, passport information, internal employee numbers, tax identifiers such as Social Security numbers, salary information, and bank account details.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and granular identity-based access policies within critical business platforms to inhibit lateral movement.
- Implement inline threat detection and network anomaly response for rapid mitigation of zero-day exploits and suspicious traffic flows.
- Apply strict egress controls and FQDN-based filtering to block unauthorized data transfers and command and control activity.
- Extend visibility across all multicloud and SaaS environments to enable proactive monitoring and rapid incident response.
- Continuously baseline east-west and outbound traffic patterns for early detection and containment of covert exfiltration attempts.
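Two of the controls above (FQDN-based egress filtering, and baselining outbound traffic so covert exfiltration stands out) can be shown concretely on flow logs. The script below is an added example, not code from the report or from any CNSF product: it parses constructed outbound flow records from an application tier, builds a per-host daily egress baseline over a quiet window, and then raises two kinds of alert for a later day: any flow to a destination outside the egress allowlist, and any host whose daily bytes out exceed its baseline mean by more than three standard deviations. The log format, hostnames, FQDNs and the allowlist are all assumptions constructed for the example; the exfiltration on the last day is deliberately large so that the volume check fires even though the traffic is on port 443.

```python
"""Baseline per-host outbound traffic from flow logs and flag exfiltration-like egress.

Added example, not part of the original report. Log format, hostnames, FQDNs and
the allowlist are constructed for this example; the two checks are the ones the
report recommends: FQDN-based egress filtering and baselining of outbound volume.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed flow records: "<date> <src_host> <dst_fqdn> <dst_port> <bytes_out>".
# Days 1-3 are normal; on day 4 ebs-app-01 pushes ~950 MB to an unknown host over 443.
FLOW_LOGS = """\
2024-10-01 ebs-app-01 updates.example.com 443 1200000
2024-10-01 ebs-app-01 api.partner.example.net 443 800000
2024-10-01 ebs-app-02 updates.example.com 443 500000
2024-10-02 ebs-app-01 updates.example.com 443 1100000
2024-10-02 ebs-app-01 api.partner.example.net 443 700000
2024-10-02 ebs-app-02 updates.example.com 443 600000
2024-10-03 ebs-app-01 updates.example.com 443 1300000
2024-10-03 ebs-app-01 api.partner.example.net 443 900000
2024-10-03 ebs-app-02 updates.example.com 443 400000
2024-10-04 ebs-app-01 updates.example.com 443 1200000
2024-10-04 ebs-app-01 cdn-share.example.org 443 950000000
2024-10-04 ebs-app-02 updates.example.com 443 550000
"""

# Assumed egress allowlist: FQDNs this application tier is approved to reach.
ALLOWED_EGRESS_FQDNS = {"updates.example.com", "api.partner.example.net"}


@dataclass(frozen=True)
class Flow:
    day: str
    src_host: str
    dst_fqdn: str
    dst_port: int
    bytes_out: int


def parse_flows(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, dst, port, nbytes = line.split()
        flows.append(Flow(day, src, dst, int(port), int(nbytes)))
    return flows


def daily_totals(flows: list[Flow]) -> dict[str, dict[str, int]]:
    """bytes_out per source host per day."""
    totals: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src_host][f.day] += f.bytes_out
    return totals


def build_baseline(flows: list[Flow], baseline_days: set[str]) -> dict[str, tuple[float, float]]:
    """Mean and population stdev of daily egress per host over the baseline window."""
    totals = daily_totals([f for f in flows if f.day in baseline_days])
    baseline = {}
    for host, days in totals.items():
        vals = list(days.values())
        baseline[host] = (mean(vals), pstdev(vals))
    return baseline


def detect(flows: list[Flow], baseline: dict[str, tuple[float, float]], day: str,
           sigma: float = 3.0) -> list[tuple[str, str]]:
    """Return (host, reason) alerts for one day: allowlist violations and volume anomalies."""
    alerts = []
    day_flows = [f for f in flows if f.day == day]
    # Policy check: a destination outside the FQDN allowlist is a violation regardless of volume.
    for f in day_flows:
        if f.dst_fqdn not in ALLOWED_EGRESS_FQDNS:
            alerts.append((f.src_host, f"egress to non-allowlisted FQDN {f.dst_fqdn}:{f.dst_port}"))
    # Volume check: exfiltration over an encrypted channel still shows up as a jump in bytes out.
    for host, days in daily_totals(day_flows).items():
        total = days[day]
        if host not in baseline:
            alerts.append((host, "no egress baseline for host"))
            continue
        mu, sd = baseline[host]
        if total > mu + sigma * sd:
            alerts.append((host, f"daily egress {total} B exceeds baseline {mu:.0f} + {sigma:g}*{sd:.0f}"))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOGS)
    baseline = build_baseline(flows, {"2024-10-01", "2024-10-02", "2024-10-03"})
    for host, reason in detect(flows, baseline, "2024-10-04"):
        print(f"ALERT {host}: {reason}")
```

The allowlist check is the enforcement control (a firewall or proxy would block the flow outright), while the volume check is the detection control that catches traffic which is allowed by policy but abnormal in size; ebs-app-02, whose day-4 volume sits inside its baseline, produces no alert, which is the false-positive behaviour a practitioner should confirm before tuning `sigma` downward.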