Executive Summary
In August 2023, the University of Pennsylvania became one of nearly 100 organizations targeted in a sweeping data theft and extortion campaign by the Clop ransomware group. Exploiting previously unknown vulnerabilities in Oracle E-Business Suite (EBS), attackers gained unauthorized access to sensitive university systems over several days. Personal data, including names, Social Security numbers, and financial information, was exposed for thousands of individuals. The exposure was detected primarily when Clop issued extortion demands and Oracle disclosed the vulnerability in late September. Patch deployment followed, with no public evidence of further data misuse.
The mass exploitation of Oracle EBS by Clop highlights a rising trend of sophisticated ransomware groups targeting widely used enterprise applications through zero-day attacks. This incident underscores renewed urgency for robust patch management, vigilant monitoring, and segmentation in response to evolving ransomware tactics and large-scale supply chain risks.
Why This Matters Now
This breach demonstrates how rapidly attackers can weaponize zero-day vulnerabilities in critical business platforms, affecting large segments across higher education, media, and commercial sectors. It calls urgent attention to supply chain and third-party software exposures, requiring all organizations to reassess risk, update vulnerability response protocols, and prioritize proactive segmentation and monitoring.
Attack Path Analysis
Clop actors exploited a zero-day vulnerability in Oracle E-Business Suite to gain initial access to university environments. Once inside, they likely escalated privileges using available defects or misconfigurations. Attackers traversed internal systems to locate sensitive data, leveraging lateral movement within the EBS cloud ecosystem. They established outbound command-and-control channels to coordinate exfiltration operations. Large volumes of sensitive personal and financial data were extracted over several days, culminating in extortion messaging and breach notification. Victims only became aware after the group issued demands, highlighting blind spots in hybrid cloud visibility and egress controls.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited an undisclosed vulnerability in Oracle E-Business Suite to gain initial unauthorized access to cloud-hosted environments.
Related CVEs
CVE-2025-61882
CVSS 9.8
A critical vulnerability in Oracle E-Business Suite's BI Publisher Integration component allows unauthenticated remote code execution over HTTP.
Affected Products:
Oracle E-Business Suite – 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12, 12.2.13, 12.2.14
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Obtain Capabilities: Vulnerabilities
System Information Discovery
Data from Local System
Exfiltration Over C2 Channel
Data Encrypted for Impact
Phishing: Spearphishing Attachment
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security of System Components
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Art. 8
CISA Zero Trust Maturity Model v2.0 – Asset Inventory and Vulnerability Management
Control ID: Pillar: Devices - Capability: Asset Management
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Higher Education/Academia
Universities face critical ransomware exposure through Oracle EBS vulnerabilities, compromising student and employee data where zero trust segmentation and threat detection capabilities are limited.
Information Technology/IT
The IT sector is highly vulnerable to Clop ransomware exploiting zero-day Oracle vulnerabilities, and requires enhanced egress security and multicloud visibility to protect enterprise systems.
Media Production
Media organizations such as the Washington Post were targeted by Clop attacks on Oracle systems, and need encrypted traffic protection and anomaly detection for sensitive content data.
Automotive
Automotive companies such as Cox Enterprises were exposed through Oracle EBS attacks, and require east-west traffic security and inline IPS to protect supplier and customer data.
Sources
- University of Pennsylvania joins growing pool of Oracle customers impacted by Clop attacks: https://cyberscoop.com/university-pennsylvania-oracle-e-business-suite-clop-attacks/
- Oracle E-Business Suite Zero-Day Vulnerability Exploited in Widespread Extortion Campaign: https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation
- Oracle E-Business Suite Vulnerability Exploited In Ransomware Attacks: https://www.crn.com/news/security/2025/cisa-oracle-e-business-suite-vulnerability-exploited-in-ransomware-attacks
- Oracle E-Business Suite Zero-Day Vulnerability CVE-2025-61882: https://www.esentire.com/security-advisories/oracle-e-business-suite-zero-day-vulnerability-cve-2025-61882
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, and egress enforcement would have constrained the intrusion, limited lateral attacker movement, and prevented unauthorized data exfiltration. Enhanced multicloud visibility and threat detection would have accelerated detection and reduced dwell time, minimizing breach impact.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Prevents or detects unauthorized cloud entry attempts through distributed inline controls.
Control: Zero Trust Segmentation
Mitigation: Restricts movement, so escalation actions require explicit authorization tied to identity and least privilege.
Control: East-West Traffic Security
Mitigation: Detects and blocks unauthorized lateral movement between workloads and services.
Control: Threat Detection & Anomaly Response
Mitigation: Rapidly detects C2 beaconing, remote access, and suspicious traffic patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unauthorized external data transfers and alerts on policy violations.
Accelerates breach response and scope containment, minimizing operational impact.
Impact at a Glance
Affected Business Functions
- Financial Management
- Human Resources
- Supply Chain Management
Estimated downtime: 3 days
Estimated loss: $500,000
Personal information, including names, Social Security numbers, and financial account details of nearly 1,500 individuals, was exposed.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation on all critical cloud workloads to prevent lateral movement and privilege abuse.
- Deploy east-west traffic inspection and microsegmentation controls to detect and halt internal attacker pivots.
- Implement strict egress filtering and policy enforcement to block unauthorized outbound data flows from SaaS and PaaS services.
- Continuously monitor for anomalies and C2 activity with threat-aware baseline detection across hybrid cloud infrastructure.
- Centralize multicloud visibility, audit, and policy management to accelerate incident detection, response, and recovery efforts.
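The egress-security and anomaly-monitoring controls listed above, and in the CNSF mitigation list, describe two detections that would have surfaced this intrusion earlier: an application host pushing far more data outbound than its learned baseline, and a host contacting a new destination at machine-regular intervals. The following is an added example written for this brief, not code from the original page or from any vendor product; the flow records are constructed inline, the host names are hypothetical EBS application nodes, and the baseline window, alert thresholds and record layout are assumptions chosen for illustration.

```python
"""Egress-volume baseline and periodic-connection (beacon) heuristics.

Added example, not part of the original brief. Flow records are constructed;
field order (ts_seconds, src_host, dst_ip, dst_port, bytes_out), the one-day
learning window and every threshold below are assumptions, not a vendor schema.
"""
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600
BASELINE_END = 24 * HOUR          # assumed learning window: the first day of flows
ABS_FLOOR_BYTES = 100_000_000     # assumed floor: never alert below 100 MB per hour
SIGMA_K = 3.0                     # alert above mean + 3 * stdev of hourly baseline
MIN_BEACON_CONNS = 8              # minimum connections before periodicity is judged
MAX_BEACON_CV = 0.1               # coefficient of variation below this = periodic


def make_flows():
    """Constructed sample flows for two hypothetical EBS application nodes."""
    flows = []
    for host in ("ebs-app-01", "ebs-app-02"):
        for i in range(24):                           # one jittered flow per hour, day 1
            ts = i * HOUR + (i * 7919) % 1800
            flows.append((ts, host, "203.0.113.10", 443, 40_000 + (i * 1313) % 20_000))
    # Day 2 on ebs-app-02: six 900 MB pushes to a never-seen destination (exfil-like).
    for i in range(6):
        flows.append((90_000 + i * 600, "ebs-app-02", "198.51.100.77", 443, 900_000_000))
    # Day 2 on ebs-app-02: a tiny connection every 300 s to another new destination.
    for i in range(12):
        flows.append((90_000 + i * 300, "ebs-app-02", "198.51.100.88", 8443, 512))
    return flows


def hourly_egress(flows):
    """Sum bytes_out per (host, hour bucket)."""
    totals = defaultdict(int)
    for ts, host, _dst, _port, nbytes in flows:
        totals[(host, ts // HOUR)] += nbytes
    return totals


def egress_volume_alerts(flows):
    """Hosts and hours whose outbound volume exceeds their learned hourly baseline."""
    baseline = [f for f in flows if f[0] < BASELINE_END]
    observed = [f for f in flows if f[0] >= BASELINE_END]
    per_host = defaultdict(list)
    for (host, _hour), total in hourly_egress(baseline).items():
        per_host[host].append(total)
    alerts = []
    for (host, hour), total in sorted(hourly_egress(observed).items()):
        hist = per_host.get(host)
        if hist and len(hist) >= 2:
            limit = max(ABS_FLOOR_BYTES, mean(hist) + SIGMA_K * pstdev(hist))
        else:
            limit = ABS_FLOOR_BYTES       # no baseline yet: fall back to the floor
        if total > limit:
            alerts.append({"host": host, "hour": hour, "bytes": total, "limit": int(limit)})
    return alerts


def beacon_alerts(flows):
    """(host, dst, port) tuples contacted at near-constant intervals."""
    by_pair = defaultdict(list)
    for ts, host, dst, port, _n in flows:
        by_pair[(host, dst, port)].append(ts)
    alerts = []
    for key, stamps in sorted(by_pair.items()):
        if len(stamps) < MIN_BEACON_CONNS:
            continue                      # too few samples to call it periodic
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < MAX_BEACON_CV:
            alerts.append({"host": key[0], "dst": key[1], "port": key[2],
                           "period_s": round(avg), "count": len(stamps)})
    return alerts


if __name__ == "__main__":
    sample = make_flows()
    for a in egress_volume_alerts(sample):
        print("EGRESS", a)
    for a in beacon_alerts(sample):
        print("BEACON", a)
```

On the constructed data the volume check flags only ebs-app-02 in the hour of the bulk transfer, and the periodicity check flags only the 300-second connections to 198.51.100.88; the jittered day-1 traffic and the six bulk transfers (too few connections to judge) stay quiet. The absolute floor matters in practice: a freshly deployed node has no history, and a standard-deviation rule alone would either alert on everything or nothing.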