CL0P attack against Oracle E-Business Suite
Cohesity REDLab has released updates to the threat library in response to the active exploitation of Oracle E-Business Suite (EBS) by threat actor CL0P. Users should closely monitor anti-ransomware backup anomalies in Security Center. It is recommended to use the Threat Scan feature in tandem with anti-ransomware to scan backup data using the default threat library or custom YARA rules. Users should also run periodic file-hash scans to detect dormant malware in backup data.
Deep Dive
A financially motivated actor (using the CL0P extortion brand) has been mass-exploiting Oracle E-Business Suite (EBS) vulnerabilities and sending extortion emails to executives claiming data theft. This was first observed by Google in August and publicly described in September–October 2025. Oracle issued emergency security alerts and patches in early October 2025 (including for CVE-2025-61882 and CVE-2025-61884). The EBS flaws allow unauthenticated HTTP access to sensitive application functionality, making internet-facing EBS instances high-value targets.
The attack chain works as follows:
A. Reconnaissance & targeting: Attackers scan for internet-facing Oracle EBS instances (HTTP endpoints for /OA_HTML/*, SyncServlet, UiServlet, XDO/XSL endpoints). Attackers often enumerate EBS pages and probe known servlet endpoints.
B. Trigger SSRF/Template injection paths: The exploit chains target EBS servlet endpoints. Attackers POST crafted payloads that abuse XDO/XSL template functionality to store malicious templates in the application database (XDO_TEMPLATES_B). A high-fidelity indicator is requests that hit the TemplatePreview endpoint with TemplateCode values beginning with TMP or DEF
C. Store malicious payload in DB: The XSL template contains embedded Base64 Java payload(s) which decode and execute via Java scripting APIs or by invoking Java classes. This moves execution into the JVM process handling EBS.
D. Execute payload: Triggering TemplatePreview invokes the stored XSL and causes the Java payload to run in-process. Results can be returned inside an HTML comment which is a stealthy return channel used by these families. Observed primitives include reverse shells and staged Java loaders.
E. Post-exploit: Attackers employ first-stage downloaders as observed by Google GTI. These often masquerade as TLS handshakes or embed responses in HTML comments to evade casual inspection. Attackers used reflective loaders and web filters so subsequent requests to crafted endpoints will trigger further payloads.
F. Credential access, discovery & lateral movement: Attackers can read configuration and DB contents. They may also attempt to move laterally to connected middleware or pivot using harvested creds.
G. Data exfiltration & extortion: Attackers extracted data from EBS and staged exfiltration to attacker-controlled servers. Historically with CL0P/FIN11-style operations, actors either leak data to pressure victims, negotiate ransoms or deploy ransomware.
Threat Scans can be run on backups of extracted XSL/templates. They can be run on backups of web server directories or files extracted by network sensors. If historic logs or SIEM data is backed up, then scans can also be run on those logs.
Final Remarks
Cohesity’s Anti-Ransomware and Threat Detection feature lets you scan backups and secondary stored data for anomalous behavior, known malware signatures, indicators of compromise (IOCs), using both built-in threat feeds and custom YARA rules. This helps ensure that the data recovered from backups is clean and avoids re-infecting production after a breach. It works by integrating curated threat intelligence and anomaly detection into Cohesity data protection platform so that customers can schedule or initiate threat scans over backups, inspect snapshots for malicious or suspicious artifacts, flag or quarantine compromised backups, and then use those evaluations to guide rapid recovery and response.
References:
Start your 30-day free trial or view one of our demos.
