#ClopRansomware
The Washington Post is one of the organizations hit by a large-scale cyberattack that targeted Oracle's business applications. #TheWashingtonPost #OracleBreach #ClopRansomware
The Washington Post falls victim to the Oracle data breach
Google researchers report that "massive amounts of customer data" were stolen during the operation. Harvard University and the airline Envoy, owned by Amer...
gr.pcmag.com
November 10, 2025 at 8:32 PM
Envoy Air Confirms Oracle Data Breach After Clop Ransomware Group Lists American Airlines on Leak Site #AmericanAirlinescyberattack #ClopRansomware #DataBreach
Envoy Air Confirms Oracle Data Breach After Clop Ransomware Group Lists American Airlines on Leak Site
Envoy Air, a regional carrier owned by American Airlines, has confirmed that data from its Oracle E-Business Suite application was compromised following claims by the Clop extortion group, which recently listed American Airlines on its data leak site.

"We are aware of the incident involving Envoy's Oracle E-Business Suite application," Envoy Air told BleepingComputer. "Upon learning of the matter, we immediately began an investigation and law enforcement was contacted. We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."

Envoy Air operates regional flights for American Airlines under the American Eagle brand. Although it functions as a separate entity, its operations are closely integrated with American’s systems for ticketing, scheduling, and passenger services.

The Clop ransomware group has begun leaking what it claims to be stolen Envoy data, posting the message: “The company doesn’t care about its customers, it ignored their security!!!”

This breach is tied to a wider campaign that began in August, in which Clop targeted Oracle E-Business Suite systems and began sending extortion demands to affected companies in September. Initially, Oracle said that attackers were exploiting vulnerabilities patched in July. However, the company later confirmed that the threat actors took advantage of a previously unknown zero-day flaw, now identified as CVE-2025-61882. Cybersecurity firms CrowdStrike and Mandiant later reported that Clop exploited the flaw in early August to infiltrate networks and install malware.

While the total number of victims remains unclear, Google’s John Hultquist told BleepingComputer that “dozens of organizations” were affected. The extortion gang is also targeting Harvard University as part of the same operation. The university confirmed to BleepingComputer that the breach affected “a limited number of parties associated with a small administrative unit.”

Adding to the concerns, Oracle quietly patched another zero-day flaw—CVE-2025-61884—in its E-Business Suite last week, which had been actively exploited since July 2025. The exploit was reportedly leaked by the Shiny Lapsus$ Hunters group on Telegram.

American Airlines has previously faced data breaches in 2022 and 2023, which exposed employee personal data.

Who is Clop?

The Clop ransomware group, also known as TA505, Cl0p, or FIN11, has been active since 2019. It initially used a variant of the CryptoMix ransomware to infiltrate corporate networks and steal information. Since 2020, the group has shifted its focus to exploiting zero-day vulnerabilities in file transfer and data storage platforms. Notable campaigns include:

* 2020: Accellion FTA zero-day attack impacting nearly 100 companies
* 2021: SolarWinds Serv-U FTP zero-day exploit
* 2023: GoAnywhere MFT zero-day breach affecting 100+ firms
* 2023: MOVEit Transfer campaign, their largest to date, compromising data from 2,773 organizations worldwide
* 2024: Exploited Cleo file transfer zero-days (CVE-2024-50623 and CVE-2024-55956) for data theft and extortion

The U.S. State Department is currently offering a $10 million reward for information linking Clop’s ransomware operations to any foreign government.
dlvr.it
October 26, 2025 at 3:24 PM
Clop Ransomware Exploits Oracle Zero-Day in Major Extortion Campaign #ClopRansomware #ExtortionCampaign #Oracle
Clop Ransomware Exploits Oracle Zero-Day in Major Extortion Campaign
The Clop ransomware gang has orchestrated a massive extortion campaign targeting Oracle E-Business Suite customers by exploiting a critical zero-day vulnerability tracked as CVE-2025-61882. The vulnerability, which carries a CVSS score of 9.8, affects Oracle EBS versions 12.2.3 through 12.2.14 and allows unauthenticated remote code execution without requiring credentials.

Beginning September 29, 2025, Clop operatives sent high-volume extortion emails to executives at numerous organizations, claiming to have stolen sensitive data from their Oracle EBS environments. However, investigations by Google Threat Intelligence Group and Mandiant revealed that active exploitation began much earlier—as early as August 9, 2025, with suspicious activity dating back to July 10, 2025. This means attackers exploited the vulnerability weeks before Oracle released a patch on October 4, 2025.

The vulnerability affects the Concurrent Processing component's BI Publisher integration within Oracle EBS, allowing attackers to execute arbitrary code and gain complete control over compromised servers. Researchers identified multiple distinct exploitation chains targeting various EBS components, including UiServlet and SyncServlet modules. The most probable attack vector involved the SyncServlet module, where attackers injected malicious XSL files into databases via the XDO Template Manager to trigger remote code execution.

The campaign involved sophisticated multi-stage malware frameworks, including GOLDVEIN.JAVA downloader and the SAGE malware family. These tools closely resemble malware families deployed during Clop's previous Cleo software compromise in late 2024, strengthening attribution to the notorious cybercrime group. Attackers successfully exfiltrated significant amounts of data from impacted organizations, affecting dozens of victims according to current assessments.

Clop, also known as TA505 or FIN11, has been active since 2019 and maintains a track record of exploiting zero-day vulnerabilities in enterprise platforms. The group previously targeted Accellion FTA, SolarWinds Serv-U FTP, GoAnywhere MFT, MOVEit Transfer, and Cleo file transfer systems. This latest campaign demonstrates Clop's continued focus on rapid zero-day exploitation of critical enterprise software for large-scale data extortion operations.

Oracle issued an emergency security alert on October 4, 2025, urging customers to apply the patch immediately. The FBI characterized the zero-day as "an emergency putting Oracle E-Business Suite environments at risk of full compromise". CISA added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog and issued urgent alerts regarding active exploitation for ransomware attacks worldwide.
dlvr.it
October 13, 2025 at 1:17 PM
Major data breach alert: Clop ransomware exploits Oracle E-Business Suite vulnerabilities, impacting numerous organizations. Stay informed and secure. #CyberSecurity #DataBreach #Oracle #ClopRansomware Link: thedailytechfeed.com/widespread-d...
October 10, 2025 at 10:33 AM
Google has warned of Clop ransomware gang allegedly breaching Oracle E-Business Suite via stolen credentials and phishing emails, demanding ransoms up to $50M. CISA flags Clop as major global cyber threat.

#Google #ClopRansomware #Ransomware #Oracle

Read 👇🏻
Clop Ransomware Targets Oracle E-Business Suite Users: Google Issues Warning - BigBreakingWire
Google has issued a warning after hackers claiming to be part of the Clop ransomware gang allegedly stole sensitive data from Oracle E-Business Suite and…
bigbreakingwire.in
October 3, 2025 at 10:09 AM
#Cybersecurity Alert: Retail giant Sam's Club investigating potential #ClopRansomware breach. Claims suggest data exfiltration—customers & employees at risk.
Monitor for updates & review access controls.

Details: www.bleepingcomputer.com/news/securit...
Retail giant Sam’s Club investigates Clop ransomware breach claims
Sam's Club, an American warehouse supermarket chain owned by U.S. retail giant Walmart, is investigating claims of a Clop ransomware breach.
www.bleepingcomputer.com
March 29, 2025 at 9:02 AM
Clop ransomware claims responsibility for Cleo data theft attacks – DataBreaches.Net
databreaches.net
December 16, 2024 at 2:36 PM