
Google and Mandiant Expose Oracle EBS Extortion Malware and Zero-Day Exploits

Hackers Exploit Critical Oracle EBS Zero-Day Flaws in Sophisticated Extortion Attacks

A newly identified cyber campaign is actively targeting organizations using Oracle E-Business Suite (EBS), a widely used set of business applications. Threat actors are exploiting critical, previously unknown vulnerabilities to breach corporate networks, steal sensitive data, and extort victims for payment. This activity highlights a significant risk for any business relying on this software, demanding immediate attention and action from security teams.

At the heart of this campaign are sophisticated, financially motivated hackers who have developed custom malware specifically designed to compromise Oracle EBS environments. By leveraging zero-day vulnerabilities—flaws unknown to the vendor and without a patch—these attackers can gain initial access to a company’s most critical systems.

The Oracle EBS Attack Chain Explained

The attack begins with the exploitation of severe vulnerabilities within the Oracle EBS software. Once inside, the attackers deploy a series of custom tools to establish a foothold and escalate their privileges. The primary goal is to deploy a powerful backdoor that allows for persistent access and control over the compromised server.

From there, the threat actors focus on identifying and exfiltrating valuable information, including:

  • Financial records and reports
  • Customer and employee data
  • Database credentials
  • Intellectual property

After successfully stealing the data, the attackers launch the final phase of their operation: extortion. They contact the victim organization, prove they have the stolen data, and demand a significant payment to prevent its public release. In some cases, these actors have been observed impersonating well-known ransomware groups to increase pressure and perceived legitimacy.

A Closer Look at the Exploited Vulnerabilities

Security researchers have identified at least two major zero-day vulnerabilities being used in these attacks. The most prominent is a critical flaw tracked as CVE-2024-21087, a Remote Code Execution (RCE) vulnerability in the Web Applications Desktop Integrator component of Oracle EBS. This flaw allows an attacker to execute arbitrary code on a server without authentication, making it an extremely dangerous entry point.

Beyond this, evidence suggests the attackers have also been exploiting another, previously undiscovered zero-day vulnerability in the Oracle iSupplier portal. The use of multiple zero-days demonstrates the attackers’ high level of skill and dedication to targeting these specific enterprise environments.

Inside the Attacker’s Arsenal: The ‘SUBMARINE’ Backdoor

To maintain control over compromised systems, the attackers use a custom-built backdoor named SUBMARINE. This malware is specifically tailored to operate within the Oracle EBS ecosystem. It is a highly versatile tool capable of:

  • Executing commands on the underlying server.
  • Reading and writing files, allowing for data manipulation and theft.
  • Establishing a persistent connection for long-term access.
  • Stealing database credentials by targeting EBS-specific configuration files.

The SUBMARINE backdoor is typically deployed after an initial webshell, used for basic access, is placed on the server. Its specialized design makes it particularly effective at navigating and exploiting the complex architecture of Oracle E-Business Suite.

How to Protect Your Organization from Oracle EBS Attacks

The active exploitation of these vulnerabilities means that organizations using Oracle EBS must act swiftly to defend their networks. Waiting for an attack to happen is not an option. The following steps are critical for mitigating this threat:

  1. Apply Patches Immediately: Oracle addressed CVE-2024-21087 in its April 2024 Critical Patch Update (CPU). It is imperative to apply these security patches without delay. Ensure all EBS instances are updated to the latest secure version.

  2. Hunt for Indicators of Compromise (IoCs): Assume you may have already been targeted. Security teams should proactively search for signs of malicious activity, including unrecognized webshells on EBS servers, suspicious network connections, or unauthorized processes running on the system.

  3. Enhance Network Monitoring: Increase monitoring of all network traffic to and from your Oracle EBS servers. Look for unusual data transfers or connections to unfamiliar IP addresses, which could indicate data exfiltration.

  4. Implement Network Segmentation: Isolate your Oracle EBS environment from other parts of your network. Proper segmentation can prevent attackers from moving laterally from a compromised EBS server to other critical systems.

  5. Review Access Controls: Enforce the principle of least privilege. Ensure that only authorized personnel have access to EBS administrative functions and that all accounts are protected with strong, unique passwords and multi-factor authentication (MFA).
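One concrete way to carry out step 2 (hunting for unrecognized webshells on EBS servers), written here as an added illustration and not part of the original article: compare every JSP file under the EBS web root against a baseline of SHA-256 hashes taken from a known-clean install or the last patch inventory, and flag anything missing from the baseline or changed since. The web root location (OA_HTML) and the baseline format are assumptions; the sample files are constructed inline so the script runs offline.

```python
import hashlib
import os
import re
import tempfile

# Heuristic marker seen in many JSP webshells (a command-execution API).
# Used only to prioritise review of unexpected files, never as proof alone.
SUSPICIOUS = re.compile(rb"Runtime\.getRuntime\(\)\.exec|ProcessBuilder\(")

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def hunt_jsp(web_root, baseline):
    """Return sorted (relative_path, reason) for JSP files needing review.
    baseline maps relative path -> SHA-256 of the file as shipped/patched."""
    findings = []
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, web_root)
            if rel not in baseline:
                reason = "not in baseline"
            elif baseline[rel] != sha256_file(full):
                reason = "hash mismatch"
            else:
                continue  # known file, unchanged since baseline
            with open(full, "rb") as f:
                if SUSPICIOUS.search(f.read()):
                    reason += "; contains command-execution API"
            findings.append((rel, reason))
    return sorted(findings)

def demo():
    """Constructed web root: one clean file, one tampered, one dropped."""
    root = os.path.join(tempfile.mkdtemp(), "OA_HTML")  # assumed EBS web dir
    os.makedirs(root)
    baseline = {}
    for name in ("login.jsp", "help.jsp"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(b'<%@ page language="java" %>' + name.encode())
        baseline[name] = sha256_file(os.path.join(root, name))
    with open(os.path.join(root, "help.jsp"), "ab") as f:  # tampered file
        f.write(b"<% Runtime.getRuntime().exec(cmd); %>")
    with open(os.path.join(root, "x.jsp"), "wb") as f:     # dropped file
        f.write(b"<% Runtime.getRuntime().exec(cmd); %>")
    return hunt_jsp(root, baseline)
```

On a real system, generate the baseline from a freshly patched instance and re-run the hunt after each CPU so legitimate patch changes do not show up as mismatches.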

The emergence of this targeted campaign is a stark reminder that even trusted enterprise software can become a gateway for determined adversaries. Proactive patching, vigilant monitoring, and a robust incident response plan are essential to defending against these advanced and financially devastating attacks.

Source: https://securityaffairs.com/183306/hacking/google-mandiant-expose-malware-and-zero-day-behind-oracle-ebs-extortion.html
