{"id":8709,"date":"2025-11-25T10:03:55","date_gmt":"2025-11-25T10:03:55","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/25\/canon-allegedly-breached-by-clop-ransomware-via-oracle-e-business-suite-0-day-hack\/"},"modified":"2025-11-25T10:03:55","modified_gmt":"2025-11-25T10:03:55","slug":"canon-allegedly-breached-by-clop-ransomware-via-oracle-e-business-suite-0-day-hack","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/25\/canon-allegedly-breached-by-clop-ransomware-via-oracle-e-business-suite-0-day-hack\/","title":{"rendered":"Canon Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack"},"content":{"rendered":"

Canon Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Canon has officially confirmed that it was targeted during the widespread hacking campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS)<\/a>.<\/p>\n

The attack, orchestrated by the notorious Clop ransomware gang, has impacted dozens of major organizations worldwide. The group listed Canon on its dark web leak site, publishing the company\u2019s domain alongside other alleged victims.<\/p>\n

While the listing on the leak site raised concerns about a massive data breach, Canon clarified that the impact was contained. The camera and imaging giant stated that the compromise affected only a specific environment within one of its subsidiaries.<\/p>\n

According to the company, the attackers did not encrypt the broader network or disrupt global operations, which distinguishes this incident from the devastating Maze ransomware attack Canon suffered in 2020.<\/p>\n

Canon\u2019s security team detected the intrusion and immediately isolated the affected systems. In a statement shared with SecurityWeek, the company emphasized that the breach did not spread beyond a web server operated by a Canon U.S.A., Inc. subsidiary.<\/p>\n

The rapid containment likely prevented the theft of sensitive customer data or intellectual property, which the Clop group often seeks for extortion.\u200b<\/p>\n

\u201cWe have confirmed that the incident only affected the web server, and we have already taken security measures and resumed service,\u201d Canon said. \u201cIn addition, we are continuing to investigate further to ensure that there is no other impact\u201d.\u200b<\/p>\n

The Oracle EBS Zero-Day Exploit<\/strong><\/h2>\n

The vulnerability used in this campaign is tracked as CVE-2025-61882<\/a>, a critical security flaw in Oracle E-Business Suite. This zero-day allowed unauthenticated attackers to execute arbitrary code remotely on vulnerable servers.<\/p>\n

Security researchers discovered that Clop affiliates, tracked as Graceful Spider, began exploiting this flaw as early as August 2025 to plant web shells and exfiltrate data before Oracle could issue a patch in October.\u200b<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
Detail<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
CVE ID<\/strong><\/td>\nCVE-2025-61882<\/td>\n<\/tr>\n
CVSS Score<\/strong><\/td>\n9.8 (Critical)<\/td>\n<\/tr>\n
Affected Product<\/strong><\/td>\nOracle E-Business Suite (EBS)<\/td>\n<\/tr>\n
Affected Versions<\/strong><\/td>\n12.2.3 through 12.2.14<\/td>\n<\/tr>\n
Vulnerability Type<\/strong><\/td>\nUnauthenticated Remote Code Execution (RCE)<\/td>\n<\/tr>\n
Exploit Vector<\/strong><\/td>\nNetwork (No user interaction required)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

This incident is part of a larger \u201cmove-it-style\u201d extortion wave where Clop leveraged the zero-day to breach nearly 30 organizations. Instead of deploying encryption malware immediately, the group focused on data theft and subsequently sent extortion emails to executives starting in late September 2025<\/a>.<\/p>\n

These emails threatened to leak stolen documents unless a ransom was paid. The group\u2019s leak site currently lists domains, including Canon, suggesting these entities were successfully compromised during the automated exploitation phase.\u200b<\/p>\n

Indicators of Compromise (IoCs)<\/strong><\/p>\n

\n\n\n\n\n\n\n\n\n\n
Indicator Type<\/th>\nValue<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
IPv4 Address<\/strong><\/td>\n200.107.207.26<\/td>\nMalicious command and control (C2) IP<\/td>\n<\/tr>\n
IPv4 Address<\/strong><\/td>\n185.181.60.11<\/td>\nObserved exploitation source IP<\/td>\n<\/tr>\n
SHA256 Hash<\/strong><\/td>\n76b6d36e04e367a2334c445b51e1ecce97e4c614e88dfb4f72b104ca0f31235d<\/td>\nMalicious zip archive containing exploit tools<\/td>\n<\/tr>\n
SHA256 Hash<\/strong><\/td>\n6fd538e4a8e3493dda6f9fcdc96e814bdd14f3e2ef8aa46f0143bff34b882c1b<\/td>\nPython script used for server-side exploitation<\/td>\n<\/tr>\n
File Name<\/strong><\/td>\nFileUtils.java<\/td>\nMalicious web shell downloader<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Security teams are advised to scan their Oracle EBS environments for these indicators and apply the official patches immediately to prevent further unauthorized access.\u200b<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Canon Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Canon Allegedly Breached by Clop Ransomware via Oracle E-Business Suite 0-Day Hack Canon has officially confirmed that it was targeted during the widespread hacking campaign exploiting a critical zero-day vulnerability in Oracle E-Business Suite (EBS). The attack, orchestrated by the notorious Clop ransomware gang, has impacted dozens of major organizations worldwide. The group listed Canon […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[701,1636,129,63],"tags":[130],"class_list":["post-8709","post","type-post","status-publish","format-standard","hentry","category-cyber-attack","category-cyber-attack-news","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8709"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8709"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8709\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}