Oracle E-Business Suite Under Attack: How a Quiet Campaign Is Compromising Core Systems

Summary

Over the last several weeks, attackers have been actively targeting Oracle E-Business Suite environments at scale. More than 100 organizations have been compromised so far, with confirmed victims reported in mid-December including Harvard University, Wits University, Envoy Air, and The Washington Post.

What makes this campaign stand out is how methodical it is. The attackers are not rushing to drop malware or make noise. Instead, they are treating Oracle EBS as a long-term access point into core business systems.


How the attack actually works (step-by-step)

1. Finding the target

Attackers begin by scanning the internet for Oracle EBS systems that are reachable from the outside. These are often:

  • EBS web interfaces exposed directly to the internet
  • Systems sitting behind weak network controls
  • Older EBS deployments that haven’t been patched in a while

At this stage, there is no interaction beyond probing and fingerprinting the application.


2. Initial access into Oracle EBS

Once an exposed EBS system is identified, attackers attempt to gain access using:

  • Known Oracle EBS vulnerabilities
  • Weak or reused application credentials
  • Misconfigured services or overly permissive access rules

In many cases, this does not involve malware at all. Carefully crafted web requests are enough to gain a working foothold inside the application.


3. Testing and confirming access

After gaining initial access, attackers slow down. They don’t immediately pull data or change anything obvious. Instead, they:

  • Test which EBS modules they can access
  • Check what database connections are available
  • Confirm what level of permissions they have
  • Validate that access survives normal application restarts

This phase often looks like normal administrative activity unless someone is watching closely.


4. Establishing persistence inside the application

Rather than installing backdoors on the server, attackers usually persist inside Oracle EBS itself. This is one of the more dangerous parts of the attack.

Persistence is commonly achieved by:

  • Creating new EBS application users
  • Modifying roles or permissions of existing users
  • Embedding access into legitimate EBS components
  • Using standard authentication paths to maintain access

Because everything happens at the application level, system monitoring alone may not catch it.


5. Exploring and mapping valuable data

With persistence in place, attackers start learning where sensitive data lives. This includes:

  • Financial and accounting tables
  • HR and payroll data
  • User accounts and credential-related tables
  • Reporting and analytics data

They often run small queries first to understand structure before pulling anything significant.


6. Data access and slow exfiltration

Data is rarely taken all at once. Instead, attackers:

  • Access records in smaller chunks
  • Run queries during off-hours
  • Export data in ways that resemble normal reporting
  • Move data out gradually to avoid spikes in traffic

This approach helps them stay hidden for longer periods.


What attackers are after

Oracle EBS holds some of the most sensitive data an organization has. In this campaign, attackers appear focused on:

  • Financial transactions and ledgers
  • Employee and payroll records
  • Application user data
  • Internal business intelligence

Even limited access can result in serious business and regulatory impact.


Indicators of Compromise (IoCs)

Suspicious IP addresses observed

  • 185.225.73[.]102
  • 45.147.229[.]78
  • 91.92.247[.]89
  • 193.142.146[.]211
  • 103.153.79[.]44

Any unexpected external communication from EBS servers should be investigated.


Domains linked to staging or data movement

  • oracle-support-service[.]com
  • ebs-update-center[.]net
  • app-service-oracle[.]site
  • data-export-portal[.]online
  • oracle-cloud-sync[.]info

These domains are designed to look generic and support-related.


What to watch for (warning signs)

Inside Oracle EBS

  • New users created without change approval
  • Permission changes outside maintenance windows
  • Increased query activity against sensitive tables
  • EBS usage during unusual hours

On the server and database

  • New or modified files in EBS directories
  • Configuration changes without documented work
  • Database sessions accessing data they normally wouldn’t

Detection ideas

Suspicious EBS web activity

application = "Oracle EBS"
AND http_method = "POST"
AND request_size > normal_baseline

New EBS user creation

application = "Oracle EBS"
AND action = "user_created"
AND created_by NOT IN ("approved_admins")

Database activity outside business hours

source_application = "Oracle EBS"
AND query_volume > baseline
AND time_of_day NOT IN business_hours
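The three detection ideas above, written out as runnable rules over constructed Oracle EBS web and audit events (added example, not code from the original post; the event field names and the sample values are assumptions, not a real EBS log schema):

```python
# Added example: the three "Detection ideas" above as functions over constructed
# Oracle EBS log events. Field names (app, type, method, size, action, user, ts)
# are assumptions for illustration, not a real EBS log schema.
from collections import Counter
from datetime import datetime

# Constructed sample events: one normal POST, one oversized off-hours POST,
# one user creation by an unapproved account, one by an approved admin,
# and a burst of 30 off-hours queries against an HR table by one account.
EVENTS = [
    {"app": "Oracle EBS", "type": "http", "method": "POST", "size": 512,
     "ts": "2025-12-10T10:15:00", "user": "jsmith"},
    {"app": "Oracle EBS", "type": "http", "method": "POST", "size": 48000,
     "ts": "2025-12-10T02:40:00", "user": "svc_report"},
    {"app": "Oracle EBS", "type": "audit", "action": "user_created",
     "ts": "2025-12-10T03:05:00", "user": "svc_report", "target": "ops_backup"},
    {"app": "Oracle EBS", "type": "audit", "action": "user_created",
     "ts": "2025-12-10T11:00:00", "user": "admin_jane", "target": "new_hire"},
] + [
    {"app": "Oracle EBS", "type": "db_query", "ts": f"2025-12-10T02:{m:02d}:00",
     "user": "svc_report", "table": "HR.PER_ALL_PEOPLE_F"} for m in range(0, 60, 2)
]

def oversized_posts(events, baseline_bytes):
    """Rule 1: EBS POST requests whose body exceeds the normal baseline size."""
    return [e for e in events if e["app"] == "Oracle EBS" and e.get("type") == "http"
            and e["method"] == "POST" and e["size"] > baseline_bytes]

def unapproved_user_creation(events, approved_admins):
    """Rule 2: EBS user-creation audit records not performed by an approved admin."""
    return [e for e in events if e["app"] == "Oracle EBS"
            and e.get("action") == "user_created" and e["user"] not in approved_admins]

def offhours_query_spikes(events, baseline_per_hour, business_hours=range(8, 18)):
    """Rule 3: per-user, per-hour EBS query counts outside business hours that
    exceed the baseline. Returns {(user, hour): count} for the offending buckets."""
    counts = Counter()
    for e in events:
        if e["app"] != "Oracle EBS" or e.get("type") != "db_query":
            continue
        hour = datetime.fromisoformat(e["ts"]).hour
        if hour not in business_hours:
            counts[(e["user"], hour)] += 1
    return {k: v for k, v in counts.items() if v > baseline_per_hour}

if __name__ == "__main__":
    print(oversized_posts(EVENTS, 4096))
    print(unapproved_user_creation(EVENTS, {"admin_jane"}))
    print(offhours_query_spikes(EVENTS, 10))
```

In practice the baselines would be learned per endpoint and per account from historical EBS logs rather than hard-coded, and the approved-admin set would come from the change-management system.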

MITRE ATT&CK Alignment (High-Level)

  • T1190 – Exploit Public-Facing Application
  • T1059 – Command and Scripting Interpreter
  • T1505 – Server Software Component
  • T1098 – Account Manipulation
  • T1068 – Exploitation for Privilege Escalation
  • T1552 – Unsecured Credentials
  • T1005 – Data from Local System
  • T1048 – Exfiltration Over Alternative Protocol

Why this attack model works

Oracle EBS is trusted, complex, and difficult to change quickly. Attackers take advantage of this by hiding inside normal application behavior. Once access is established, it can remain unnoticed for weeks if application-level monitoring is weak.


Bottom line

This campaign shows how dangerous exposed enterprise applications can be. If Oracle EBS is reachable and not tightly monitored, attackers can gain deep, persistent access without deploying traditional malware. Defense requires visibility into application behavior, not just servers and networks.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.