Oracle EBS Extortion & Nutanix Ransomware Risks

Oracle EBS zero-days are fueling a massive extortion campaign. Plus, ransomware groups Akira and Helldown pivot to virtualization.
Nov 22, 2025

Weekly Threat Analysis — Nov 14–21, 2025 (EU/Lisbon)

Author: Trescudo Threat Research
Reviewed by: Derick Smith (CEO) & Marçal Santos (CISM, CDPSE)
Last updated: Nov 22, 2025

Executive Summary

The Week of the ERP Zero-Days. A coordinated extortion campaign exploiting Oracle E-Business Suite (EBS) zero-days (CVE-2025-61882/61884) kept expanding, with The Washington Post confirming impact and additional victims reported across multiple sectors (Logitech, Allianz UK, GlobalLogic). Lesson: ERP is now a frontline attack surface; treat app servers and build pipelines as Tier-1. (SecurityWeek)

Virtualization & Backups Under Fire. Operators behind Akira continued pivoting from ESXi/Hyper-V toward Nutanix AHV, entering through known edge-device vulnerabilities and tampering with backups before encryption; meanwhile the Helldown ransomware family (active since 2024) remains a live Linux/VMware risk pattern to keep on your radar. (TechRadar)

KEV Keeps Moving. CISA added new entries to the Known Exploited Vulnerabilities (KEV) catalog this week, and reporting highlighted Fortinet FortiWeb zero-days drawing accelerated patch deadlines, the kind of evidence that justifies an emergency change window to the board. (CISA)

1) Notable Breaches & Attacks

Oracle EBS Zero-Day Campaign (Cl0p/FIN11 cluster) — Confirmed expansion

What happened: Threat actors exploited two unauthenticated flaws in Oracle E-Business Suite, a remote code execution bug (CVE-2025-61882) and an unauthorized-access bug (CVE-2025-61884), to steal HR/finance data and extort victims. The Washington Post disclosed that nearly 10,000 employees/contractors were notified. Additional victims cited include Logitech (via a third-party zero-day) and other enterprises. Oracle released emergency patches.
Why it matters: Classic “back-office” ERP is now a front door for data extortion, and because the intrusion happens at the application tier it often bypasses endpoint defenses entirely. Many EU orgs run EBS for payroll/AP, making this a regionally relevant risk.
Trescudo assessment: Severity 9/10. Treat Oracle EBS like a Tier-1 internet-adjacent asset: immediate patching, WAF hardening, and token/key rotations. (BleepingComputer)

Virtualization & Backups in the crosshairs — Akira pivots to Nutanix; Helldown stays hot

What happened: Akira now encrypts Nutanix AHV virtual-machine disk files in addition to ESXi/Hyper-V workloads, typically gaining entry through SonicWall devices vulnerable to CVE-2024-40766 and tampering with Veeam/backup infrastructure before encryption. Separate reporting (2024–2025) shows Helldown targeting Linux/VMware ESXi hosts, frequently paired with exposed Zyxel edge devices.
Why it matters: EU data centers widely rely on VMware/Nutanix; backup control remains decisive for blast-radius.
Trescudo assessment: Severity 8/10. Validate edge-device patch status, restrict hypervisor UIs, and prove restore drills (RTO/RPO) weekly. (TechRadar)


2) Active Threats & Vulnerabilities

KEV updates & FortiWeb urgency

Signal: CISA KEV added fresh actively exploited items this week; in parallel, coverage flagged Fortinet FortiWeb zero-days with accelerated government patch deadlines.
Action: If it’s KEV, assume exploitation in the wild. Track KEV MTTR as a board metric and allow emergency change windows.
Trescudo assessment: Severity 7/10. Internet-facing panels and WAF/WAAP belong behind IP allow-lists and MFA. (CISA)


3) Threat Teardown — Oracle EBS Zero-Days (CVE-2025-61882/61884)

What’s new: ERP was historically “internal IT.” Cloud exposure, remote workforce, and vendor integrations have turned EBS into a prime target. Patches were released urgently in Oct–Nov 2025 following exploitation. (TechRadar)

STEM failure: Configuration & dependency governance. Unhardened app servers, stale modules, and permissive reverse proxies broadened attack paths.

TTPs seen across cases:

  • Unauthenticated HTTP access → RCE/unauthorized access to EBS components

  • Data exfil from HR/finance modules; extortion emails to executives

  • Back-channel pressure via listings on leak sites (Cl0p/FIN11) (Reuters)

The fix (what “good” looks like):

  • Patch policy: Treat EBS as Tier-1 (same patch SLA as IdP/payment).

  • Perimeter: No direct internet exposure for admin paths; WAF/WAAP with positive security model; geo-IP/rate limits.

  • Identity: FIDO2/passkeys for EBS admins; JIT access; session-token rotation post-patch.

  • Supply chain: SBOM for customizations; sign releases; CI/CD secrets scanning.

  • Restore-proof: Quarterly live restore of EBS DB/app tiers; immutable/offline copies.
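The “Perimeter” fix above (and the EBS Perimeter Check in section 6) is easier to reason about as a decision function than as a list of WAF features. The following is an added example written for this digest; it is not Trescudo, Oracle or WAF-vendor code. It implements a positive security model for an EBS front end: any path not explicitly classified is denied, admin/integration paths are only reachable from allow-listed networks, and public paths are geo-restricted and rate-limited. The path patterns, CIDRs and country codes are assumptions; /OA_HTML/ is the standard EBS web prefix, but the specific admin patterns are placeholders for your own inventory.

```python
# Added example, not from the original post or any vendor. Positive-security
# edge policy for an Oracle EBS front end. Patterns, CIDRs and countries are
# assumptions for illustration.
import ipaddress
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed URL layout: explicitly enumerated public paths, explicitly
# enumerated admin/integration paths, everything else is unknown.
PUBLIC_PATHS = [
    re.compile(r"^/OA_HTML/AppsLogin$"),
    re.compile(r"^/OA_HTML/(RF|OA)\.jsp$"),
]
ADMIN_PATHS = [
    re.compile(r"^/OA_HTML/[A-Za-z]+Servlet$"),  # servlet-style integration endpoints (placeholder)
    re.compile(r"^/forms/"),                      # Forms servlet sessions (placeholder)
]


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


class EdgePolicy:
    def __init__(self, admin_allow_cidrs, allowed_countries, rate_limit=20, window_s=60):
        self.admin_nets = [ipaddress.ip_network(c) for c in admin_allow_cidrs]
        self.allowed_countries = set(allowed_countries)
        self.rate_limit = rate_limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # src_ip -> request timestamps inside the window

    @staticmethod
    def classify(path):
        """Positive model: 'public', 'admin' or 'unknown'. Unknown is denied."""
        if any(p.match(path) for p in PUBLIC_PATHS):
            return "public"
        if any(p.match(path) for p in ADMIN_PATHS):
            return "admin"
        return "unknown"

    def _over_rate(self, src_ip, now):
        """Sliding-window counter: True once this IP exceeds rate_limit in window_s."""
        q = self._hits[src_ip]
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        return len(q) > self.rate_limit

    def evaluate(self, src_ip, path, country, now=None):
        """Decide one request. `now` is injectable so the logic is testable."""
        now = time.monotonic() if now is None else now
        if self._over_rate(src_ip, now):
            return Decision(False, "rate-limit")
        kind = self.classify(path)
        if kind == "unknown":
            return Decision(False, "path not in positive model")
        if kind == "admin":
            addr = ipaddress.ip_address(src_ip)
            if not any(addr in net for net in self.admin_nets):
                return Decision(False, "admin path outside allow-list")
            return Decision(True, "admin path from allow-listed network")
        if country not in self.allowed_countries:
            return Decision(False, f"geo {country} not allowed")
        return Decision(True, "public path")


def demo():
    """Constructed request sequence: (source IP, path, country of the source IP)."""
    policy = EdgePolicy(["10.20.0.0/16"], ["PT", "ES", "DE"], rate_limit=3, window_s=60)
    requests = [
        ("203.0.113.5", "/OA_HTML/AppsLogin", "PT"),      # public, allowed country
        ("203.0.113.5", "/OA_HTML/AdminServlet", "PT"),   # admin path from the internet
        ("10.20.4.7", "/OA_HTML/AdminServlet", "PT"),     # admin path from the allow-list
        ("203.0.113.9", "/OA_HTML/AppsLogin", "US"),      # public path, blocked geo
        ("203.0.113.9", "/OA_HTML/unknown.jsp", "PT"),    # not in the positive model
        ("203.0.113.5", "/OA_HTML/AppsLogin", "PT"),      # 3rd hit for this IP, still allowed
        ("203.0.113.5", "/OA_HTML/AppsLogin", "PT"),      # 4th hit, rate-limited
    ]
    return [policy.evaluate(ip, path, cc, now=i) for i, (ip, path, cc) in enumerate(requests)]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY ", d.reason)
```

The order of checks matters: rate limiting runs first so that a scanner hammering unknown paths is throttled rather than just denied one request at a time, and the unknown-path check runs before the admin allow-list so that an unenumerated endpoint is never reachable even from a trusted network.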


4) Sector Lens (EU Focus)

  • Media & Publishing: The WaPo case is a cautionary tale for EU publishers with ERP HR/Payroll integrations; prioritize EBS isolation and payroll token hygiene. (BleepingComputer)

  • Manufacturing/Retail: Logitech’s disclosure illustrates third-party zero-day risk and brand exposure; review supplier attestations and vendor IR SLAs (1-hour notify/hourly status). (IT Pro)

  • Software/DevSecOps: Audit requirements.txt/pom.xml for deprecated libraries and pin versions; re-scan pipelines after Oracle patches to catch rogue changes.


5) Question of the Week

“We run Oracle EBS—how do we patch without breaking payroll?”

vCISO Answer: Treat it like payments:

  1. Snapshot & test in a staging clone (DB + app tier).

  2. Patch behind the WAF, not over the open internet.

  3. Rotate tokens/secrets and force re-auth for admin roles.

  4. Post-patch diff & integrity checks; monitor for unusual outbound volume for 7 days.

  5. Run a mini-restore drill to prove the rollback plan.
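Step 4 of that answer is the one most teams skip because it is not a click in a patch tool. The following added example (written for this digest, not Trescudo or Oracle tooling) shows the two halves of it: a SHA-256 manifest of the app tier taken before patching and diffed afterwards, with any change outside the paths the patch is expected to touch flagged, plus a simple check of daily outbound byte counts against the previous days' median. The directory layout, file contents, expected-patch prefixes and byte counts are constructed for illustration.

```python
# Added example, not from the original post. Post-patch integrity diff and
# outbound-volume check. Layout, paths and numbers are constructed.
import hashlib
import statistics
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            manifest[p.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def diff_manifests(before, after):
    """Return (added, removed, modified) path sets between two manifests."""
    added = set(after) - set(before)
    removed = set(before) - set(after)
    modified = {p for p in before.keys() & after.keys() if before[p] != after[p]}
    return added, removed, modified


def unexpected_changes(before, after, expected_prefixes):
    """Added or modified files outside the prefixes the patch notes say it touches."""
    added, _removed, modified = diff_manifests(before, after)
    return sorted(
        p for p in added | modified
        if not any(p.startswith(pre) for pre in expected_prefixes)
    )


def outbound_anomalies(daily_bytes, factor=3.0, min_history=3):
    """Indices of days whose outbound volume exceeds factor x the median of earlier days."""
    flagged = []
    for i, value in enumerate(daily_bytes):
        if i < min_history:
            continue
        baseline = statistics.median(daily_bytes[:i])
        if baseline > 0 and value > factor * baseline:
            flagged.append(i)
    return flagged


def demo():
    """Constructed app tier: the patch should only change xdo/, but more changes appear."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in ("fnd/lib", "xdo/lib", "custom/xxhr"):
            (root / d).mkdir(parents=True)
        (root / "fnd/lib/fnd.jar").write_bytes(b"fnd-v1")
        (root / "xdo/lib/xdo.jar").write_bytes(b"xdo-v1")
        (root / "custom/xxhr/payroll.pls").write_bytes(b"original custom code")
        before = build_manifest(root)

        (root / "xdo/lib/xdo.jar").write_bytes(b"xdo-v2")                 # the expected patch
        (root / "custom/xxhr/payroll.pls").write_bytes(b"altered")        # nobody scheduled this
        (root / "custom/xxhr/extra.jsp").write_bytes(b"<% %>")            # nor this new file
        after = build_manifest(root)
        return unexpected_changes(before, after, ["xdo/"])


if __name__ == "__main__":
    print("unexpected:", demo())
    print("anomalous days:", outbound_anomalies([100, 120, 110, 105, 900, 115]))
```

Take the baseline manifest from the staging clone in step 1 as well as from production, so that a diff between the two after patching also tells you whether the clone was actually representative. The outbound check is deliberately crude (a median with a fixed multiplier); its job is to give the 7-day watch a concrete trigger, not to replace your NDR.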


6) Actionable Tips (Do This Week)

  1. EBS Perimeter Check (30 min):

    • Search for any internet-reachable Oracle EBS endpoints. If found, block admin paths at edge; restrict by IP; enforce MFA/passkeys.

    • Apply CVE-2025-61882/61884 patches; rotate app-tier credentials. (TechRadar)

  2. KEV Sprint (2 hours):

    • Cross-check assets against CISA KEV; prioritize anything marked internet-facing.

    • Document KEV MTTR and request an emergency window if change freezes are in effect. (CISA)

  3. Virtualization Hygiene (1 hour):

    • Confirm ESXi/Nutanix consoles are not exposed; enforce admin VPN + allow-lists.

    • Verify backup immutability and test a small VM restore. (TechRadar)

  4. Vendor IR Readiness (30 min):

    • Ask critical suppliers for an exposure statement (Oracle/EBS status, WAF posture) and their notify cadence if compromised.
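The KEV Sprint above, and the “track KEV MTTR as a board metric” action in section 2, both come down to joining two datasets: the CISA catalog and your own asset inventory. The following added example (written for this digest; it is not CISA or Trescudo code) does that join, ranks open exposures with internet-facing and overdue items first, and computes mean time to remediate from the KEV dateAdded field. The JSON layout mirrors the real feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the entries, dates and assets embedded here are constructed for illustration and should not be read as the catalog's actual values.

```python
# Added example, not from the original post or from CISA. KEV cross-check
# and MTTR. The KEV excerpt and the inventory below are constructed.
import json
from datetime import date
from statistics import mean

KEV_JSON = """
{"title": "Constructed excerpt in the KEV feed layout",
 "vulnerabilities": [
  {"cveID": "CVE-2025-61882", "vendorProject": "Oracle", "product": "E-Business Suite",
   "dateAdded": "2025-10-06", "dueDate": "2025-10-27", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2025-61884", "vendorProject": "Oracle", "product": "E-Business Suite",
   "dateAdded": "2025-10-20", "dueDate": "2025-11-10", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-2024-40766", "vendorProject": "SonicWall", "product": "SonicOS",
   "dateAdded": "2024-09-09", "dueDate": "2024-09-30", "knownRansomwareCampaignUse": "Known"}
 ]}
"""

# Constructed inventory: CVEs each asset carries, whether it is reachable from
# the internet, and the date each CVE was remediated on it (if it was).
INVENTORY = [
    {"asset": "ebs-prod-01", "internet_facing": True,
     "cves": ["CVE-2025-61882", "CVE-2025-61884"],
     "patched": {"CVE-2025-61882": "2025-10-09"}},
    {"asset": "sonicwall-edge-01", "internet_facing": True,
     "cves": ["CVE-2024-40766"],
     "patched": {"CVE-2024-40766": "2024-09-19"}},
    {"asset": "build-runner-07", "internet_facing": False,
     "cves": ["CVE-2025-61884"], "patched": {}},
]


def parse_kev(text):
    """cveID -> KEV entry, with dateAdded/dueDate parsed into date objects."""
    entries = {}
    for v in json.loads(text)["vulnerabilities"]:
        entries[v["cveID"]] = {
            **v,
            "dateAdded": date.fromisoformat(v["dateAdded"]),
            "dueDate": date.fromisoformat(v["dueDate"]),
        }
    return entries


def prioritize(inventory, kev, today):
    """Open KEV exposures: internet-facing first, then overdue, then ransomware-linked."""
    findings = []
    for asset in inventory:
        for cve in asset["cves"]:
            if cve not in kev or cve in asset["patched"]:
                continue
            entry = kev[cve]
            findings.append({
                "asset": asset["asset"],
                "cve": cve,
                "internet_facing": asset["internet_facing"],
                "overdue_days": max((today - entry["dueDate"]).days, 0),
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "due": entry["dueDate"].isoformat(),
            })
    findings.sort(key=lambda f: (
        not f["internet_facing"],   # exposed assets first
        f["overdue_days"] == 0,     # past the CISA due date next
        not f["ransomware"],        # then items tied to ransomware campaigns
        -f["overdue_days"],         # most overdue first within a tier
    ))
    return findings


def kev_mttr_days(inventory, kev):
    """Mean days from KEV dateAdded to remediation over every patched KEV item."""
    durations = []
    for asset in inventory:
        for cve, fixed in asset["patched"].items():
            if cve in kev:
                durations.append((date.fromisoformat(fixed) - kev[cve]["dateAdded"]).days)
    return mean(durations) if durations else None


if __name__ == "__main__":
    kev = parse_kev(KEV_JSON)
    for f in prioritize(INVENTORY, kev, date(2025, 11, 21)):
        print(f)
    print("KEV MTTR (days):", kev_mttr_days(INVENTORY, kev))
```

Measuring MTTR from dateAdded rather than from the CVE publication date is deliberate: it is the date the exploitation became public knowledge and the clock the CISA due date is set against, so it is the number a board can compare across quarters.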



Prove resilience, don’t just promise it. Let’s harden your edge, patch safely from the inside, and verify restores—this week.
