
Dartmouth College Data Breach: Clop Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)

  • Rescana
  • 17 hours ago
  • 5 min read

Executive Summary

Dartmouth College has confirmed a data breach following an extortion attack by the Clop ransomware group, which exploited a zero-day vulnerability in the Oracle E-Business Suite (EBS) platform. The breach resulted in the unauthorized exfiltration of files containing names, Social Security Numbers, and, in some cases, financial account information of at least 1,494 individuals, with the actual number of affected persons likely higher. The attack occurred between August 9 and August 12, 2025, and was publicly claimed by Clop on November 11, 2025. Dartmouth responded by securing its systems, notifying law enforcement, and offering credit monitoring to affected individuals. The incident is part of a broader campaign targeting multiple high-profile organizations using the same Oracle EBS vulnerability. All information in this summary is directly supported by the cited sources below.

Technical Information

The attack on Dartmouth College was executed by the Clop ransomware group, leveraging a critical unauthenticated remote code execution (RCE) zero-day vulnerability in Oracle E-Business Suite (EBS), specifically tracked as CVE-2025-61882. This vulnerability resides in the BI Publisher Integration component of Oracle EBS and allows attackers to execute arbitrary code remotely without authentication. The vulnerability has a CVSS score of 9.8, indicating critical risk to confidentiality, integrity, and availability. The affected Oracle EBS versions are 12.2.3 through 12.2.14, with exploitation focusing on the BI Publisher and Concurrent Processing modules.

Attackers exploited the vulnerability by sending crafted HTTP requests to endpoints such as /OA_HTML/OA.jsp?page=/oracle/apps/xdo/oa/template/webui/TemplatePreviewPG, /OA_HTML/configurator/UiServlet, and /OA_HTML/SyncServlet. The exploitation path included server-side request forgery (SSRF), XSLT injection, and direct remote code execution. In the Dartmouth incident, there is no evidence of spearphishing or user interaction; the compromise was achieved through direct exploitation of the Oracle EBS zero-day (MITRE ATT&CK T1190: Exploit Public-Facing Application).

Once inside the environment, the attackers deployed custom Java-based malware, including variants such as GOLDVEIN.JAVA and downloader components, as well as web shells like FileUtils.java and Log4jConfigQpgsubFilter.java. Persistence was maintained using the SAGE* infection chain (SAGEGIFT, SAGELEAF, SAGEWAVE), which enabled long-term access and remote command execution. The attackers also established scheduled tasks and modified application server components to evade detection and maintain access.

Indicators of compromise (IOCs) associated with this campaign include malicious IP addresses (such as 200.107.207.26, 185.181.60.11, 161.97.99.49, 162.55.17.215, and 104.194.11.200) and the domain oa[.]88tech[.]me, which was used for command and control (C2) and payload delivery. The exploit script hash aa0d3859d6633b62bccfb69017d33a8979a3be1f3f0a5a4bf6960d6c73d41121 has also been identified in related incidents.

The Clop group is known for rapid exploitation of newly disclosed vulnerabilities, smash-and-grab data theft, and extortion tactics. In this campaign, they targeted organizations with large, complex IT environments and valuable personal or financial data, particularly those using Oracle EBS. Other victims in the same campaign include Harvard University, The Washington Post, Logitech, GlobalLogic, and Envoy Air (an American Airlines subsidiary).

The technical attack chain mapped to the MITRE ATT&CK framework includes initial access via public-facing application exploitation (T1190), execution through command and scripting interpreters (T1059), persistence via web shells (T1505.003) and scheduled tasks (T1053), privilege escalation (T1068), defense evasion (T1112), discovery (T1049, T1087, T1046), collection (T1074, T1114, T1119), exfiltration over web services (T1567), command and control via application layer protocols (T1071.001), and impact through extortion (T1657) and data manipulation (T1565).

Attribution to Clop is assessed with high confidence, based on technical artifacts, campaign infrastructure, public claims, and victimology, all of which are consistent with prior Clop activity. The evidence includes direct technical artifacts (malware, web shells, exploit scripts, IOCs), pattern analysis (sector targeting, campaign timeline, TTPs), and circumstantial evidence (public extortion claims, victim notifications).

Dartmouth’s response included immediate system lockdown, notification of law enforcement, application of all available Oracle patches, and a review of vendor security practices. The college began sending notification letters to affected individuals on November 24, 2025, and is offering one year of credit monitoring to those whose Social Security Numbers were exposed.

Affected Versions & Timeline

The attack targeted Oracle E-Business Suite (EBS) versions 12.2.3 through 12.2.14, specifically exploiting the BI Publisher Integration component via CVE-2025-61882. The confirmed attack window at Dartmouth College was from August 9 to August 12, 2025, during which unauthorized actors exfiltrated sensitive files. On October 30, 2025, Dartmouth identified files containing names and Social Security Numbers. The Clop group publicly claimed responsibility and threatened to leak data on November 11, 2025. Dartmouth began sending notification letters to affected individuals on November 24, 2025, and public disclosure followed on November 25, 2025.

The broader campaign by Clop targeting Oracle EBS zero-days began in early August 2025 and has affected multiple organizations across higher education, media, technology, and aviation sectors.

Threat Activity

The Clop ransomware group, also known as GRACEFUL SPIDER, orchestrated a mass exploitation campaign targeting Oracle EBS zero-day vulnerabilities, with Dartmouth College among the confirmed victims. The group’s tactics involve exploiting critical vulnerabilities for initial access, deploying custom malware and web shells for persistence, rapidly exfiltrating sensitive data, and then extorting victims by threatening to leak the stolen information unless a ransom is paid.

In the Dartmouth incident, the attackers exfiltrated files containing names, Social Security Numbers, and financial account information. The group posted a public extortion threat on November 11, 2025, and subsequently leaked data on their dark web site. The campaign’s targeting pattern includes organizations with complex IT environments and valuable data, particularly those in higher education, media, technology, and aviation.

The technical sophistication of the attack, the use of a zero-day vulnerability, and the rapid timeline from exploitation to extortion are consistent with Clop’s known tactics, techniques, and procedures (TTPs). The group’s infrastructure, malware, and operational patterns have been confirmed by multiple independent security vendors and incident disclosures.

Mitigation & Workarounds

The most critical mitigation is the immediate application of all available security patches for Oracle E-Business Suite (EBS), particularly those addressing CVE-2025-61882. Organizations using Oracle EBS versions 12.2.3 through 12.2.14 must ensure that the BI Publisher Integration component is fully patched and that all public-facing endpoints are secured.

Continuous monitoring for indicators of compromise (IOCs), including the specific IP addresses and domains identified in this campaign, is essential. Organizations should conduct a comprehensive compromise assessment to identify any signs of infiltration, exfiltrated data, or persistence mechanisms. Validating the integrity of backups and ensuring they are isolated from production systems is critical to recovery in the event of a ransomware or extortion attack.

Employee awareness and training should be reinforced, with a focus on recognizing suspicious activity and reporting potential security incidents. Organizations should also review and strengthen their third-party risk management and vendor oversight processes, as attackers may exploit weaknesses in the supply chain.

Engagement with professional incident response teams and law enforcement is recommended for organizations that suspect or confirm compromise. Sharing threat intelligence with sector peers and participating in information sharing and analysis centers (ISACs) can help improve collective defense against similar campaigns.

References

https://www.bleepingcomputer.com/news/security/dartmouth-college-confirms-data-breach-after-clop-extortion-attack/

https://www.dexpose.io/clop-strikes-dartmouth-college-in-ransomware-attack/

https://www.theregister.com/2025/11/25/clop_dartmouth_college/

https://www.protoslabs.io/resources/deep-dive-analysis-oracle-e-business-suite-ebs-zero-day-campaign-attributed-to-cl0p-extortion-ecosystem

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks in their vendor ecosystem. Our platform enables continuous monitoring for emerging threats, supports evidence-based risk assessments, and facilitates rapid response coordination with internal and external stakeholders. For questions or further information, please contact us at ops@rescana.com.
