
American Airlines subsidiary Envoy caught in Clop's Oracle EBS raid

(2025/10/17)


Envoy Air, an American Airlines subsidiary, has confirmed that it was among the dozens of organizations compromised via Oracle E-Business Suite (EBS) security flaws, following claims by Clop extortionists that its parent company was one of its victims.

"We are aware of the incident involving Envoy's Oracle E-Business Suite application," an Envoy spokesperson told The Register.

"Upon learning of the matter, we immediately began an investigation and law enforcement was contacted," the statement continued. "We have conducted a thorough review of the data at issue and have confirmed no sensitive or customer data was affected. A limited amount of business information and commercial contact details may have been compromised."


The breach did not touch any American Airlines IT environments or data, nor did it impact Envoy's flight or airport ground handling operations.


The spokesperson declined to comment on the criminals' extortion demand.

On Thursday, Clop added American Airlines to its leak site, claiming to have broken into its systems. In a post seen by The Register and [4]shared on social media, the extortion crew wrote: "The company doesn't care about its customers, it ignored their security!!!"

Remember MOVEit?

While the fallout from the Oracle EBS heists continues to unfold, and we don't yet know the total victim count, last week Google's chief threat analyst said his team believes that [5]"dozens" of organizations were affected, and that the intruders likely had a three-month head start on the defenders.

"Some historic Clop data extortion campaigns have had hundreds of victims," John Hultquist, chief analyst at Google Threat Intelligence Group, told The Register. "Unfortunately, large scale zero-day campaigns like this are becoming a regular feature of cybercrime."


[7]Clop is probably best known for the attack on Progress Software's MOVEit file transfer solution in 2023 that hit at least 2,773 organizations and more than 95 million individuals, with major organizations such as the US Department of Energy, [8]Xerox, Nokia, Bank of America, Morgan Stanley, and [9]Amazon among those whose data was exposed in the massive supply chain attack.

Attack timeline

The cybercrime mob's latest attempt at a similar large-scale data theft came to light in September, when criminals claiming to be affiliated with Clop began bombarding execs at numerous organizations with [10]extortion emails, claiming to have stolen sensitive data from their EBS environments.

On October 2, [11]Oracle told customers that the thieves may have exploited security holes that were patched in July 2025 and recommended that they apply the latest critical patch updates.

Two days later, Oracle pushed an [12]emergency patch for a zero-day bug in EBS, tracked as [13]CVE-2025-61882, that Clop had already abused for data theft and extortion.


Researchers have found signs of [18]Clop rummaging through Oracle customers' EBS environments since at least August. According to Google's threat hunters, the nefarious activity began a month earlier and may have ties to the [19]Salesforce data thieves.

And if things weren't already bad enough for Big Red, earlier this week, Oracle pushed [20]another emergency patch for its EBS.

It's tracked as CVE-2025-61884, received a CVSS score of 7.5, and affects the Runtime UI component. [21]Oracle's advisory warns that the flaw can be exploited remotely without authentication and "may allow access to sensitive resources."





[4] https://bsky.app/profile/hackmanac.com/post/3m3dkjeuwbs2a

[5] https://www.theregister.com/2025/10/09/miscreants_head_start_oracle_ebs_invasion/


[7] https://www.theregister.com/2023/06/15/clop_broke_into_the_doe/

[8] https://www.theregister.com/2024/12/03/760k_xerox_nokia_bofa_morgan/

[9] https://www.theregister.com/2024/11/12/amazon_moveit_breach/

[10] https://www.theregister.com/2025/10/02/clop_oracle_extortion/

[11] https://www.theregister.com/2025/10/03/oracle_ebs_clop_extortion/

[12] https://www.theregister.com/2025/10/06/clop_oracle_ebs_zeroday/

[13] https://www.oracle.com/security-alerts/alert-cve-2025-61882.html


[18] https://www.theregister.com/2025/10/07/clop_oracle_ebs/

[19] https://www.theregister.com/2025/10/08/salesforce_refuses_to_pay_ransomware/

[20] https://www.theregister.com/2025/10/14/oracle_rushes_out_another_emergency/

[21] https://www.oracle.com/security-alerts/alert-cve-2025-61884.html




It's time for more disclosure

VoiceOfTruth

>> the intruders likely had a three-month head start on the defenders

I feel reasonably sure that American Airlines and Envoy take computer security pretty seriously. They likely have intrusion detection systems, anti-virus with 'heuristics' as appropriate, traffic analysis, auditing, and so on. If those systems cannot detect this sort of thing then it's time to name and shame them, because they are clearly not up to the job. It hardly matters if it is a zero day exploit if it is not noticed for three months.

This isn't being nasty towards AA. It seems from reports that 'dozens' of organisations were hit. So that probably means none of the systems works reliably against a crim who knows what he is doing. We see it with F5 - a security company isn't secure.

Re: It's time for more disclosure

Anonymous Coward

Reminds me of an old old fire safety slogan ...

'When is a Door Not a Door ... When it's ajar !!!'

:)

Stupidity got us into this mess -- why can't it get us out?