Cl0p Ransomware Allegedly Breaches Broadcom via Oracle E-Business Suite Zero-Day
The Clop ransomware group has claimed responsibility for a breach involving Broadcom Inc, one of the largest semiconductor and infrastructure software companies in the world. According to the group, the intrusion was carried out through a critical vulnerability in Oracle E-Business Suite that allowed attackers to gain access to internal systems and extract sensitive information. Broadcom has not yet confirmed the full details of the incident, but early indicators suggest that the intrusion may be significant.
How the Attack Was Carried Out
Early analysis points to the exploitation of a high-severity flaw in Oracle E-Business Suite. The vulnerability allowed unauthenticated remote code execution and gave attackers direct access to key application components. By abusing this weakness, the Clop group reportedly bypassed authentication controls, executed malicious templates and gained broad visibility across systems used for financial, procurement and resource management operations.
Attackers appear to have targeted specific endpoints within the platform that were known to process template-based requests. Once the malicious templates were uploaded, the system executed them with system-level privileges. This enabled the attackers to begin exploring the internal environment and to identify high-value paths that could lead to data exfiltration.
Tactics and Techniques Used in the Intrusion
The Clop group is known for targeted intrusion campaigns that focus on enterprise applications and large-scale data theft. The Broadcom activity reflects the same approach, and analysts have observed several techniques that match the group's established operations.
- Initial Access: Direct exploitation of an unauthenticated remote code execution flaw in Oracle E-Business Suite
- Execution: Use of malicious templates designed to run system-level commands once processed by the ERP application
- Persistence: Modification of scheduled jobs and internal scripts within the ERP environment to maintain long-term access
- Privilege Escalation: Abuse of high-privilege application roles and system-level permissions exposed during the breach
- Discovery: Mapping of ERP modules, internal databases and interconnected network segments
- Lateral Movement: Use of compromised credentials and ERP workflow tokens to move into additional systems
- Credential Access: Theft of financial system usernames, passwords and session information
- Data Collection: Extraction of documents, transaction records and internal corporate data
- Exfiltration: Transfer of compressed data archives to external attacker-controlled locations
- Extortion: Attempt to pressure Broadcom into negotiation by threatening to publish stolen information
Potential Impact on Broadcom and Its Ecosystem
Broadcom plays a critical role in the global semiconductor and networking supply chain. A confirmed breach involving enterprise systems used for financial planning, supply chain operations or intellectual property management would have wide implications. Stolen data could include supplier contracts, internal designs, pricing models or confidential project documentation.
The risk extends beyond Broadcom itself since the company works closely with telecommunications providers, cloud vendors and hardware manufacturers. Data exposure affecting these upstream or downstream partners could introduce operational instability or supply chain delays.
Why Enterprise Application Vulnerabilities Are High Risk
Oracle E-Business Suite systems often contain highly sensitive business information and run with extensive administrative privileges. Once an attacker gains access to this environment, the impact can escalate quickly. The centralised nature of ERP platforms means that a single vulnerability can provide direct access to financial records, procurement operations, supplier communications and internal identity systems.
Organisations that run these systems without strict patching cycles, segmented networks or continuous monitoring remain at higher risk. Attackers increasingly target enterprise applications because these systems hold valuable data and often rely on older architectures that are difficult to update.
Recommendations for Organisations
Security teams are encouraged to prioritise the following steps in response to this event and similar campaigns.
- Identify all Oracle E-Business Suite instances and apply the latest security patches immediately
- Audit external exposure and restrict public access to administrative or template-processing endpoints
- Monitor for abnormal template uploads, unusual database queries and large outbound transfers
- Investigate scheduled jobs and custom scripts for signs of unauthorised modification
- Implement strong segmentation to isolate ERP environments from general corporate networks
- Review access privileges and remove unnecessary administrative roles
- Deploy behavioural monitoring to detect suspicious ERP activity patterns
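One way to operationalise the monitoring items above (external template uploads and large outbound transfers) is a small log review script. This is an added example, not code from the article or from Oracle; the endpoint path prefix, trusted networks and byte threshold are assumptions, and the log lines are constructed.

```python
"""Flag external template uploads and large per-client response volumes in access logs.
Paths, trusted networks and the threshold are assumptions for this example."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical prefix of template-processing endpoints; adjust to your deployment.
TEMPLATE_PATH_PREFIXES = ("/erp/templates/",)
# Networks from which template uploads are expected (assumption: internal admins only).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024  # per-client response volume threshold (assumption)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample lines (combined-log style); not captured from any real system.
SAMPLE_LOGS = """\
10.20.1.5 - - [12/Nov/2025:09:58:10 +0000] "POST /erp/templates/upload HTTP/1.1" 200 812
203.0.113.7 - - [12/Nov/2025:10:01:02 +0000] "POST /erp/templates/upload HTTP/1.1" 200 914
203.0.113.7 - - [12/Nov/2025:10:05:44 +0000] "GET /erp/reports/export?all=1 HTTP/1.1" 200 41943040
203.0.113.7 - - [12/Nov/2025:10:06:30 +0000] "GET /erp/reports/export?all=1 HTTP/1.1" 200 20971520
10.20.1.9 - - [12/Nov/2025:10:07:00 +0000] "GET /erp/login HTTP/1.1" 200 3210
"""

def is_trusted(ip):
    """True when the client address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)

def analyze(log_text):
    """Return alerts: untrusted template uploads, then clients served more than the threshold."""
    alerts = []
    bytes_per_client = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than abort the whole review
        ip, method, path = m["ip"], m["method"], m["path"]
        bytes_per_client[ip] += 0 if m["bytes"] == "-" else int(m["bytes"])
        if method in ("POST", "PUT") and path.startswith(TEMPLATE_PATH_PREFIXES) and not is_trusted(ip):
            alerts.append(("template_upload_external", ip, path))
    for ip, total in bytes_per_client.items():
        if total > LARGE_TRANSFER_BYTES and not is_trusted(ip):
            alerts.append(("large_outbound_transfer", ip, total))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

In production the per-client totals should be computed over a sliding window and compared against a baseline for that client, rather than a fixed byte count.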
Conclusion
The alleged Clop breach of Broadcom highlights the growing threat to enterprise applications and the importance of rapid patching across complex ERP platforms. As attackers continue to exploit vulnerabilities in business-critical systems, organisations must strengthen their monitoring strategies and adopt a proactive security posture. This incident serves as a reminder that large-scale ransomware operations increasingly rely on strategic intrusions involving high-value enterprise applications rather than broad scanning or opportunistic attacks.