An infamous ransomware group called Clop is back in town and causing chaos.
Over the past week, Google, the FBI and numerous security firms have warned about the hackers’ “mass extortion” attempts, where they threaten execs with leaking information stolen from their companies’ Oracle databases unless a ransom is paid.
“This is a ‘stop-what-you’re-doing and patch immediately’ vulnerability,” wrote FBI cyber division assistant director Brett Leatherman. “The bad guys are likely already exploiting in the wild, and the race is on before others identify and target vulnerable systems.” It was unclear at first whether there were actual victims or if it was Clop playing games, but experts from Google’s Mandiant cybersecurity team said over the weekend that it had determined “several” successful breaches occurred using previously unknown and unpatched vulnerabilities, known as zero-days. The team didn’t offer specifics beyond that.
Oracle has issued a patch for the relevant vulnerabilities, which affected its E-Business Suite. “This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in remote code execution,” the company wrote in its advisory.
Per one staffer at the DHS Cybersecurity and Infrastructure Security Agency (CISA), who is investigating the attacks, remote code execution on this scale is “not something you ever want to see.”
“Irrespective of when the patch is applied, organizations should examine whether they were already compromised,” said Charles Carmakal, Mandiant chief technology officer.
Clop was once one of the most active ransomware groups in the world, with victims including corporate giants like British Airways and Shell, but it had gone quiet over the last year and a half.
CrowdStrike said the attacks date back to at least August 9 and warned that the mass exploitation may be coming from more than one group.
That suspicion in part came from the publication of what was then a zero-day exploit in a Telegram channel associated with different hacker crews, including prolific groups Scattered Spider and ShinyHunters. Last week, the groups threatened to release a billion records stolen not from Oracle systems, but from Salesforce databases.
Got a tip on surveillance or cybercrime? Get me on Signal at +1 929-512-7964.