{"id":2463,"date":"2025-03-24T14:01:48","date_gmt":"2025-03-24T14:01:48","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2463"},"modified":"2025-03-24T14:01:48","modified_gmt":"2025-03-24T14:01:48","slug":"oracle-cloud-breach-may-impact-140000-enterprise-customers","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2463","title":{"rendered":"Oracle Cloud breach may impact 140,000 enterprise customers"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A threat actor has reportedly breached Oracle Cloud infrastructure, exfiltrating six million sensitive authentication records and potentially endangering more than 140,000 enterprise customers. The attacker is now demanding ransom payments while actively marketing the stolen data on underground forums, according to threat intelligence firm CloudSEK.<\/p>\n<p>Security researchers at CloudSEK\u2019s XVigil team discovered the breach on March 21, 2025, when they identified a threat actor operating under the alias \u201crose87168\u201d selling millions of records extracted from Oracle Cloud\u2019s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems.<\/p>\n<p>The compromised data includes critical security components such as Java KeyStore (JKS) files, encrypted SSO passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys \u2013 all essential elements for authentication and access control within the Oracle Cloud environment.<\/p>\n<p>According to CloudSEK\u2019s investigation, the attacker claims to have penetrated Oracle\u2019s infrastructure by exploiting a vulnerability in the company\u2019s login endpoints, specifically targeting the subdomain login.us2.oraclecloud.com. 
This subdomain was reportedly still operational as recently as February 17, 2025, despite running severely outdated software components.<\/p>\n<p>\u201cThe threat actor has demonstrated sophisticated capabilities by targeting a critical authentication infrastructure,\u201d <a href=\"https:\/\/www.cloudsek.com\/blog\/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants\">said CloudSEK in their report<\/a>. \u201cThey\u2019re not only selling the data but also actively recruiting assistance to decrypt the stolen passwords, suggesting an organized and persistent threat operation.\u201d<\/p>\n<p>Oracle has denied the data breach. \u201cThere has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,\u201d an Oracle spokesperson said.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Known vulnerability reportedly exploited<\/strong><\/h2>\n<p>According to the report, the attack appears to leverage <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-35587\">CVE-2021-35587<\/a>, a critical vulnerability in Oracle Access Manager that was added to the Cybersecurity and Infrastructure Security Agency\u2019s (CISA) Known Exploited Vulnerabilities catalog in December 2022. The vulnerability is especially dangerous because it allows an unauthenticated attacker with HTTP network access to take over an Oracle Access Manager instance without any credentials.<\/p>\n<p>Archived copies of the login page cited in the report suggest the compromised server was running Oracle Fusion Middleware 11G, with components last updated in September 2014 \u2013 more than a decade ago. That lag in patch management left a known, remotely exploitable flaw exposed on an internet-facing authentication endpoint.<\/p>\n<p>\u201cDue to lack of patch management practices and\/or insecure coding, the vulnerability in Oracle Fusion Middleware was exploited by the threat actor,\u201d the CloudSEK report pointed out. 
\u201cThis easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in the takeover of Oracle Access Manager (OAM).\u201d<\/p>\n<p>CloudSEK\u2019s report also notes that the threat actor told an independent news source they had exploited \u201ca vulnerable version of the Oracle Cloud servers with a public CVE that does not currently have a public PoC or exploit.\u201d That description is hard to reconcile with the CVE identified in the report: CISA adds a vulnerability to its Known Exploited Vulnerabilities catalog only on evidence of active exploitation, so CVE-2021-35587 had been exploited in the wild well before this claim was made.<\/p>\n<p>Internet Archive snapshots cited in the report indicate that the compromised subdomain was still hosting Oracle Fusion Middleware 11G as recently as February 2025, far out of step with the basic practice of keeping internet-facing authentication infrastructure patched.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Business impact and risks<\/strong><\/h2>\n<p>The threat actor has also begun an extortion campaign, contacting affected companies and demanding payment to remove their data from the stolen cache. 
This creates immediate financial pressure and complex legal and ethical decisions for victims regarding ransom payments.<\/p>\n<p>To increase pressure on both Oracle and affected organizations, the attacker has established a presence on social media platform X (formerly Twitter), following Oracle-related accounts and presumably preparing to increase public visibility of the breach if ransom demands aren\u2019t met.<\/p>\n<p>\u201cCompanies affected by the breach can contact me to publicly verify if their data originates from Oracle Cloud, and I\u2019ll remove it from my dataset slated for sale,\u201d <a href=\"https:\/\/x.com\/rose87168\/status\/1903253114733330524\">the hacker with the alias \u201crose87168\u201d wrote in an X post.<\/a><\/p>\n<p>With over 140,000 tenants potentially affected, the breach carries substantial supply chain implications: SSO and LDAP material is trusted across many systems, so compromised authentication secrets could allow attackers to pivot between connected organizations and systems. This multiplier effect extends the potential damage well beyond the initial breach.<\/p>\n<h2 class=\"wp-block-heading\"><strong>Recommended mitigation steps<\/strong><\/h2>\n<p>CloudSEK has outlined a response strategy for potentially affected organizations.<\/p>\n<p>\u201cThe first priority is immediate credential rotation \u2013 resetting all passwords for LDAP user accounts, with particular attention to privileged accounts such as Tenant Administrators that could provide broad access across systems,\u201d the report suggested.<\/p>\n<p>Security teams should implement stronger authentication controls, including multi-factor authentication (MFA) and enhanced password policies. 
This helps mitigate the risk of credential reuse even if the stolen encrypted passwords are eventually decrypted by attackers.<\/p>\n<p>The report also says that organizations must regenerate and replace all affected certificates, including any SSO, SAML, or OIDC secrets associated with the compromised LDAP configurations. Because the stolen cache reportedly includes JKS files and JPS keys, the private keys held in those keystores should be treated as compromised and reissued as well, not just the certificates that chain to them: changing a keystore password on your own copy does nothing once an attacker holds the file. Relying parties also need the new SAML or OIDC signing material before the old keys are retired, or authentication breaks during the rotation. This cryptographic hygiene is essential to restore trust in the authentication mechanisms.<\/p>\n<p>\u201cThe sophistication of this attack highlights the continued challenges in securing cloud environments, particularly around authentication systems,\u201d CloudSEK said in the report. \u201cOrganizations using Oracle Cloud services should treat this as a critical security incident requiring immediate action, regardless of whether they\u2019ve been directly notified of compromise.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A threat actor has reportedly breached Oracle Cloud infrastructure, exfiltrating six million sensitive authentication records and potentially endangering more than 140,000 enterprise customers. The attacker is now demanding ransom payments while actively marketing the stolen data on underground forums, according to threat intelligence firm CloudSEK. 
Security researchers at CloudSEK\u2019s XVigil team discovered the breach on [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2464,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2463","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2463"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2463"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2463\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2464"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2463"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2463"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2463"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}