Hacker linked to Oracle Cloud intrusion threatens to sell stolen data
The threat actor that claimed responsibility for an alleged data breach at Oracle Cloud is threatening to release or sell the data, according to security researchers.
The threat actor, identified as Rose87168, posted a threat Sunday to leak stolen data and claimed Oracle is not cooperating with the hacker’s demands, according to a LinkedIn post by Alon Gal, co-founder and CTO at Hudson Rock.
The threat actor previously took credit for the Oracle Cloud incident, claiming to have access to 6 million data records, affecting more than 140,000 tenants.
After initially denying that a breach took place, Oracle has largely remained silent and declined numerous requests to comment on the incident. Meanwhile, security researchers have published increasing evidence supporting the threat actor's claims.
Security researchers from CloudSEK published evidence last week that supported the threat actor’s claims of a breach. Researchers said they believed the hacker exploited a zero-day vulnerability or a misconfiguration in the OAuth2 authentication process.
The alleged breach was linked to CVE-2021-35587, a critical vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware. The flaw, which carries a CVSS score of 9.8 and was addressed in Oracle's January 2022 Critical Patch Update, allows an unauthenticated attacker with HTTP network access to compromise Oracle Access Manager. Because it is a previously patched bug rather than a zero-day, successful exploitation would imply that the affected login endpoint was running an outdated, unpatched version.
The stolen data includes single sign-on credentials, Lightweight Directory Access Protocol passwords, OAuth2 keys and tenant data, according to CloudSEK.
CloudSEK researchers have been analyzing a sample provided by the hacker.
Researchers from Trustwave SpiderLabs released a blog post last week confirming that the hacker is threatening to sell the stolen data and is offering multiple purchase options, priced by company name, hashed credentials and other criteria.
“Based on our research and analysis, and that of other researchers, we feel that it is likely that this is a legitimate breach,” researchers from Trustwave told Cybersecurity Dive via email.