Oracle Denies Breach Amid Hacker’s Claim of Access to 6 Million Records
A recent investigation by CloudSEK’s XVigil platform has uncovered a cyberattack targeting Oracle Cloud, resulting in the exfiltration of six million records and potentially affecting over 140,000 tenants. A threat actor identified as ‘rose87168’ reportedly carried out the attack, stealing sensitive data including JKS files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys, which are now being sold on Breach Forums and other dark web forums.
The attacker, active since January 2025, claims to have compromised a subdomain, login.us2.oraclecloud.com, which has since been taken down. This subdomain was found to be hosting Oracle Fusion Middleware 11G, as evidenced by a Wayback Machine capture from February 17, 2025. They are demanding ransom payments from affected tenants for the removal of their data and have even offered incentives for assistance in decrypting the stolen SSO and LDAP passwords.
CloudSEK’s analysis indicates that the threat actor may have compromised a vulnerable version of Oracle Cloud servers, potentially leveraging an older flaw, CVE-2021-35587, which affects Oracle Fusion Middleware (OpenSSO Agent) with the following identified as the impacted versions:
- 11.1.2.3.0
- 12.2.1.3.0
- 12.2.1.4.0
This CVE, added to the CISA KEV catalogue in December 2022, allows unauthenticated attackers to compromise Oracle Access Manager, potentially leading to a complete takeover. This aligns with the type of data exfiltrated and shared by the attacker. Its exploitation could allow attackers to gain initial access to the environment and then move laterally within the Oracle Cloud environment to access other systems and data. Further investigation revealed that the Oracle Fusion Middleware server was last updated around September 27, 2014, indicating outdated software.
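The versions listed above, together with the stale patch date the investigation turned up, are exactly the two signals a defender would run over an asset inventory. The script below is an added example, not code from CloudSEK, Oracle or Hackread: it triages a constructed inventory of Oracle Access Manager hosts (hostnames, the bundle-patch suffix `12.2.1.4.230628`, the patch dates and the reference date are all assumptions) against the affected version list and a patch-age threshold. The caveat it encodes is that an install with a bundle patch applied still reports the affected base version, so a version match is a prompt to verify the patch level, not a confirmed exposure.

```python
"""Triage an Oracle Access Manager / Fusion Middleware inventory for CVE-2021-35587 exposure.

Added example with a constructed inventory; nothing here is the page's or the vendors' code.
"""
import csv
import io
from datetime import date

# Versions the article lists as impacted (Oracle Fusion Middleware, OpenSSO Agent).
AFFECTED_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}

# Constructed inventory (hostnames, versions and dates are made up for the example).
# The 12.2.1.4.230628 row assumes Oracle's bundle-patch naming; treat that as an assumption.
SAMPLE_INVENTORY = """hostname,version,last_patched
sso-a.example.internal,11.1.2.3.0,2014-09-27
sso-b.example.internal,12.2.1.4.0,2023-01-15
sso-c.example.internal,12.2.1.4.230628,2024-06-30
portal.example.internal,14.1.1.0.0,2024-11-02
"""

REFERENCE_DATE = date(2025, 3, 21)  # assumed "today" for the patch-age check
STALE_AFTER_DAYS = 365               # assumed threshold; tune to your patch policy


def parse_version(text):
    """Turn '12.2.1.4.0' into a tuple of ints so components compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def matches_affected(version):
    """Return the affected base version whose first four components match, else None.

    Only the first four components are compared because a bundle patch changes the
    fifth component (e.g. 12.2.1.4.230628) while the base release stays 12.2.1.4.
    """
    v = parse_version(version)
    for affected in AFFECTED_VERSIONS:
        if v[:4] == parse_version(affected)[:4]:
            return affected
    return None


def patch_age_days(last_patched, today=REFERENCE_DATE):
    """Days elapsed since the last recorded patch (ISO date string)."""
    return (today - date.fromisoformat(last_patched)).days


def triage(inventory_csv, today=REFERENCE_DATE, stale_after=STALE_AFTER_DAYS):
    """Return one finding per host that matches an affected base version or is stale.

    Each finding carries the reasons so an analyst can see whether it is a version
    match (verify the bundle patch level), a patch-age problem, or both.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        reasons = []
        hit = matches_affected(row["version"])
        if hit:
            reasons.append(f"base version matches affected release {hit}; verify bundle patch level")
        age = patch_age_days(row["last_patched"], today)
        if age > stale_after:
            reasons.append(f"last patched {age} days ago (threshold {stale_after})")
        if reasons:
            findings.append({"hostname": row["hostname"], "version": row["version"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["hostname"], finding["version"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed inventory the script flags three of the four hosts: the two hosts on unpatched affected releases get both reasons, the bundle-patched 12.2.1.4 host gets only the version match (its patch is recent), and the 14.1.1 host is not flagged. A host that is stale but on an unlisted version still surfaces, which matters because the article's own finding was a server last updated in 2014.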
“Due to lack of patch management practices and/or insecure coding, the vulnerability in Oracle Fusion Middleware was exploited by the threat actor. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager,” CloudSEK researchers noted in the blog post shared exclusively with Hackread.com.
However, Oracle has issued a statement denying any breach of its cloud infrastructure. “There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data,” Oracle stated in response to the reports. This directly contradicts CloudSEK’s findings and the attacker’s claims.
Nonetheless, if it occurred, the breach’s impact could be substantial, as the exposure of a whopping six million records raises the risk of unauthorized access and corporate espionage. The exfiltration of JKS files is most concerning, as these contain cryptographic keys that could be used to decrypt sensitive data or gain access to other systems within the affected organizations. Moreover, the compromise of encrypted SSO and LDAP passwords could lead to further breaches across Oracle Cloud environments. The use of a zero-day vulnerability also raises concerns about the overall security of Oracle Cloud.
CloudSEK recommends immediate credential rotation, thorough incident response and forensics, continuous threat intelligence monitoring, and engagement with Oracle Security for verification and mitigation. They also advise strengthening access controls to prevent future incidents.