A reported cyberattack targeting Oracle Cloud has sparked concerns about potential data exposure across numerous organizations. According to cybersecurity firm CloudSEK, 6 million records were compromised, impacting over 140,000 Oracle Cloud tenants.
The incident, allegedly orchestrated by a threat actor known as “rose87168,” involved the exploitation of vulnerabilities in Oracle’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems. The attacker has put the stolen data up for sale online and is demanding payment from affected companies for its removal.
CloudSEK’s investigation revealed that the attacker leveraged an undisclosed vulnerability in Oracle WebLogic Server to gain access to login endpoints within Oracle Cloud regions. The compromised data reportedly includes Java KeyStore (JKS) files, encrypted passwords for the SSO and LDAP systems, key files, and Enterprise Manager JPS keys. The attacker targeted the endpoint “login.(region-name).oraclecloud.com” and has even created a profile on X (formerly Twitter), possibly to pressure victims.
Due to the scale and sensitivity of the breach, CloudSEK has classified the threat as “High” and recommended that organizations using Oracle Cloud take immediate actions such as resetting credentials, conducting forensic investigations, monitoring the dark web for leaked data, and implementing stricter access controls.
In response to the claims, Oracle has denied any breach of its cloud systems. However, evidence provided by the threat actor on cybercrime forums suggests otherwise. Third-party investigations have highlighted the presence of an unpatched critical vulnerability (CVE-2021-35587) in one of the affected servers running an older version of Oracle Fusion Middleware.
The attacker, who previously had no known history, has offered the stolen data in exchange for zero-day exploits or cryptocurrency. They have also sought help in decrypting the encrypted credentials, which suggests the data is not directly usable yet but could become so if the encryption were broken. Additionally, the attacker has shared a list of domain names associated with the affected companies and offered to remove employee information for a fee.
The cybersecurity community is currently evaluating the authenticity and scope of the data exposure, with Oracle maintaining its stance that no breach occurred. Despite the ongoing uncertainty, the incident serves as a stark reminder of the security challenges faced by organizations in the digital age.