
Alleged Oracle Cloud Hack: 6 Million Records at Risk? What We Know So Far

A hacker known as "rose87168" allegedly breached Oracle Cloud, stealing over 6 million records and selling the data on a renowned hacker forum. Oracle denies any hack has occurred.

Welcome to the latest issue of The Breach Report, a cybersecurity newsletter from the creators of the Cybersecurity Careers Blog. Be sure to subscribe via email or RSS.

Oracle denies breach after hacker claims to steal 6 million records

Is Oracle Cloud the latest victim of a major cyberattack? A hacker known as “rose87168” claims to have breached Oracle Cloud's login servers and stolen six million customer data records. Oracle, however, has responded to multiple media inquiries by denying any hack of, or data theft from, its cloud infrastructure. Let's dive into the details of this developing story.

"The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."

- Oracle spokesperson to The Register

The hacker's claims and demands

A previously unknown hacker using the handle “rose87168” surfaced on the cyber-crime forum BreachForums earlier this month. The hacker boasted of creating a text file on an Oracle Cloud login server and claimed that information was exfiltrated from the EM2 and US2 login servers. Samples of the stolen data were shared on BreachForums, where the hacker has been trying to sell the pilfered dataset.

According to a statement provided to BleepingComputer, they first breached Oracle's cloud infrastructure “40 days ago”, stealing data from the US2 and EM2 cloud regions.

A hacker known as rose87168 on BreachForums claims to have breached Oracle Cloud and stolen 6 million data records. (image credit: BleepingComputer)

Other stolen data includes Oracle Cloud customer security keys, encrypted Oracle Cloud SSO passwords, encrypted LDAP passwords, Enterprise Manager JPS keys, and Java KeyStore (JKS) files containing security certificates and keys. The potentially affected customers are said to number in the thousands.

BleepingComputer reports that the hacker has demanded 100,000 XMR from Oracle for information on how they breached the servers. Oracle refused to pay the ransom, asking instead for all information required to fix and patch the vulnerabilities used.

The hacker states they will “list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.”

What vulnerabilities the Oracle Cloud hack may have exploited

While Oracle denies any breach, cybersecurity firm CloudSEK conducted its own investigation and offered a contrasting perspective. CloudSEK believes the threat actor may have exploited a known critical vulnerability (CVE-2021-35587) in Oracle Fusion Middleware's Oracle Access Manager, specifically its OpenSSO Agent.

This vulnerability, added to the CISA KEV catalog in December 2022, is rated critical and can be exploited over HTTP without authentication. Successful exploitation could grant an intruder access to the kind of sensitive information that is now being offered for sale. CloudSEK notes that public exploit code exists for this vulnerability.

CloudSEK's analysis of the compromised subdomain, login.us2.oraclecloud.com, revealed that it was running Oracle Fusion Middleware 11G. Further investigation suggested that this server might not have been patched to close the CVE-2021-35587 vulnerability. The server was reportedly last updated around September 27, 2014, indicating potentially outdated software.

CloudSEK researchers stated, "Due to lack of patch management practices and/or insecure coding, the vulnerability in Oracle Fusion Middleware was exploited by the threat actor. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager".

They suggest that exploiting this flaw could have provided the initial access needed to move laterally within the Oracle Cloud environment and reach other systems and data.

The fact that the threat actor managed to upload a text file to an Oracle Cloud login server further fuels the speculation that some form of unauthorized access was achieved. Oracle has been contacted for clarification on this point.

Potential impact of an Oracle Cloud hack of 6 million records

If the alleged breach is indeed factual, the impact could be substantial. The exposure of six million records significantly increases the risk of unauthorized access and corporate espionage.

The compromise of JKS files containing cryptographic keys is particularly concerning as it could be used to decrypt sensitive data or gain access to other systems within affected organizations. Similarly, compromised encrypted SSO and LDAP passwords could lead to further breaches across Oracle Cloud environments.

Recommendations to mitigate risk if you are an Oracle Cloud customer

While Oracle denies the breach, CloudSEK recommends several immediate actions for potentially affected parties, including:

  • Immediate credential rotation

  • Thorough incident response and forensics

  • Continuous threat intelligence monitoring

  • Engagement with Oracle Security for verification and mitigation

  • Strengthened access controls, with an audit of all existing identity permissions and policies

The situation surrounding the alleged Oracle Cloud hack is still unfolding. While a threat actor claims to possess millions of stolen records and evidence of server access, Oracle vehemently denies any breach. The focus now shifts to further investigation and potential confirmation of the claims.

The alleged exploitation of a known vulnerability in Oracle Fusion Middleware highlights the critical importance of timely patching and robust security practices in cloud environments.
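The patch-management lesson above is easier to act on with a routine check that cross-references an asset inventory against the CISA KEV feed and flags hosts still exposed to a listed CVE, including hosts whose last patch date predates the KEV listing (the situation CloudSEK describes for a server last updated in 2014). The script below is an added example written for this newsletter, not code from Oracle, CloudSEK or CISA. The KEV field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the real feed, but the entry dates, the second catalog entry, and the inventory hosts are constructed placeholders.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE-2021-35587 is the CVE discussed in the article; its dates here and the
# entire second entry are placeholders, not the catalog's real values.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2021-35587", "vendorProject": "Oracle", "product": "Fusion Middleware",
     "vulnerabilityName": "Oracle Access Manager OpenSSO Agent (placeholder name)",
     "dateAdded": "2022-12-01", "dueDate": "2022-12-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleProduct",
     "vulnerabilityName": "Placeholder entry",
     "dateAdded": "2025-01-10", "dueDate": "2025-01-31", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed asset inventory, shaped like a CMDB export. Host names are invented.
SAMPLE_INVENTORY = [
    {"host": "login.example-region.internal", "vendor": "oracle", "product": "fusion middleware",
     "version": "11g", "last_patched": "2014-09-27", "patched_cves": []},
    {"host": "sso-02.internal", "vendor": "Oracle", "product": "Fusion Middleware",
     "version": "12c", "last_patched": "2023-02-15", "patched_cves": ["CVE-2021-35587"]},
    {"host": "app-01.internal", "vendor": "ExampleVendor", "product": "ExampleProduct",
     "version": "3.1", "last_patched": "2025-02-01", "patched_cves": []},
]


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    due_date: date
    days_overdue: int               # negative while the CISA due date is still in the future
    untouched_since_listing: bool   # no patching activity at all since the KEV entry was added
    ransomware_use: str


def _norm(s: str) -> str:
    """Case- and whitespace-insensitive key so 'Fusion Middleware' matches 'fusion middleware'."""
    return " ".join(s.lower().split())


def load_kev(text: str) -> list[dict]:
    """Parse the KEV feed JSON and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def find_exposures(inventory: list[dict], kev: list[dict], today: date) -> list[Finding]:
    """Flag every inventory row for each KEV CVE on its vendor/product that is not in patched_cves."""
    by_product: dict[tuple[str, str], list[dict]] = {}
    for entry in kev:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        by_product.setdefault(key, []).append(entry)

    findings: list[Finding] = []
    for row in inventory:
        key = (_norm(row["vendor"]), _norm(row["product"]))
        patched = {c.upper() for c in row.get("patched_cves", [])}
        last_patched = date.fromisoformat(row["last_patched"])
        for entry in by_product.get(key, []):
            cve = entry["cveID"].upper()
            if cve in patched:
                continue
            due = date.fromisoformat(entry["dueDate"])
            added = date.fromisoformat(entry["dateAdded"])
            findings.append(Finding(
                host=row["host"], cve=cve, due_date=due,
                days_overdue=(today - due).days,
                untouched_since_listing=last_patched < added,
                ransomware_use=entry.get("knownRansomwareCampaignUse", "Unknown"),
            ))
    # Most overdue first; host name breaks ties so output is stable between runs.
    findings.sort(key=lambda f: (-f.days_overdue, f.host))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """One line per finding, suitable for a ticket or a daily digest."""
    lines = []
    for f in findings:
        state = (f"{f.days_overdue} days past CISA due date" if f.days_overdue > 0
                 else f"due in {-f.days_overdue} days")
        flag = " (no patching activity since KEV listing)" if f.untouched_since_listing else ""
        lines.append(f"{f.host}: {f.cve} {state}{flag}; ransomware use: {f.ransomware_use}")
    return lines


if __name__ == "__main__":
    today = date(2025, 3, 25)  # constructed reference date
    for line in report(find_exposures(SAMPLE_INVENTORY, load_kev(SAMPLE_KEV_JSON), today)):
        print(line)
```

Matching on vendor and product rather than on version is deliberate: KEV entries do not carry affected-version ranges, so the feed can only tell you which products to look at. The `patched_cves` field is where the inventory records that a specific CVE has been closed; anything not recorded there is treated as exposed, which errs on the side of a false positive rather than a silently unpatched login server.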

We will continue to monitor this story for further updates.

Today’s Cyber Social Wall of Shame

23andMe has filed for bankruptcy. Good riddance.

Until next time…

Rob Waters
Founder
The Breach Report + Cybersecurity Careers Blog
