
A significant security breach at Oracle Cloud has been reported, with a cybercriminal claiming to have stolen approximately 6 million records from Oracle's single-sign-on (SSO) login servers. The threat actor, operating under the alias "rose87168," began advertising the allegedly stolen data on BreachForums.
According to cybersecurity firm CloudSEK, which first discovered and investigated the breach, the compromised data includes Java KeyStore files containing security certificates and keys, encrypted Oracle Cloud SSO passwords, encrypted LDAP passwords, Enterprise Manager JPS keys, and other sensitive information. The breach reportedly affects over 140,000 Oracle Cloud tenants.

However, Oracle has categorically denied these claims. "There has been no breach of Oracle Cloud," a spokesperson told The Register. "The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
CloudSEK's follow-up analysis, however, presents evidence that challenges Oracle's denial. The firm confirmed that login.us2.oraclecloud was a legitimate Oracle Cloud production server handling authentication, and verified that multiple domains on the attacker's list belong to actual Oracle Cloud customers rather than test accounts.

The threat actor demonstrated access by uploading a text file to login.us2.oraclecloud containing their email address. CloudSEK believes the server was compromised by exploiting CVE-2021-35587, a critical vulnerability in Oracle Fusion Middleware's Access Manager that allows unauthenticated attackers to gain complete system control via HTTP.
According to reports, the attacker previously contacted Oracle about a month before the public disclosure, demanding over $200 million in cryptocurrency for information about the breach, which Oracle declined. Now, rose87168 is reportedly offering to remove specific companies' data for payment and is seeking assistance in decrypting the stolen credentials.
The attacker has released a list of company domain names claimed to be affected by this breach. The shared text file contains 140,621 domain names in total, including major names such as Google, Microsoft, Apple, Amazon, Facebook, IBM, Accenture, Deloitte, Salesforce, Cisco, Intel, HP, Samsung, Sony, Siemens, Ford, Toyota, Volkswagen, Nestlé, Coca-Cola, Pepsi, McDonald's, Starbucks, Disney, Warner Bros., Netflix, JPMorgan Chase, Bank of America, Wells Fargo, Citigroup, Visa, Mastercard, Verizon, AT&T, T-Mobile, and more.
Apart from the company list, the attacker has also released a video taken from the Oracle server: a video tutorial on Exadata analysis.
Security experts recommend that potentially affected organizations immediately reset all credentials, regenerate certificates, implement multi-factor authentication, and closely monitor for unauthorized access attempts.
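Because the stolen data reportedly includes Java KeyStore files, the first step in "regenerate certificates" is knowing which aliases, keys and certificate chains each keystore holds. The stand-alone parser below is an added example (not code from the article, CloudSEK or Oracle): it walks the cleartext framing of the JKS format to inventory entry names, types and creation dates, skips the encrypted key blobs, and runs against a constructed sample keystore whose certificate and key bytes are placeholders.

```python
import struct
import time

JKS_MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2

def _field(buf, pos, fmt):
    """Length-prefixed field: ">H" prefix for a Java UTF string, ">I" for a byte blob."""
    (n,) = struct.unpack_from(fmt, buf, pos)
    pos += struct.calcsize(fmt)
    return buf[pos:pos + n], pos + n

def inventory_jks(data):
    """List (alias, kind, created_utc_date, chain_length) for every entry in a JKS file."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _field(data, pos + 4, ">H")
        (ts_ms,) = struct.unpack_from(">Q", data, pos)  # creation time, ms since epoch
        created = time.strftime("%Y-%m-%d", time.gmtime(ts_ms // 1000))
        pos, chain = pos + 8, 1
        if tag == PRIVATE_KEY:
            _, pos = _field(data, pos, ">I")            # encrypted PKCS#8 key: skipped, never decrypted
            (chain,) = struct.unpack_from(">I", data, pos)
            pos += 4
        elif tag != TRUSTED_CERT:
            raise ValueError(f"unknown entry tag {tag} at offset {pos}")
        for _ in range(chain):                           # cert chain (one cert for trusted entries)
            _, pos = _field(data, pos, ">H")             # certificate type, e.g. "X.509"
            _, pos = _field(data, pos, ">I")             # DER bytes, not decoded here
        kind = "private-key" if tag == PRIVATE_KEY else "trusted-cert"
        entries.append((alias.decode(), kind, created, chain))
    return entries

# Constructed sample keystore (placeholder bytes, not real keys or certificates):
# one private-key entry with a 2-certificate chain, one trusted CA entry, then the
# trailing 20-byte SHA-1 integrity digest that keytool appends (not verified here).
def _u(s): return struct.pack(">H", len(s)) + s.encode()
def _b(b): return struct.pack(">I", len(b)) + b
SAMPLE_JKS = (
    struct.pack(">III", JKS_MAGIC, 2, 2)
    + struct.pack(">I", PRIVATE_KEY) + _u("sso-signing") + struct.pack(">Q", 1700000000000)
    + _b(b"\x30\x00") + struct.pack(">I", 2) + 2 * (_u("X.509") + _b(b"\x30\x00"))
    + struct.pack(">I", TRUSTED_CERT) + _u("corp-root-ca") + struct.pack(">Q", 1600000000000)
    + _u("X.509") + _b(b"\x30\x00") + bytes(20)
)
```

Running `inventory_jks` over each recovered `.jks` file yields the alias list to feed into certificate revocation and key rotation; a real keystore would additionally have its trailing digest checked against the store password.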