24 Mar

A threat actor named “rose87168” claimed to have stolen six million records from Oracle Cloud servers.
The stolen data reportedly includes Java Key Store (JKS) files, encrypted Single Sign-On (SSO) passwords, hashed Lightweight Directory Access Protocol (LDAP) passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys.
The breach allegedly affects over 140,000 tenants globally and raises serious concerns about cloud security.
The hacker claims to have exploited a vulnerability in Oracle Cloud’s login infrastructure, specifically targeting the endpoint login.(region-name).oraclecloud.com.
This subdomain reportedly hosted outdated Oracle Fusion Middleware software, which may have been susceptible to exploitation via CVE-2021-35587, a known vulnerability impacting Oracle Access Manager.
Stolen Data on Dark Web Forums

The stolen data is being advertised on dark web forums, including Breach Forums. “Rose87168” is demanding ransom payments from affected organizations to prevent the sale or exposure of their data.
The threat actor is also offering rewards to anyone who helps decrypt the encrypted SSO and hashed LDAP passwords.
Oracle has denied claims of a breach in its cloud infrastructure. In a statement issued on March 21, 2025, the company asserted that no customer data was compromised and that the published credentials were not linked to its systems.
Active since January 2025, “rose87168” has demonstrated sophisticated methods in orchestrating this attack. The hacker claims to have gained access approximately 40 days before advertising the stolen data online.
Organizations using Oracle Cloud are advised to take immediate action:
Reset Credentials: Change all SSO, LDAP, and associated passwords while enforcing strong password policies and multi-factor authentication (MFA).
Monitor Systems: Deploy security monitoring tools to detect unauthorized access or unusual activity.
Investigate Breach: Conduct forensic investigations to identify vulnerabilities and mitigate risks.
Engage with Oracle: Report the incident to Oracle and seek guidance on securing systems.
Strengthen Security: Implement strict access controls and enhanced logging mechanisms.

This breach underscores the growing sophistication of cyberattacks targeting cloud environments. It highlights the importance of regular software updates, proactive threat monitoring, and robust security measures to mitigate risks.
