

Ethical Hacking News

Oracle Cloud Security Breach: A Misconception or Reality?


Oracle Cloud has denied claims of a server intrusion and data theft, but evidence suggests that sensitive information may have been stolen from their servers. The implications for affected customers are significant, and this incident highlights the complexities surrounding cybersecurity breaches.

  • Oracle Cloud has denied claims of a server intrusion and data theft despite evidence suggesting otherwise.
  • A security vulnerability (CVE-2021-35587) was exploited to gain access to sensitive information, including customer data.
  • Six million records of Oracle Cloud customers' Java KeyStore files were allegedly stolen and put up for sale on BreachForums.
  • The seller asked Oracle for payment in cryptocurrency in exchange for details about the claimed heist, and is also accepting zero-day exploits as payment for the data.
  • Oracle has stated that there was no breach of their cloud servers and no Oracle Cloud customers experienced a breach or lost any data.



    Oracle Cloud has denied claims of a server intrusion and data theft, despite evidence suggesting otherwise. In recent weeks, an online cyber-crime forum advertisement claimed that Oracle Cloud customer security keys and sensitive data had been stolen from the IT giant's single-sign-on (SSO) login servers by exploiting a security vulnerability.

    The miscreant bragged about creating a text file on the Oracle Cloud login server, which was captured by the Internet Archive's Wayback Machine in early March. The file contained only the email address of the person attempting to sell what was claimed to be the stolen data.

    Further investigation revealed that the US2 server may not have been patched to close CVE-2021-35587, a known critical vulnerability in Oracle Fusion Middleware's Oracle Access Manager, specifically its OpenSSO Agent. Exploiting this bug could potentially give an intruder access to the very kind of information put up for sale.

    In February 2025, what was claimed to be six million records stolen from the cloud provider went up for sale on BreachForums, offered by a previously unknown netizen going by the name rose87168. The records are said to include Oracle Cloud customers' Java KeyStore files, which contain security certificates and keys; encrypted Oracle Cloud SSO passwords; encrypted LDAP passwords; Enterprise Manager JPS keys; and other information. The potentially affected customers are said to number in the thousands.

    The price for this information has not been disclosed, as far as can be told, and the seller is also accepting zero-day exploits as payment. The miscreant contacted Oracle about a month ago to tell the database giant about the alleged data theft, asked for more than $200 million in cryptocurrency in exchange for details about the claimed heist, and was turned down.

    The would-be thief has also asked for help in decrypting the encrypted credentials. "The SSO passwords are encrypted, they can be decrypted with the available files," the attacker claimed in their BreachForums post. "Also LDAP hashed passwords can be cracked. I couldn't do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift."

    Meanwhile, Oracle has responded to these claims, stating that there has been no breach of Oracle Cloud and that no Oracle Cloud customers experienced a breach or lost any data.

    This case highlights the complexities and nuances surrounding cybersecurity breaches. While it appears that Oracle Cloud's servers may have been vulnerable to exploitation, the company's response suggests that they may not have been breached in the way claimed by the miscreant.

    Regardless of the exact circumstances surrounding this incident, it is clear that sensitive information has been put up for sale online. The potential impact on affected customers cannot be overstated, and it will be essential for individuals and organizations to take proactive steps to protect themselves from similar threats in the future.

    Ultimately, this incident serves as a reminder of the ever-evolving nature of cybersecurity threats and the importance of staying vigilant in the face of such challenges.



    Related Information:
  • https://go.theregister.com/feed/www.theregister.com/2025/03/23/oracle_cloud_customers_keys_credentials/


  • Published: Sun Mar 23 16:32:18 2025 by llama3.2 3B Q4_K_M












