CISA publishes a risk guideline for Oracle cloud hack victims

April 17, 2025

CISA is aware of public reporting regarding potential unauthorised access to a legacy Oracle cloud environment. While the scope and impact remain unconfirmed, the nature of the reported activity presents a potential risk to organisations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded.

Reports stated that when credential material is embedded, it is challenging to discover and, if exposed, can enable long-term unauthorised access.

Compromising credential material, such as usernames, emails, passwords, authentication tokens, and encryption keys, can create serious security risks for enterprise environments.

Cybercriminals often exploit these credentials to escalate privileges and move laterally across networks, gaining access to sensitive systems and data.

Once obtained, stolen credentials can be used to infiltrate cloud services and identity management platforms and conduct targeted attacks like phishing or business email compromise (BEC).

They are also commonly sold or traded on underground marketplaces, where threat actors may enrich them with data from past breaches to increase their value or effectiveness in future cybercriminal activities.


CISA recommends the following actions to reduce the risks associated with a potential Oracle cloud credential compromise.


For organisations affected by the Oracle breach, CISA advises resetting passwords for any known affected users across enterprise services, particularly where local credentials may not be federated through enterprise identity solutions.

Moreover, these entities should review their source code, infrastructure-as-code templates, automation scripts, and configuration files for hardcoded or embedded credentials and replace them with secure authentication methods supported by centralised secret management.

In addition, they should monitor authentication logs for anomalous activity, especially involving privileged, service, or federated identity accounts, and assess whether additional credentials may be associated with any known impacted identities.

They can also enforce phishing-resistant multi-factor authentication wherever technically feasible for all user and admin accounts.
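The two organisational steps above that lend themselves to automation are the search for embedded credentials and the review of authentication logs. The script below is an added example written for this article; it is not CISA's tooling or part of the advisory. Every file path, file content, account name, IP address and log line in it is constructed, and the log format (`ts user= result= src=`) is an assumed one; adapt the parser to whatever your identity provider emits.

```python
"""Added example: embedded-credential scan plus a simple auth-log review.

Part 1 scans repository-style files for hardcoded credentials and reports
where they are without echoing the secret itself. Values that start with
"$" are treated as references to a secret store, not as embedded secrets.
Part 2 walks authentication log lines and alerts when a privileged or
service account signs in from a source never seen for it, and when a
success follows a burst of failures for the same account and source.
All sample data below is constructed for this example.
"""
import re
from collections import defaultdict

# --- Part 1: embedded credential scan -------------------------------------

CREDENTIAL_PATTERNS = [
    ("password assignment",
     re.compile(r'(?i)(?:password|passwd|pwd|secret|api_key|token)\w*'
                r'\s*[:=]\s*["\']?([^"\'\s$][^"\'\s]*)')),
    ("bearer token", re.compile(r'(?i)bearer\s+([A-Za-z0-9\-_.=]{16,})')),
    ("private key", re.compile(r'-----BEGIN [A-Z ]*PRIVATE KEY-----')),
]

# Constructed repository snapshot: {path: contents}
SAMPLE_FILES = {
    "deploy.sh": (
        'export DB_PASSWORD="Sup3rS3cret!"\n'
        'curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.constructed_payload.sig" '
        'https://api.example.invalid/\n'
    ),
    "db.tfvars": 'db_password = "hunter2"\n',
    # Correct form: the value is a reference resolved by a secret manager
    "app.yaml": 'db:\n  password: ${secrets.db_password}\n',
    "ci/deploy_key": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder, no real key material)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}


def scan_for_embedded_credentials(files):
    """files: {path: text}. Returns findings as dicts with file, line and kind.

    Only the location and pattern kind are reported, never the matched value,
    so the scan output itself does not become another place secrets live.
    """
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in CREDENTIAL_PATTERNS:
                if pattern.search(line):
                    findings.append({"file": path, "line": line_no, "kind": kind})
    return findings


# --- Part 2: authentication log review ------------------------------------

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)

# Constructed baseline: privileged/service accounts and the sources they
# normally authenticate from (in practice, derived from weeks of history).
PRIVILEGED_ACCOUNTS = {"admin", "svc-backup", "svc-ci"}
KNOWN_SOURCES = {"svc-backup": {"10.0.0.5"}, "admin": {"10.0.0.2"}}

SAMPLE_AUTH_LOG = """\
2025-04-17T01:58:00Z user=alice result=SUCCESS src=10.0.0.40
2025-04-17T02:00:10Z user=svc-backup result=SUCCESS src=10.0.0.5
2025-04-17T02:13:00Z user=svc-backup result=SUCCESS src=198.51.100.23
2025-04-17T02:14:00Z user=admin result=FAILURE src=198.51.100.23
2025-04-17T02:14:05Z user=admin result=FAILURE src=198.51.100.23
2025-04-17T02:14:09Z user=admin result=FAILURE src=198.51.100.23
2025-04-17T02:14:20Z user=admin result=SUCCESS src=198.51.100.23
"""


def find_anomalous_logins(log_text, privileged, known_sources, fail_threshold=3):
    """Return alerts in log order. Each alert names the rule, user, src and ts."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> consecutive failures so far
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ev = m.groupdict()
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAILURE":
            failures[key] += 1
            continue
        # A success after repeated failures from the same source is the
        # classic guessing / credential-stuffing signature.
        if failures[key] >= fail_threshold:
            alerts.append({"rule": "success-after-failures", **ev})
        failures[key] = 0
        # Privileged or service identity authenticating from an unseen source.
        if ev["user"] in privileged and ev["src"] not in known_sources.get(ev["user"], set()):
            alerts.append({"rule": "privileged-login-new-source", **ev})
    return alerts


if __name__ == "__main__":
    for f in scan_for_embedded_credentials(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}: {f['kind']}")
    for a in find_anomalous_logins(SAMPLE_AUTH_LOG, PRIVILEGED_ACCOUNTS, KNOWN_SOURCES):
        print(f"{a['ts']} {a['rule']} user={a['user']} src={a['src']}")
```

On the constructed data the scan flags the shell script, the `.tfvars` file and the checked-in key, and leaves the YAML file alone because its value is a secret-manager reference; the log review raises one alert for the service account's new source and two for the admin account. Regex-only scanning produces both misses and false positives, so in production pair it with an allowlist and a dedicated secret scanner, and replace the static `KNOWN_SOURCES` baseline with one learned from the identity provider's history.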

For users, CISA recommends immediately updating any potentially affected passwords that may have been reused across different platforms or services.

Furthermore, users should use strong, unique passwords for each account and enable phishing-resistant MFA on services and applications that support it.

Lastly, users should remain alert against phishing attempts, including those that reference login issues, password resets, or suspicious activity notifications.
