Oracle denies a recent alleged breach against its login servers

March 25, 2025
Oracle Data Breach Cloud Servers Cybersecurity

Oracle rejects a threat actor’s claim of a data breach that it says yielded millions of data records, which the actor is now offering for sale.

Reports stated that a hacker named rose87168 is selling 6 million data records purportedly obtained from the company’s cloud federated SSO login servers. However, the company insisted that there has been no breach in its cloud environment and that the published credentials are not for Oracle Cloud.

The company also assured the public that no customers had experienced a breach or lost data.


The hacker included samples of the stolen Oracle database to prove the legitimacy of the alleged breach.


A threat actor known as rose87168 published files that included a sample database and a list of organisations it claimed were taken from Oracle Cloud’s SSO platform.

As additional proof that it had access to the cloud servers, the threat actor provided a URL to one of the outlets that inquired. Reports show that the URL points to an Internet Archive capture indicating that the hacker had uploaded a .txt file containing its ProtonMail email address to the login.us2.oraclecloud.com server.

In addition, rose87168 is offering the allegedly stolen data from Oracle Cloud’s SSO service for an undisclosed fee or in exchange for zero-day exploits on the BreachForums hacking community.

It claimed that the data includes encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys. The threat actor also promised to share information with anyone who can help decrypt the SSO or LDAP credentials.

Furthermore, the hacker claimed to have gained access to Oracle Cloud servers about 40 days ago and to have emailed the firm after exfiltrating data from the US2 and EM2 regions. Rose87168 stated that it asked Oracle to pay 100,000 XMR for information on how it infiltrated the systems.

Still, the business allegedly refused to pay after requesting all the information needed to fix and patch the issue. When one of the outlets that inquired asked how the servers were breached, the hacker stated that all Oracle Cloud servers are running a vulnerable version affected by a public CVE (flaw) that does not yet have a public PoC or exploit.

The company advised that potentially affected parties should be cautious despite the unconfirmed compromise.
