Originally published at ssojet
A Breach Forums user, “rose87168,” claimed to have stolen six million records from Oracle Cloud’s SSO and LDAP services and is offering the data for sale or in exchange for zero-day exploits. The stolen records reportedly include encrypted SSO and LDAP passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys. This breach allegedly impacts over 140,000 organizations, according to the threat actor.
Image courtesy of Arctic Wolf
The data was reportedly stolen by compromising the login.(region-name).oraclecloud.com servers. The attacker claimed that a vulnerable Oracle Cloud server affected by a publicly known CVE was exploited, although no public proof-of-concept (PoC) or exploit currently exists. Oracle has publicly denied any breach, asserting that no customers experienced data loss.
CloudSEK's analysis supports the threat actor's claims: the server in question was confirmed to be a legitimate production SSO endpoint used for OAuth2 authentication, and CloudSEK suggests that a critical vulnerability in Oracle Fusion Middleware, specifically CVE-2021-35587, may have been leveraged to compromise it.
Organizations listed among the 140,000 affected entities are advised to reset Oracle LDAP and SSO passwords, update their authentication methods, and rotate any associated credentials. The potential impact of the breach could extend beyond the listed organizations due to the interconnected nature of SaaS products hosted within Oracle Cloud.
Recommended Security Measures
In light of the alleged breach, organizations should implement the following measures to secure their systems:
- Reset/Rotate Oracle Credentials: All Oracle SSO and LDAP passwords should be reset and rotated. Strong password policies and Multi-Factor Authentication (MFA) must be enforced to enhance security.
- Update Oracle Authentication: Organizations are encouraged to regenerate SASL/MD5 hashes for Oracle systems or migrate to a more secure authentication method.
- Audit and Monitoring: Review logs for suspicious authentication attempts and investigate recent account activities to detect potential unauthorized access.
- Enhanced Security Protocols: Immediately rotate all SSO, LDAP, and associated credentials. Implement strict access control policies and adopt the principle of least privilege.
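As an added example (not code from the original post or from any vendor tool), the following Python script shows how the audit and rotation steps above can be checked against SSO authentication logs: it lists accounts whose credentials have not been rotated since a chosen cutoff, flags failure-then-success bursts from one source, and reports source IPs first seen only after the cutoff. The log line format, the rotation record and the cutoff date are all constructed assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timezone
# Constructed SSO auth events (format assumed for this example, not Oracle's): ts user ip outcome
SAMPLE_EVENTS = """\
2025-03-20T08:01:00Z alice 10.0.0.5 SUCCESS
2025-03-21T03:12:00Z alice 203.0.113.7 FAILURE
2025-03-21T03:12:30Z alice 203.0.113.7 FAILURE
2025-03-21T03:13:00Z alice 203.0.113.7 SUCCESS
2025-03-22T09:00:00Z bob 10.0.0.9 SUCCESS
"""
# Constructed record of each account's last SSO/LDAP credential rotation.
LAST_ROTATION = {"alice": "2025-01-10T00:00:00Z", "bob": "2025-03-25T00:00:00Z"}
# Hypothetical cutoff from which the stolen credentials are treated as usable.
CUTOFF = "2025-03-21T00:00:00Z"

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_events(text):
    """One event per line, returned in time order with tz-aware timestamps."""
    events = []
    for line in text.splitlines():
        ts, user, ip, outcome = line.split()
        events.append({"ts": parse_ts(ts), "user": user, "ip": ip, "outcome": outcome})
    return sorted(events, key=lambda e: e["ts"])

def unrotated_accounts(last_rotation, cutoff=CUTOFF):
    """Accounts whose last rotation predates the cutoff are still exposed."""
    c = parse_ts(cutoff)
    return sorted(u for u, t in last_rotation.items() if parse_ts(t) < c)

def failure_then_success(events, window_seconds=300):
    """(user, ip) pairs where a success follows a failure from the same IP within the window."""
    last_fail, hits = {}, set()
    for e in events:
        key = (e["user"], e["ip"])
        if e["outcome"] == "FAILURE":
            last_fail[key] = e["ts"]
        elif key in last_fail and (e["ts"] - last_fail[key]).total_seconds() <= window_seconds:
            hits.add(key)
    return sorted(hits)

def new_source_ips(events, cutoff=CUTOFF):
    """Per user, source IPs first seen only after the cutoff (worth a closer look)."""
    c = parse_ts(cutoff)
    before, after = defaultdict(set), defaultdict(set)
    for e in events:
        (before if e["ts"] < c else after)[e["user"]].add(e["ip"])
    return {u: sorted(after[u] - before[u]) for u in after if after[u] - before[u]}
```

Feed the three functions your own exported auth events and rotation inventory; accounts that appear in more than one result deserve immediate attention.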
Image courtesy of CloudSEK
For organizations utilizing SSO or IAM solutions, it is crucial to implement secure user management practices. SSOJet provides an API-first platform that enables directory sync, SAML, OIDC, and magic link authentication, ensuring robust security for enterprise clients.
Impact and Threat Actor Analysis
The breach highlights significant risks, including mass data exposure, credential compromise, and potential extortion. The threat actor is reportedly coercing affected companies to pay for data removal, increasing financial and reputational risks.
The vulnerability allegedly exploited, CVE-2021-35587, may allow an unauthenticated attacker with HTTP network access to compromise Oracle Access Manager. The threat actor's activities raise concerns regarding Oracle Cloud security and potential future attacks.
For organizations looking to bolster their security posture, SSOJet offers advanced solutions in single sign-on (SSO), multi-factor authentication (MFA), and user management. Explore our services or contact us at SSOJet to ensure your enterprise is secure and compliant.