# Incident Report: Oracle Cloud Data Exfiltration Claim
## Executive Summary
On March 21, 2025, CloudSEK reported claims by threat actor "rose87168" regarding the exfiltration of over 6 million records from Oracle Cloud’s SSO and LDAP systems. The alleged breach impacts over 140,000 tenants and involves sensitive authentication materials. While the attacker claims success via exploitation of an older login endpoint, Oracle has publicly denied any such breach occurred.
## Incident Details
- Discovery Date: March 21, 2025 (Date of CloudSEK report)
- Incident Date: Unknown, potentially prior to March 21, 2025
- Affected Organization: Oracle Cloud (Tenants potentially affected)
- Sector: Cloud Services/Technology
- Geography: Not explicitly stated; likely global, given the worldwide footprint of Oracle Cloud infrastructure
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Prior to March 21, 2025)
- Vector: Vulnerability Exploitation (Potential 1-day vulnerability)
- Details: Attackers may have exploited an undisclosed vulnerability in an Oracle Cloud login endpoint (`login.region-name.oraclecloud.com`), possibly related to unpatched legacy Oracle Access Manager versions associated with CVE-2021-35587.
### Lateral Movement
- Details: Not explicitly detailed in the report; however, reaching both the SSO and LDAP data stores implies some movement within the environment to collect the authentication data.
### Data Exfiltration/Impact
- Details: Threat actor claims to have exfiltrated over 6 million records, including sensitive authentication materials such as JKS files, encrypted passwords, and key files (JPS keys). The actor is offering the data for sale.
### Detection & Response
- Date/Time: March 21, 2025 (CloudSEK public report)
- Details: Incident was publicly disclosed via a threat intelligence report by CloudSEK. Oracle has denied the breach. No specific internal response actions by the organization are detailed in the provided context.
## Attack Methodology
- Initial Access: Vulnerability exploitation (potential CVE-2021-35587 or similar flaw in legacy login endpoint).
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed, but if the exfiltration claim is accurate, existing security controls were bypassed or did not detect the activity.
- Credential Access: Accessing key files (JKS/JPS) and encrypted passwords from SSO/LDAP systems.
- Discovery: Not detailed.
- Lateral Movement: Moving within the target infrastructure to reach SSO and LDAP repositories.
- Collection: Gathering 6 million authentication-related records.
- Exfiltration: Transfer of proprietary authentication materials.
- Impact: Data theft impacting confidentiality and integrity of authentication mechanisms.
## Impact Assessment
- Financial: Unknown, but potential costs related to forensic investigation and remediation for affected tenants.
- Data Breach: Claimed exfiltration of over 6 million records, including JKS files, encrypted passwords, and key files, potentially affecting over 140,000 tenants.
- Operational: If claims are true, severe operational impact due to compromised authentication infrastructure.
- Reputational: Significant reputational damage pending verification of the claims.
## Indicators of Compromise
- Network Indicators: Target endpoints include `login.region-name.oraclecloud.com` and `login.us2.oraclecloud.com`.
- File Indicators: JKS files, JPS keys, and files allegedly uploaded by the threat actor (not specified).
- Behavioral Indicators: Threat actor alias "rose87168" attempting to sell data on the darknet.
## Response Actions
- Containment: No specific organizational containment actions documented *prior* to the public report.
- Eradication: Not applicable/Unknown, pending verification of the incident.
- Recovery: Not applicable/Unknown.
## Lessons Learned
- **Patching and Legacy Systems:** The potential attack vector highlights the critical danger of running outdated middleware/login agents (like Oracle Access Manager) that have known CVEs, even if the instance was infrequently used or appeared secure.
- **Supply Chain Visibility:** The incident underscores the need for comprehensive monitoring and auditing of vendor components within critical infrastructure.
## Recommendations
- **Immediate Vulnerability Review:** Review all login and authentication endpoints for known vulnerabilities, especially those referencing CVE-2021-35587 or similar Oracle Access Manager flaws.
- **Decommission Legacy Systems:** Immediately retire or update any middleware services identified as being severely outdated (e.g., instances last updated in 2014).
- **MFA/Zero Trust Enforcement:** Assess whether strong Multi-Factor Authentication (MFA) across all tenants would have limited the usefulness of the stolen authentication materials, and enforce it where it is not already in place.
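As an added illustration of the three review steps above (this is not code from CloudSEK, Oracle, or the report's author), the Python script below triages a constructed inventory of authentication endpoints: it flags components whose last patch date exceeds an assumed age threshold, components whose product appears on a placeholder list that must be verified against the vendor advisory for CVE-2021-35587, and endpoints where MFA is not enforced. All hostnames, products, versions and dates in the inventory are constructed, and the two-year threshold is an assumption.

```python
"""Triage an authentication-endpoint inventory for legacy components.

Added example, not part of the original report. The inventory, the age
threshold and the advisory product list are constructed or assumed.
"""
from dataclasses import dataclass
from datetime import date

# Assumption: a login component not patched for more than two years is
# treated as "severely outdated" and queued for retirement or update.
MAX_PATCH_AGE_DAYS = 730

# Placeholder mapping of middleware products to the advisory their version
# must be checked against. The report names Oracle Access Manager and
# CVE-2021-35587; any other entries would come from your own vendor list.
ADVISORY_PRODUCTS = {"Oracle Access Manager": "CVE-2021-35587"}


@dataclass(frozen=True)
class Endpoint:
    host: str
    product: str
    version: str
    last_patched: date
    mfa_enforced: bool


# Constructed sample inventory (hostnames, versions and dates are made up).
SAMPLE_INVENTORY = [
    Endpoint("login-legacy.example.com", "Oracle Access Manager",
             "legacy-version-placeholder", date(2014, 6, 1), False),
    Endpoint("sso-old.example.com", "Example IdP", "4.2",
             date(2022, 1, 15), True),
    Endpoint("login.example.com", "Example IdP", "5.1",
             date(2025, 2, 1), True),
]


def patch_age_days(endpoint, today):
    """Days elapsed since the endpoint was last patched."""
    return (today - endpoint.last_patched).days


def triage(endpoints, today, max_age_days=MAX_PATCH_AGE_DAYS):
    """Return [(host, [finding, ...]), ...] for endpoints needing action.

    Endpoints with no findings are omitted; the rest are ordered with the
    most findings first so the worst cases are reviewed first.
    """
    results = []
    for ep in endpoints:
        findings = []
        age = patch_age_days(ep, today)
        if age > max_age_days:
            findings.append(
                f"not patched for {age} days (last patched {ep.last_patched.isoformat()})"
            )
        advisory = ADVISORY_PRODUCTS.get(ep.product)
        if advisory:
            findings.append(
                f"{ep.product} {ep.version}: verify version against advisory for {advisory}"
            )
        if not ep.mfa_enforced:
            findings.append("MFA not enforced")
        if findings:
            results.append((ep.host, findings))
    # Stable sort keeps inventory order among endpoints with equal counts.
    results.sort(key=lambda item: -len(item[1]))
    return results


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY, date(2025, 3, 21)):
        print(host)
        for finding in findings:
            print(f"  - {finding}")
```

Running the script against the constructed inventory lists the 2014-era Oracle Access Manager host first (three findings) and the merely stale IdP second; the current endpoint produces no output. Replacing `SAMPLE_INVENTORY` with a real export from a CMDB turns this into a quick first pass for the review.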