Full Report
Oracle denies it was breached after a threat actor claimed to be selling 6 million data records allegedly stolen from the company's Oracle Cloud federated SSO login servers [...]
Analysis Summary
# Incident Report: Alleged Oracle Cloud Data Theft Claim
## Executive Summary
A threat actor, "rose87168," claimed to have stolen approximately 6 million data records from Oracle Cloud's Single Sign-On (SSO) platform, including encrypted passwords and key files. Oracle has publicly denied suffering a data breach. The attacker demonstrated access by uploading a text file to an Oracle Cloud server, but their methods for accessing the SSO platform remain unconfirmed by Oracle.
## Incident Details
- Discovery Date: Undisclosed (Claim surfaced publicly)
- Incident Date: Attacker claims access gained approximately 40 days prior to report.
- Affected Organization: Oracle (via their cloud SSO platform)
- Sector: Technology/Cloud Services
- Geography: US regions (`login.us2.oraclecloud.com` and `em2`)
## Timeline of Events
### Initial Access
- Date/Time: Approximately 40 days prior to the report.
- Vector: Claimed compromise of Oracle Cloud's SSO platform (`login.(region-name).oraclecloud.com`).
- Details: Threat actor uploaded a proof-of-concept `.txt` file containing their ProtonMail address to the `login.us2.oraclecloud.com` server, demonstrating file upload capability.
### Lateral Movement
- No specific details on internal lateral movement were provided, though access was claimed across US2 and EM2 cloud regions.
### Data Exfiltration/Impact
- Claimed theft of 6 million records, including encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys.
- The threat actor began selling the alleged data (or exchanging it for zero-day exploits) on the BreachForums hacking forum.
### Detection & Response
- **Detection:** The threat actor shared evidence with BleepingComputer, who subsequently contacted Oracle.
- **Response:** Oracle publicly denied the breach. The attacker claims they emailed Oracle after data exfiltration, requesting 100,000 XMR for details on the breach methodology, which Oracle allegedly refused to pay after seeking remediation information.
## Attack Methodology
- Initial Access: Compromise of Oracle Cloud Single Sign-On (SSO) services.
- Persistence: Not explicitly detailed, but claimed access across regions for 40 days.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Claimed access to encrypted SSO passwords and crackable LDAP hashed passwords.
- Discovery: Not detailed.
- Lateral Movement: Implied movement between US2 and EM2 cloud regions.
- Collection: Theft of JKS files, key files, and user record data.
- Exfiltration: Unspecified method used after gaining access to the SSO infrastructure.
- Impact: Data theft and subsequent attempt to monetize findings/access.
## Impact Assessment
- Financial: Undisclosed; Oracle denied the breach. The actor sought 100,000 XMR ransom.
- Data Breach: Allegedly included 6 million records, encrypted SSO passwords, JKS files, and enterprise manager JPS keys.
- Operational: No confirmed operational impact, pending verification of the breach.
- Reputational: Potential reputational damage due to the public claim and evidence provided.
## Indicators of Compromise
- **Network indicators (Defanged):**
- `login.us2.oraclecloud.com` (Target of proof-of-concept activity)
- `login.(region-name).oraclecloud.com` (General targeted infrastructure)
- **File indicators:**
- Proof-of-concept `.txt` file uploaded to the server.
- Stolen assets claimed: Encrypted SSO passwords, JKS files, key files, JPS keys.
- **Behavioral indicators:**
- Unauthorized file upload activity demonstrated on cloud infrastructure.
- Data marketplace listing on BreachForums.
## Response Actions
- **Containment:** Not applicable/detailed as Oracle denied the breach and thus specific containment measures were not publicly disclosed.
- **Eradication:** Not applicable/detailed.
- **Recovery:** Not applicable/detailed.
## Lessons Learned
- The threat actor was able to upload a file to a specific Oracle Cloud server (`login.us2.oraclecloud.com`), which serves as critical evidence challenging the denial of access, even if the full scope of compromise is unverified.
- Effective communication strategies are necessary when an outside party presents evidence of a compromise versus a formal internal detection.
- The monetization strategy involved selling data or demanding ransom for zero-day information related to the breach method.
## Recommendations
- Conduct immediate, thorough forensic analysis on all SSO infrastructure components in the US2 and EM2 cloud regions to confirm or deny unauthorized file upload capabilities and credential exposure.
- Review and restrict privileged access mechanisms used for the SSO platform, ensuring multi-factor authentication (MFA) is enforced universally where applicable.
- Implement stricter monitoring and alerting on file upload capabilities on authentication and administrative endpoints.