Hacker News: Hack: 6M Records for Sale Exfiltrated from Oracle Cloud Affecting 140k+ Tenants

Source URL: https://cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
Source: Hacker News
Title: Hack: 6M Records for Sale Exfiltrated from Oracle Cloud Affecting 140k+ Tenants


Summary: The text details a significant security incident involving a threat actor who extracted sensitive data from Oracle Cloud’s SSO and LDAP. The breach affects over 140,000 tenants and highlights potential vulnerabilities in Oracle’s infrastructure, raising concerns over data security and risk management for cloud service providers and their customers.

Detailed Description:
The reported incident underscores critical security vulnerabilities and the risks posed by sophisticated threat actors in the cloud computing space. Here are the major points for analysis:

– **Incident Overview**: On March 21, 2025, CloudSEK’s XVigil identified a threat actor named “rose87168” who has been active since January 2025. The actor has allegedly exfiltrated 6 million records from Oracle Cloud’s SSO and LDAP systems.

– **Data Compromised**: The data includes:
  – Java KeyStore (JKS) files
  – Encrypted SSO passwords
  – Key files
  – Enterprise Manager JPS keys

– **Threat Actor’s Tactics**:
  – The actor is offering financial incentives for help in decrypting the stolen SSO passwords and is demanding fees from affected organizations for data removal.
  – The breach potentially exploits a vulnerability in Oracle Fusion Middleware (CVE-2021-35587), emphasizing a lack of patch management and security best practices.

– **Potential Impact**:
  – **Mass Data Exposure**: The compromise of sensitive authentication data exacerbates the risk of unauthorized access.
  – **Credential Compromise**: If the encrypted passwords are successfully decrypted, further breaches might occur.
  – **Financial and Reputational Risks**: Organizations are coerced into ransom payments, risking both their financial standing and brand reputation.
  – **Zero-Day Exploitation Concerns**: The possibility that an unpatched flaw was exploited indicates a serious gap in security measures for Oracle Cloud services.

– **Mitigation Strategies**:
  – Immediate resetting of all compromised passwords, especially for admin accounts, and enforcing strong password policies with MFA.
  – Regeneration of SASL/MD5 hashes or transitioning to more secure authentication methods.
  – Engagement with Oracle Support for remediation steps and identification of the potential supply chain attacks.
  – Implementing continuous monitoring for unauthorized access attempts and conducting thorough audits of recent account activities.
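The last mitigation point (monitoring for unauthorized access attempts and auditing recent account activity) is the one that can be turned into something concrete. The script below is an added example, not code from the CloudSEK report or from Oracle: it takes an export of SSO/LDAP bind events and flags (a) accounts that authenticated from a source address never seen before a chosen baseline cutoff, and (b) accounts that succeeded right after a burst of failed binds, which is the pattern a defender would expect if stolen, decrypted credentials were being tried. The log line format, the sample events and the cutoff date are all constructed for illustration; a real deployment would map its own LDAP or SSO audit format onto `parse_line`.

```python
"""Audit of recent SSO/LDAP authentication activity (added example).

Log format assumed here (constructed, not an Oracle format):
    <ISO-8601 timestamp> <BIND_OK|BIND_FAIL> user=<uid> src=<ip>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: two normal days, then an admin account
# hit with repeated failures before a success from an unfamiliar address.
SAMPLE_LOG = """\
2025-03-20T08:00:01Z BIND_OK user=alice src=10.1.2.3
2025-03-20T08:05:10Z BIND_OK user=bob src=10.1.2.4
2025-03-21T02:10:00Z BIND_FAIL user=admin src=198.51.100.7
2025-03-21T02:10:02Z BIND_FAIL user=admin src=198.51.100.7
2025-03-21T02:10:04Z BIND_FAIL user=admin src=198.51.100.7
2025-03-21T02:10:06Z BIND_FAIL user=admin src=198.51.100.7
2025-03-21T02:10:09Z BIND_OK user=admin src=198.51.100.7
2025-03-21T09:00:00Z BIND_OK user=alice src=10.1.2.3
2025-03-21T09:30:00Z BIND_OK user=bob src=203.0.113.9
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Turn one constructed log line into a dict of timestamp, outcome, user, source."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, TS_FORMAT),
        "ok": result == "BIND_OK",
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def parse_log(text):
    """Parse every non-empty line and return events sorted by time."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return sorted(events, key=lambda e: e["ts"])


def baseline_sources(events, cutoff):
    """Per user, the set of source addresses that succeeded before the cutoff."""
    seen = defaultdict(set)
    for e in events:
        if e["ts"] < cutoff and e["ok"]:
            seen[e["user"]].add(e["src"])
    return seen


def find_new_sources(events, cutoff):
    """Successful binds after the cutoff from an address absent from the baseline."""
    known = baseline_sources(events, cutoff)
    return [
        (e["user"], e["src"], e["ts"])
        for e in events
        if e["ts"] >= cutoff and e["ok"] and e["src"] not in known.get(e["user"], set())
    ]


def find_fail_then_success(events, min_fails=3, window=timedelta(minutes=5)):
    """A success preceded by at least `min_fails` failures inside `window` for the same user."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        recent_fails = []  # timestamps of failures still inside the window
        for e in evs:
            recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
            if not e["ok"]:
                recent_fails.append(e["ts"])
            elif len(recent_fails) >= min_fails:
                findings.append((user, e["src"], e["ts"], len(recent_fails)))
                recent_fails = []
    return findings


def audit(log_text, cutoff_iso):
    """Run both checks; `cutoff_iso` separates the baseline from the period under audit."""
    cutoff = datetime.strptime(cutoff_iso, TS_FORMAT)
    events = parse_log(log_text)
    return {
        "new_source": find_new_sources(events, cutoff),
        "fail_then_success": find_fail_then_success(events),
    }


if __name__ == "__main__":
    # Cutoff chosen to match the date the listing was reported; an assumption for the demo.
    report = audit(SAMPLE_LOG, "2025-03-21T00:00:00Z")
    for user, src, ts in report["new_source"]:
        print(f"NEW SOURCE    {user:<6} from {src} at {ts}")
    for user, src, ts, n in report["fail_then_success"]:
        print(f"FAIL->SUCCESS {user:<6} from {src} at {ts} after {n} failures")
```

Both checks are deliberately simple so that they work on whatever export a tenant can pull on short notice; the baseline cutoff should be set before the earliest date the actor is believed to have had access (the report says January 2025), and the `admin` hit is the kind of result that should drive the password-reset priority list rather than be reviewed in isolation.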

– **Recommendations for Organizations**:
  – Strengthening of access controls through the principle of least privilege.
  – Ongoing threat intelligence monitoring, particularly for discussions related to the breached data on the dark web.
  – Conducting a detailed incident response and forensics investigation to scope the compromise and prevent further exposure.

This incident serves as a stark reminder for cloud service providers and businesses relying on such infrastructures to prioritize robust security measures and proactive threat monitoring, particularly in the face of evolving cyber threats.