Massive Oracle Cloud Data Breach Impacts Unknown Number of Clients

March 28, 2025


It’s unclear how many of the 140,000 or so Oracle Cloud clients have suffered damage from the recent data breach, but the keys the attackers claim to have raise a lot of alarm.

As many as 140,000 Oracle Cloud clients are now dealing with the possibility of a supply chain compromise, though the company has not yet confirmed the incident. Researchers with cybersecurity firm CloudSEK are confident that the data breach has taken place, however, citing a number of pieces of evidence in a “deep dive” incident report.

The attackers claim to have taken at least six million records, and have both attempted to extort Oracle and claim to be privately threatening impacted Oracle clients along the supply chain with ransom demands. Among the files that they stole are a collection of encrypted passwords that they are also attempting to crowdsource the cracking of, offering to share stolen data in return for assistance.

Oracle has yet to take ownership of the data breach; CloudSEK has high confidence it took place

There is still some tension over the incident, as Oracle issued a denial of the data breach to the media shortly after the CloudSEK report dropped, followed shortly by a second report from the researchers presenting what appears to be compelling evidence that the threat actors had legitimate access to an Oracle Cloud subdomain. The true test will be whether a major Oracle client comes forward to confirm a follow-on data breach, but that has not happened as of yet, despite the threat actors claiming they are actively extorting an unknown number of organizations.

The attackers also claim that after they breached the Oracle Cloud subdomain, they offered to explain the vulnerability to Oracle and make everything go away for a payment of 100,000 XMR. They say Oracle turned that offer down. CloudSEK reports first finding the dark web postings offering up the stolen data on March 21. The attackers say that they breached subdomain “login.us2.oraclecloud.com” and took JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys among the roughly six million files exfiltrated.

Oracle Cloud incident could prove costly and embarrassing

Oracle’s seeming reticence about admitting to the incident could very well have to do with the embarrassing circumstances of the data breach. The researchers say that the breached subdomain was hosting Oracle Fusion Middleware 11g. That formally went out of service in January 2022, but further research indicates that this particular instance had not actually been patched since 2014. That allowed the attackers to put a novel spin on an old vulnerability, one that was also first documented in 2014 but for which no working exploit had been publicly disclosed until now.

It remains unclear what Oracle knew and when they knew it. It’s also unclear how many of the 140,000 or so Oracle Cloud clients have suffered damage, but the keys the attackers claim to have raise a lot of alarm. This has serious potential to be another MOVEit or SolarWinds-scale event if a significant number of these clients experience their own data breaches.

Though Oracle has yet to confirm the incident, the evidence is credible enough that potentially impacted organizations should assume the claims the threat actors are making are real. First steps include rotating all credentials related to Oracle Cloud services, resetting the passwords of all LDAP user accounts, and regenerating SASL/MD5 hashes (or taking the opportunity to implement a more secure method). There is also enough information out there that clients have a right to press Oracle for better answers and better transparency on the issue.
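As an added illustration of the LDAP password reset step above (this is example code written for this article, not Oracle's tooling or anything from the CloudSEK report), the script below scans a constructed LDIF export of user accounts and lists the accounts whose stored password verifiers use weak or unsalted schemes such as MD5 or SMD5, which is exactly the class of hashes that becomes an offline cracking target once a directory dump has been exfiltrated. The sample entries, user names and hash values are placeholders; the set of schemes treated as weak is an assumption you should adjust to your own directory's policy.

```python
import base64
import re
from typing import Dict, List

# Constructed sample LDIF export (placeholder users and placeholder hash values,
# not data from the Oracle incident). The "::" form carries a base64 value.
SAMPLE_LDIF = """dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword: {SSHA512}UGxhY2Vob2xkZXJTYWx0ZWRIYXNo

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword: {MD5}UGxhY2Vob2xkZXJNRDVIYXNo

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword: {SMD5}UGxhY2Vob2xkZXJTYWx0ZWRNRDU=

dn: uid=dave,ou=people,dc=example,dc=com
uid: dave
userPassword: {CRYPT}$6$placeholdersalt$placeholderhash

dn: uid=eve,ou=people,dc=example,dc=com
uid: eve
userPassword:: e1NIQX1hYmM=
"""

# Assumed policy: schemes that are unsalted, fast, or plaintext should be reset
# after a directory compromise. Adjust to local policy.
WEAK_SCHEMES = {"CLEARTEXT", "MD5", "SMD5", "SHA", "SSHA"}


def parse_ldif(text: str) -> List[Dict[str, str]]:
    """Parse a minimal LDIF export into a list of attribute dictionaries.

    Handles the 'attr: value' and 'attr:: base64value' forms; blank lines
    separate entries. Multi-valued attributes keep the last value seen,
    which is enough for a userPassword audit.
    """
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[key.strip()] = value
    if current:
        entries.append(current)
    return entries


def hash_scheme(user_password: str) -> str:
    """Return the RFC 2307-style scheme tag of a userPassword value, e.g. 'SSHA512'.

    A value without a '{SCHEME}' prefix is treated as CLEARTEXT.
    """
    match = re.match(r"\{([A-Za-z0-9-]+)\}", user_password)
    return match.group(1).upper() if match else "CLEARTEXT"


def accounts_needing_reset(ldif_text: str) -> List[str]:
    """List uids whose stored verifier uses a scheme in WEAK_SCHEMES."""
    flagged = []
    for entry in parse_ldif(ldif_text):
        scheme = hash_scheme(entry.get("userPassword", ""))
        if scheme in WEAK_SCHEMES:
            flagged.append(entry.get("uid", entry.get("dn", "<unknown>")))
    return sorted(flagged)


if __name__ == "__main__":
    for uid in accounts_needing_reset(SAMPLE_LDIF):
        print(f"reset required: {uid}")
```

Run against a real export (for example the output of `ldapsearch -LLL` for the people branch), the flagged list is the minimum set of accounts to reset; when the whole directory is presumed exposed, the article's advice to reset every account still applies, and the scheme audit is better used to confirm that the new verifiers land in a salted, slow scheme rather than back in MD5.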