A recent analysis by CloudSEK’s XVigil platform has revealed a significant cyberattack on Oracle Cloud, which has resulted in the unauthorized access and exfiltration of approximately six million records, potentially compromising over 140,000 tenants. The perpetrator, known as ‘rose87168,’ is reportedly selling this sensitive data—including JKS files, encrypted single sign-on (SSO) passwords, key files, and enterprise manager JPS keys—on Breach Forums and various dark web marketplaces.
The attacker, whose activities have reportedly been traced back to January 2025, claims to have exploited a subdomain, specifically login.us2.oraclecloud.com, which has since been taken offline. This subdomain was found to host Oracle Fusion Middleware 11G, according to a record retrieved from the Wayback Machine dated February 17, 2025. The threat actor is demanding ransom payments from affected tenants for the deletion of their stolen data, even going so far as to offer incentives for assistance with decrypting the compromised SSO and Lightweight Directory Access Protocol (LDAP) passwords.
CloudSEK’s investigation suggests that the breach may stem from vulnerabilities in outdated versions of Oracle Cloud servers. Specifically, it points to the exploitation of CVE-2021-35587, a known flaw associated with Oracle Fusion Middleware (OpenSSO Agent). The vulnerable versions identified include 11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0. This flaw, which was included in the CISA KEV catalog in December 2022, allows unauthenticated attackers to compromise Oracle Access Manager, potentially facilitating a complete takeover of the environment. The nature of the exfiltrated data aligns with the capabilities this vulnerability enables, allowing for initial access followed by lateral movement within the Oracle Cloud infrastructure.
Further investigation of the Oracle Fusion Middleware server revealed that it was last updated in September 2014, highlighting a lack of appropriate patch management and the presence of outdated software susceptible to attacks. CloudSEK researchers emphasized that the easily exploitable vulnerability provided the means for the threat actor to gain unauthorized access, leveraging their ability to compromise Oracle Access Manager through unauthenticated network access.
In response to these revelations, Oracle has issued a firm denial, stating that there has been no breach of its cloud infrastructure. The company asserts that the published credentials do not belong to Oracle Cloud and affirms that no customers have suffered a breach or data loss. This official statement directly contradicts the findings of CloudSEK and the claims made by the attacker.
Should the breach be confirmed, its potential impact could be substantial, given the sheer volume of exposed records, and the exposure heightens the risk of unauthorized access and corporate espionage. The compromised JKS files are particularly alarming: as Java keystores they contain cryptographic keys crucial for decrypting sensitive data and may provide gateways to other systems within the targeted organizations. Additionally, the exposure of encrypted SSO and LDAP passwords could facilitate broader access to Oracle Cloud environments if those passwords are decrypted.
To mitigate risks, CloudSEK advises immediate actions, including the rotation of credentials, thorough incident response and forensic analysis, continuous monitoring of threat intelligence, and collaboration with Oracle Security for validation and remediation. Emphasizing the importance of robust security measures, they recommend strengthening access controls to avert future incidents.
Understanding the implications of this cyberattack highlights the importance of adopting a proactive stance toward cybersecurity. By addressing potential vulnerabilities and enhancing security protocols, organizations can better protect against future threats and safeguard their sensitive data from malicious actors.