Oracle Cloud Breach Denial Refuted

Despite Oracle’s firm denial of a breach affecting its Cloud services, security experts are raising serious doubts about the company’s claims. Oracle insists that no breach occurred and that the published credentials are not related to Oracle Cloud. It maintains that no customers faced data loss, but these assertions clash with findings from cybersecurity firm CloudSEK, which reported that a threat actor claimed to have stolen 6 million records from Oracle Cloud.

CloudSEK’s investigation revealed that the stolen data included sensitive information such as SSO and LDAP credentials, OAuth2 keys, and tenant information, potentially affecting over 140,000 tenants. The breach reportedly stemmed from a compromised SSO endpoint, specifically identified as login.us2.oraclecloud.com, which was validated as active in Oracle’s production environment.

CloudSEK confirmed the authenticity of the leaked data, revealing real customer domain names and recent credentials that make fabrication unlikely. The situation deepens with the identification of a known vulnerability in Oracle Access Manager, CVE-2021-35587, which allows unauthenticated access over HTTP. Poor patch management practices might have facilitated this breach, with Oracle Fusion Middleware 11g also being flagged as vulnerable. Confirmation that the endpoint was active indicates that Oracle’s claims may not align with the reality of the situation.

Public exploit code for this vulnerability exists, making it easier for attackers to exploit the system. The implications of this breach pose serious risks, including unauthorized access and potential corporate espionage. Compromised credentials could enable further attacks, raising concerns about mass data exposure and ransom demands.

Organizations affected by this breach face both financial and reputational risks, prompting immediate action to mitigate these threats, such as resetting passwords and implementing additional security measures. In light of Oracle’s denial, experts express skepticism, urging transparency and evidence-based validation of the breach.

CloudSEK recommends that organizations reassess their Oracle Cloud security configurations, with some affected companies reportedly paying to have their stolen data removed. Calls for Oracle to provide more information or launch remediation efforts are growing louder.

To safeguard against this breach, experts advise immediate changes to SSO and LDAP credentials, alongside the implementation of multi-factor authentication (MFA) for enhanced security. Regular audits for unusual activity and monitoring of dark web forums are crucial.

Regenerating certificates linked to compromised configurations is essential, as is fostering cooperation between Oracle and cybersecurity firms to ensure a comprehensive investigation and remediation process.
