NIX Solutions: Oracle Denies Data Leak Claims

Oracle has denied allegations of a cyberattack after a hacker claimed to have stolen millions of records from its servers. In mid-March, an attacker using the alias rose87168 asserted that they had obtained 6 million records from Oracle Cloud Federated SSO Login servers. A sample of the data, posted on the dark web, allegedly contained a database extract, LDAP information, and a list of companies utilizing Oracle Cloud.

Oracle, however, has firmly dismissed these claims. In a statement, the company clarified: “There was no breach of Oracle Cloud. The credentials published are not related to Oracle Cloud. No Oracle Cloud customers experienced a breach or data loss.”


Hacker Sells Alleged Data

Despite Oracle’s denial, rose87168 has put the purported archive up for sale, accepting either an undisclosed sum or zero-day exploits in exchange. The attacker claims the stolen data includes encrypted SSO passwords, Java Key Store (JKS) files, key files, and Enterprise Manager JPS keys.

“SSO passwords are encrypted, but they can be decrypted using accessible files. It is also possible to crack the hashed LDAP password. I will list the domains of all the companies affected. Organizations can pay a certain amount to remove their employees’ information before the data is sold,” the hacker stated.

Security experts warn that if the leak is genuine, the consequences could be severe. Stolen JKS files are particularly concerning: a Java keystore holds private keys and certificates, so anyone who extracts them can decrypt data protected by those keys and impersonate the services that use them. Compromised SSO and LDAP credentials are just as dangerous. Even hashed passwords can be cracked offline against a leaked dump, and any password reused across systems then gives the attacker a foothold in the networks of companies relying on Oracle Cloud services.
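To make the warning about hashed LDAP passwords concrete, here is an added example (not code from the article, from Oracle, or from the attacker) that shows why a leaked LDAP dump is still dangerous when the passwords are hashed. It builds a few directory entries in OpenLDAP's {SSHA} and {SHA} formats with a constructed salt and a constructed wordlist, then runs an offline dictionary attack over them. All entries, salts and candidate passwords are made up for the demonstration.

```python
import base64
import hashlib
import hmac


def make_ssha(password: str, salt: bytes) -> str:
    """OpenLDAP {SSHA}: base64(SHA1(password || salt) || salt). Salt is 4 bytes here."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_sha(password: str) -> str:
    """OpenLDAP {SHA}: unsalted base64(SHA1(password)); even weaker than {SSHA}."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA} or {SHA} value (constant-time compare)."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, rest is salt
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{SHA}"):
        digest = base64.b64decode(stored[len("{SHA}"):])
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, digest)
    raise ValueError("unsupported LDAP password scheme: " + stored[:8])


def crack(stored: str, wordlist):
    """Offline dictionary attack: nothing talks to a server, so there is no lockout or rate limit."""
    for candidate in wordlist:
        if verify(candidate, stored):
            return candidate
    return None


def crack_dump(entries, wordlist):
    """Return {dn: recovered password or None} for every entry in a leaked dump."""
    return {dn: crack(stored, wordlist) for dn, stored in entries}


# Constructed sample dump (fixed salts so the run is repeatable); not real data.
SAMPLE_DUMP = [
    ("uid=jdoe,ou=people,dc=example,dc=com", make_ssha("Winter2024!", b"\x01\x02\x03\x04")),
    ("uid=asmith,ou=people,dc=example,dc=com", make_sha("Oracle123")),
    ("uid=svc-backup,ou=services,dc=example,dc=com", make_ssha("xK9#vQ2m$Lp7", b"\xaa\xbb\xcc\xdd")),
]

# Constructed wordlist standing in for the millions of candidates a real cracker would try.
SAMPLE_WORDLIST = ["password", "Password1", "Summer2023", "Winter2024!", "Oracle123"]

if __name__ == "__main__":
    for dn, result in crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST).items():
        print(dn, "->", result if result else "not in wordlist")
```

Two of the three constructed accounts fall to a five-word list because SHA-1 is fast and the salt only stops precomputation, not guessing; the service account with a random password survives this run, but only for as long as the attacker's wordlist and hardware budget allow. This is why a leaked directory extract should be treated as a credential compromise and met with forced resets, not as a harmless list of hashes.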

Ransom Demand and Investigation

Before listing the archive for sale, the attacker reportedly demanded 100,000 XMR (Monero cryptocurrency) from Oracle as ransom. According to the attacker, Oracle responded by asking for the full details needed to address any security vulnerabilities; when the hacker failed to provide them, negotiations collapsed, notes NIX Solutions.

To substantiate their claims, the hacker shared a URL with BleepingComputer showing a .txt file uploaded to the Oracle Cloud server login.us2.oraclecloud.com, allegedly proving their access. A file written to a login server would indicate the ability to write to that host, though on its own it does not show that any customer data was read or exfiltrated.

Experts speculate that if an attack did occur, it may have exploited CVE-2021-35587, a vulnerability in the OpenSSO Agent component of Oracle Access Manager within Fusion Middleware. The flaw allows an unauthenticated attacker with network access via HTTP to take over Oracle Access Manager; Oracle patched it in its January 2022 Critical Patch Update, so any exposure would point to an unpatched or out-of-support instance.

Oracle continues to stand by its assertion that no breach has taken place. We will keep you updated as more information emerges.