Concise Summary:
CloudSEK has uncovered a major data breach affecting over 140,000 Oracle Cloud tenants. A threat actor using the handle "rose87168" claims to have exfiltrated 6 million records from Oracle Cloud SSO and LDAP, including JKS keystore files, encrypted SSO passwords and key files. Access appears to have been gained through the login endpoint (login.(region-name).oraclecloud.com), possibly via an undisclosed vulnerability, and the actor is demanding ransom from affected companies to have their data removed from the sale.
The attacker's methods suggest a sophisticated actor. CloudSEK notes that the login endpoint appears to have been running Oracle Fusion Middleware, which is affected by CVE-2021-35587, a critical vulnerability in Oracle Access Manager (OpenSSO Agent) that is on CISA's Known Exploited Vulnerabilities (KEV) list; CloudSEK assesses with medium confidence that this may have been the initial access vector. Because the compromised components sit upstream of many tenants, the incident raises concerns about exposure across multiple tenants, and tenants should treat any SSO/LDAP credentials and keystore material that may have been exposed as compromised until rotated, since encrypted passwords and JKS files can be attacked offline.
Key Points:
- A threat actor, "rose87168," is selling 6 million records allegedly exfiltrated from Oracle Cloud's SSO and LDAP.
- The attacker claims to have accessed the system through an undisclosed vulnerability on the login endpoint: login.(region-name).oraclecloud.com.
- The intrusion is believed to have begun in January 2025, with the threat actor demanding ransom from affected companies for data removal.
- The login endpoint appears to have been running Oracle Fusion Middleware, which is affected by CVE-2021-35587, a critical Oracle Access Manager vulnerability that may have been the method of access.
- CloudSEK rates the threat as high severity, with medium confidence in its assessment of the access vector.
Archive Links:
12ft: https://12ft.io/https://www.cloudsek.com/blog/the-biggest-supply-chain-hack-of-2025-6m-records-for-sale-exfiltrated-from-oracle-cloud-affecting-over-140k-tenants
archive.org: The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants | CloudSEK
This is going to make some waves. 140K affected Oracle tenants is nothing to sneeze at.
Supply chain attacks have always been bad news, but they are increasing in frequency and severity.