Following a threat actor's claim to be selling 6 million data records allegedly stolen from Oracle Cloud's federated SSO login servers, Oracle denies that it was compromised.
“There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data," the company noted.
This accusation follows the release of many text files yesterday by a threat actor going by the moniker rose87168, which included a sample database, LDAP details, and a list of the businesses they said were pilfered from Oracle Clouds' SSO platform.
The threat actor provided BleepingComputer with this URL as additional evidence that they were able to access Oracle Cloud servers. It displays an Internet Archive URL indicating that they submitted a.txt file to the login.us2.oraclecloud.com server that contained their ProtonMail email address.
The attackers uploaded a text file with their email address without having access to Oracle Cloud servers, as BleepingComputer explained when they got in touch with Oracle once more.
Alleged Oracle data leak
Rose87168 is currently offering the allegedly stolen data from Oracle Cloud's SSO service for an undisclosed fee or in exchange for zero-day exploits on the BreachForums hacking community.
The information, which included enterprise manager JPS keys, Java Keystore (JKS) files, and encrypted SSO passwords, was allegedly stolen during an intrusion into Oracle servers based in 'login.(region-name).oraclecloud.com'.
"The SSO passwords are encrypted, they can be decrypted with the available files. also LDAP hashed password can be cracked," rose87168 says. "I'll list the domains of all the companies in this leak. Companies can pay a specific amount to remove their employees' information from the list before it's sold.”
They've also promised to share part of the data with anyone who can help decrypt the SSO or LDAP credentials. The threat actor told BleepingComputer that they acquired access to Oracle Cloud servers about 40 days ago and claimed to have emailed the firm after exfiltrating data from the US2 and EM2 regions.
In the email conversation, rose87168 said that they asked Oracle to pay 100,000 XMR for information on how they infiltrated the systems, but the company allegedly refused to pay after requesting for "all information needed for fix and patch.”
When questioned how they breached the servers, the attackers stated that all Oracle Cloud servers are running a vulnerable version with a public CVE (flaw) that does not yet have a public PoC or exploit. However, BleepingComputer was unable to independently verify whether this was the case.
