A cybercriminal identified as "rose87168" has claimed responsibility for stealing six million records from Oracle Cloud servers.
The compromised data allegedly includes Java Key Store (JKS) files, encrypted Single Sign-On (SSO) passwords, hashed Lightweight Directory Access Protocol (LDAP) passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys.
According to reports, the breach impacts over 140,000 tenants worldwide, raising serious concerns about cloud security.
The hacker claims to have exploited a vulnerability in Oracle Cloud’s login infrastructure, specifically targeting the endpoint login.(region-name).oraclecloud.com.
This subdomain reportedly hosted an outdated version of Oracle Fusion Middleware, which may have been vulnerable to exploitation through CVE-2021-35587—a known security flaw in Oracle Access Manager.
Stolen Data Circulates on Dark Web Forums
The stolen information is being advertised on dark web marketplaces, including Breach Forums. The threat actor “rose87168” is demanding ransom payments from affected organizations to prevent the sale or exposure of their data.
Additionally, the hacker is encouraging others to assist in decrypting the encrypted SSO and LDAP passwords, offering incentives for their efforts.
However, Oracle has denied any security breach within its cloud infrastructure. In a statement released on March 21, 2025, the company asserted that no customer data had been compromised and that the leaked credentials were not associated with its systems.
Hacker’s Activities and Security Implications
Active since January 2025, “rose87168” has exhibited advanced techniques in executing this attack. The hacker claims to have gained access approximately 40 days before making the stolen data public.
Recommended Actions for Affected Organizations
Organizations relying on Oracle Cloud are urged to take immediate security measures:
- Reset Credentials: Change all SSO, LDAP, and other related passwords while enforcing strong password policies and multi-factor authentication (MFA).
- Monitor Systems: Utilize security monitoring tools to detect unauthorized access or suspicious activity.
- Investigate the Breach: Conduct a thorough forensic investigation to identify potential vulnerabilities and mitigate risks.
- Engage with Oracle: Report the incident to Oracle and follow recommended security guidelines.
- Strengthen Security: Implement strict access controls, enhanced logging mechanisms, and regular security updates.
This incident highlights the increasing sophistication of cyberattacks on cloud environments, emphasizing the need for continuous security enhancements, proactive monitoring, and timely software updates to mitigate potential threats.