NCA-10.032525 - NCERT Advisory - Alleged Data Breach On Oracle Cloud

A significant security incident has been reported involving an alleged data breach on Oracle Cloud, where a cybercriminal claims to have accessed over 6 million records, including SSO credentials, and is offering the data for sale. Organizations using Oracle Cloud are urged to take immediate action to mitigate risks, including resetting passwords, enabling multi-factor authentication, and monitoring for unauthorized access. The National CERT recommends a thorough security assessment and proactive measures to prevent potential compromises and data theft.

Introduction
A critical security incident has been reported involving an alleged data breach on Oracle
Cloud. A cybercriminal operating under the alias "rose87168" has reportedly released
multiple text files on dark web forums containing a sample database, LDAP information,
and a list of companies allegedly affected by the breach. The threat actor claims to have
accessed Oracle Cloud servers approximately 40 days ago and is currently offering the
alleged stolen data for sale. The attack is believed to have exploited vulnerabilities related
to SSO authentication and LDAP misconfigurations, potentially exposing enterprise
environments to unauthorized access and data theft.
The threat actor claims to hold over 6 million records, including federated SSO login
credentials of Oracle Cloud customers. Because users frequently reuse passwords, exposed
credentials of this kind are likely to be replayed in credential stuffing attacks against
unrelated services, extending the impact well beyond Oracle Cloud itself. Organizations
using Oracle Cloud services must act immediately to mitigate the risks of credential
exposure, unauthorized access, and data exfiltration.

Impact
Potential consequences of this alleged breach include:
1. Compromised SSO Credentials: Stolen credentials could allow unauthorized
access to enterprise applications and cloud resources.
2. Unauthorized Access: Threat actors could exploit credentials to gain control
over user accounts, access confidential data, and modify cloud configurations.
3. Data Exfiltration: Sensitive corporate and customer data may be accessed,
copied, and sold on illicit forums.
4. Credential Stuffing Attacks: Exposed credentials can be used to attempt
access across multiple platforms, increasing the risk of cascading breaches.
5. Malware Deployment: Unauthorized access could lead to the injection of
malicious payloads, ransomware, or other malware into enterprise environments.
6. Business Disruption: Organizations relying on Oracle Cloud for mission-critical
operations may experience downtime and operational disruptions due to
unauthorized activities.

Vulnerability Details
The breach reportedly involves:
• A leaked database allegedly containing SSO credentials, company names, email
addresses, and other sensitive data.
• Encrypted SSO passwords, which the actor claims can be decrypted using available tools
or brute force.
• LDAP authentication information, which could be used to compromise access to
corporate networks and escalate privileges.
• The presence of Oracle Cloud domain credentials, potentially facilitating further
exploitation.
• The actor's claim that access was obtained through a zero-day vulnerability in Oracle
Cloud services, alongside the offer of the stolen data for sale.
• Reports of phishing attempts targeting users of affected organizations, leveraging
compromised credentials to gain further access.
Oracle has denied that a breach of Oracle Cloud occurred. Until the claims are
independently verified, organizations should nonetheless treat their credentials as
potentially exposed and implement the precautionary measures below.

Affected Systems
Organizations using Oracle Cloud, particularly those employing SSO authentication and
federated login mechanisms, may be at risk. The exact list of affected entities remains
unverified, but reports suggest exposure across multiple companies. Any organization
using LDAP authentication and federated identity management in Oracle Cloud should
assume potential exposure and take precautionary measures.

Recommendations & Action Items

1. Immediate Mitigation Measures
• Reset passwords for all SSO accounts and privileged users and enforce strong,
unique values; include service accounts, API keys and auth tokens, which a
password-only reset leaves untouched.
• Enable Multi-Factor Authentication (MFA) across all critical services and
administrative accounts.
• Monitor authentication logs for unusual access patterns: bursts of failed
logins against many different accounts from one source (credential stuffing),
logins from new countries or impossible-travel sequences, and successful
logins that immediately follow a burst of failures.
• Implement strict access control policies, restricting access to cloud
resources based on role and necessity.
• Disable unnecessary LDAP authentication where possible and review identity
federation configurations, including which identity providers and trust
relationships are accepted.
• Invalidate all existing active sessions and refresh tokens and require
reauthentication for all users, so that a session issued with a stolen
credential does not survive the password reset.
2. Patching and Updates
• Review Oracle Cloud security advisories and apply all recommended
security patches immediately.
• Ensure that all identity and access management (IAM) configurations
adhere to security best practices.
• Regularly update security policies to align with emerging threats and
regulatory compliance requirements.
• Deploy endpoint detection and response (EDR) solutions to detect follow-on
activity on systems reached with stolen credentials.
3. Hardening Security Configurations
• Conduct internal security audits and penetration testing to assess
exposure to credential-based attacks.
• Restrict access to critical cloud resources using a zero-trust security
model.
• Deploy advanced threat detection solutions and Security Information and
Event Management (SIEM) systems to identify and mitigate credential
stuffing attempts.
• Enforce least privilege principles by ensuring that users only have the
necessary permissions to perform their job functions.
4. Incident Response and Recovery
• Conduct forensic analysis on cloud logs, authentication events, and
access records to identify potential breaches.
• Revoke compromised credentials and issue new ones with enhanced
security measures, including password complexity and rotation policies.
• Restore affected systems from clean, offline backups if any compromise is
detected.
• Strengthen continuous monitoring capabilities to detect any follow-up
attack attempts or ongoing data exfiltration.
• Train employees on recognizing phishing attempts and suspicious
authentication requests to prevent further exploitation.
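As an added example (not part of the NCERT advisory, and not NCERT's or Oracle's code), the following Python script shows what the log-monitoring items above look like when run over SSO authentication logs: it flags a source IP that fails against many distinct accounts in a short window (credential stuffing), flags an account with two successful logins from different countries too close together (impossible travel), and lists the accounts that succeeded from a flagged IP so they can be reset and their sessions killed first. The log format, user names, IP addresses, country codes and thresholds are constructed for illustration; a real deployment would map the identity provider's audit export into the same Event records.

```python
"""SSO auth-log triage for credential stuffing and impossible travel.

Added example for this advisory, not NCERT's or Oracle's code. The log
format, user names, IP addresses, country codes and thresholds are
constructed for illustration; a real deployment would map the identity
provider's audit export into the same Event records.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src_ip: str
    country: str
    result: str  # "success" or "failure"


def parse_line(line: str) -> Event:
    """'<ISO ts> user=<u> ip=<a> geo=<CC> result=<success|failure>' -> Event."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.fromisoformat(ts_text), kv["user"], kv["ip"],
                 kv["geo"], kv["result"])


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_failures=10, min_users=5):
    """Source IPs failing against many distinct accounts inside `window`,
    i.e. a leaked credential list being replayed. Returns one
    (ip, failures_in_densest_window, distinct_users) tuple per flagged IP."""
    failures = defaultdict(list)
    for e in events:
        if e.result == "failure":
            failures[e.src_ip].append(e)
    alerts = []
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end, cur in enumerate(evs):
            while cur.ts - evs[start].ts > window:  # shrink to fit window
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            if len(chunk) >= min_failures and len(users) >= min_users:
                if best is None or len(chunk) > best[1]:
                    best = (ip, len(chunk), len(users))
        if best is not None:
            alerts.append(best)
    return alerts


def detect_location_anomalies(events, max_gap=timedelta(hours=1)):
    """Accounts with two successful logins from different countries less
    than `max_gap` apart: a stolen credential in use beside the real user."""
    successes = defaultdict(list)
    for e in events:
        if e.result == "success":
            successes[e.user].append(e)
    anomalies = []
    for user, evs in successes.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            if cur.country != prev.country and cur.ts - prev.ts <= max_gap:
                anomalies.append((user, prev.country, cur.country, cur.src_ip))
    return anomalies


def accounts_to_reset(events):
    """Accounts that succeeded from an IP flagged for stuffing: treat as
    compromised, kill their sessions and reset their credentials first."""
    bad_ips = {ip for ip, _, _ in detect_stuffing(events)}
    return sorted({e.user for e in events
                   if e.result == "success" and e.src_ip in bad_ips})


# Constructed sample log (RFC 5737 documentation addresses, fictional users).
SAMPLE_LOG = """
2025-03-25T09:00:00 user=alice ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:05 user=bob ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:10 user=carol ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:15 user=dave ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:20 user=erin ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:25 user=alice ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:30 user=bob ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:35 user=carol ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:40 user=dave ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:45 user=erin ip=203.0.113.7 geo=US result=failure
2025-03-25T09:00:50 user=bob ip=203.0.113.7 geo=US result=success
2025-03-25T09:10:00 user=alice ip=198.51.100.4 geo=PK result=success
2025-03-25T09:35:00 user=alice ip=192.0.2.9 geo=DE result=success
"""
EVENTS = [parse_line(line) for line in SAMPLE_LOG.strip().splitlines()]

if __name__ == "__main__":
    print("stuffing:", detect_stuffing(EVENTS))
    print("impossible travel:", detect_location_anomalies(EVENTS))
    print("reset first:", accounts_to_reset(EVENTS))
```

The thresholds are deliberately conservative defaults: a single user mistyping a password a few times never trips the stuffing rule, because it requires many distinct accounts from one source, while the impossible-travel rule only looks at successes, since failed attempts from abroad are already covered by the first rule. Tune `window`, `min_failures`, `min_users` and `max_gap` to the organization's normal login volume and geography before relying on the output.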

Call to Action
National CERT urges all organizations using Oracle Cloud to conduct an immediate
security assessment. Organizations should enforce strong authentication mechanisms,
apply security patches, and actively monitor for any signs of unauthorized access.
Additionally, companies should implement proactive security monitoring, conduct
penetration tests, and educate employees about emerging cyber threats. Immediate
action is necessary to prevent potential compromise and mitigate the risks associated
with this alleged breach.
