Update 3:45 PM: We have learned from CloudSEK that Oracle has indeed been hacked, contrary to Oracle’s claims. CloudSEK states the following:
“Our threat intelligence team has uncovered conclusive evidence validating the threat actor’s claims — including production-level exposure of Oracle Cloud SSO endpoints and real customer data in the leaked samples.”
CloudSEK’s investigation, detailed in its full report, began on March 21. It is now clear that the domain login.us2.oraclecloud.com was compromised. The company speaks of a “profound” impact for customers due to the breach.
A Techzine reader has also told us that Oracle requested a password reset from their employer, adding: “that should tell you something.” We tend to agree. It is somewhat odd that Oracle opted to deny outright that a breach had occurred, forgoing the usual caveat that no such incident had been detected. The latter wording gives an affected company room to avoid later contradicting itself.
Original article, 9:27 AM:
On Thursday evening, a hacker claimed to have stolen six million records from Oracle Cloud. Servers in both Amsterdam and Chicago may have missed a patch to prevent a breach. Oracle, however, denies that its systems have been compromised.
The alleged attacker goes by the name “rose87168.” The 6 million records are said to have exposed 140,000 tenants, with Java Key Store files, encrypted passwords, and Enterprise Manager JPS keys as the spoils of war.
Oracle refuses to pay and denies any wrongdoing
Oracle is clear about its view when asked by The Register and others. “No breach” is the verdict of the American cloud player. “The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data.”
Nevertheless, external parties are assuming a successful compromise despite the wording of that denial. CloudSEK speculates that the US2 server in Chicago was not patched for CVE-2021-35587, a critical vulnerability in Oracle Access Manager within Oracle Fusion Middleware. The attacker’s method of obtaining data from EM2 (in Amsterdam) is unknown, but it may have stemmed from the same issue.
A month ago, rose87168 is said to have contacted Oracle with a demand for more than 200 million dollars in cryptocurrency. Oracle refused to comply. This was expected, as paying cybercriminals is illegal in the US.
Dangers
Hack or no hack, resetting credentials is a highly recommended step for organizations on Oracle Cloud. rose87168 states that affected tenants can also pay to have their credentials removed from the leak list, but that offers no guarantees. The hacker could very well still use the data or sell it to someone else, assuming this has not already happened. As mentioned above, negotiating with cybercriminals is illegal in the US, while the policy in Europe is less restrictive.
Since rose87168 shared even more evidence with BleepingComputer, it is likely that the hack did take place. The infiltration is alleged to have occurred 40 days ago. However, it remains to be seen whether organizations recognize their credentials in the data that BleepingComputer has shared with them. If not, it may be the case that fellow cybercriminals are the ‘victims’ of this ordeal. At any rate, it is very much possible organizations have already reset their credentials and prevented any ill effects.
Unknown matters
According to rose87168, the available files could be used to crack the SSO passwords. Someone else could also extract the hashes of LDAP passwords, but the attacker himself did not succeed in doing so. The stolen data will be useful for further attacks if organizations do not take appropriate measures. In any case, the disclosure of the attack should convince them to check for compromises and renew their credentials.
We’ve seen this year already that alleged hacks can turn out to be fake. Despite claims made by the Space Bears group, for example, Atos wasn’t actually compromised by them in the end.
Also read: Atos confirms: no hack by Space Bears