The evidence of the Oracle hack continues to pile up. Multiple confirmations now exist that the customer data is real.
So says CTO Alon Gal of security company Hudson Rock. Gal has received 10,000 records from the alleged attacker ‘rose87168’ and is working on validating this data. To verify the claim, Gal contacted Hudson Rock customers who appear in the data. He asked them to confirm specifically whether the user accounts exist, whether the tenant IDs match, whether they are production or test environments and whether the accounts have access to sensitive data.
There are now three confirmations that the data is authentic. One indicated that the sample’s users actually exist and actively host data. In addition, some accounts have access to sensitive information, which refutes the earlier assumption that these would only be test environments.
Connection with previous vulnerability
The attacker claims to have used the same RCE (Remote Code Execution) previously reported by cybersecurity company CloudSEK. CloudSEK had already confirmed that Oracle had indeed been hacked despite denials from the company itself.
In their investigation on March 21, CloudSEK discovered that the domain login.us2.oraclecloud.com had been compromised. At the time, they were already talking about the hack’s ‘profound impact’.
Consequences for Oracle customers
The confirmation that the data provides access to production environments with sensitive data makes the situation worrying. Although Oracle previously strongly denied that there had been a hack, Hudson Rock’s new findings seem to refute this claim.
Gal is calling on Oracle to provide more information or remediate the situation. Organizations using Oracle Cloud are advised to review their credentials and rotate them where necessary.
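The four questions Gal put to affected customers (does the account exist, does the tenant ID match, is it production or test, does it reach sensitive data) are exactly the checks a defender would run on a leaked sample to decide which credentials to rotate first. The script below is an added example, not code from Hudson Rock, CloudSEK or Oracle: the record layout, the tenant inventory structure and every account and tenant ID in it are constructed assumptions, and the priority scale is a suggested ordering rather than anything the article prescribes.

```python
"""Triage a leaked-credential sample against an internal tenant inventory.

Added example; not Hudson Rock, CloudSEK or Oracle code. The record layout,
the inventory shape, the helper names and all sample values are assumptions
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed sample of leaked records (assumed shape: user + tenant id).
LEAKED_SAMPLE = [
    {"user": "alice@example.com", "tenant_id": "tenant-1001"},
    {"user": "svc-etl@example.com", "tenant_id": "tenant-1001"},
    {"user": "qa-bot@example.com", "tenant_id": "tenant-2002"},
    {"user": "ghost@example.com", "tenant_id": "tenant-9999"},
    {"user": "bob@example.com", "tenant_id": "tenant-3003"},
    {"user": "carol@example.com", "tenant_id": "tenant-1001"},  # wrong tenant
]

# Constructed internal inventory: what the defender knows about its own tenants.
# Each account maps to its data access level ("sensitive" or "none").
TENANT_INVENTORY = {
    "tenant-1001": {"environment": "production",
                    "accounts": {"alice@example.com": "sensitive",
                                 "svc-etl@example.com": "sensitive"}},
    "tenant-2002": {"environment": "test",
                    "accounts": {"qa-bot@example.com": "none"}},
    "tenant-3003": {"environment": "production",
                    "accounts": {"bob@example.com": "none",
                                 "carol@example.com": "sensitive"}},
}


@dataclass(frozen=True)
class Finding:
    user: str
    tenant_id: str          # tenant id as claimed in the leaked record
    tenant_known: bool      # claimed tenant id exists in our inventory
    account_exists: bool    # user exists anywhere in our inventory
    tenant_match: bool      # user exists under the claimed tenant
    environment: str        # "production", "test" or "unknown"
    sensitive_access: bool
    priority: int           # 0 = cannot verify ... 4 = production + sensitive


def _locate_account(user, inventory):
    """Return the tenant id under which the inventory knows this user, or None."""
    for tid, tenant in inventory.items():
        if user in tenant["accounts"]:
            return tid
    return None


def triage_record(record, inventory):
    """Answer the four verification questions for one leaked record."""
    user, claimed = record["user"], record["tenant_id"]
    tenant_known = claimed in inventory
    home_tenant = _locate_account(user, inventory)
    account_exists = home_tenant is not None
    tenant_match = account_exists and home_tenant == claimed
    if tenant_match:
        tenant = inventory[claimed]
        environment = tenant["environment"]
        sensitive = tenant["accounts"][user] == "sensitive"
    else:
        environment, sensitive = "unknown", False

    # Suggested ordering (assumption): unverifiable < tenant mismatch (investigate)
    # < test env < production without sensitive data < production with sensitive data.
    if not account_exists:
        priority = 0
    elif not tenant_match:
        priority = 1
    elif environment != "production":
        priority = 2
    elif not sensitive:
        priority = 3
    else:
        priority = 4
    return Finding(user, claimed, tenant_known, account_exists, tenant_match,
                   environment, sensitive, priority)


def triage_sample(sample, inventory):
    return [triage_record(r, inventory) for r in sample]


def confirmation_summary(findings):
    """Counts answering the four questions across the whole sample."""
    return {
        "records": len(findings),
        "accounts_exist": sum(f.account_exists for f in findings),
        "tenant_ids_match": sum(f.tenant_match for f in findings),
        "production": sum(f.environment == "production" for f in findings),
        "sensitive_access": sum(f.sensitive_access for f in findings),
    }


def rotation_plan(findings):
    """Accounts to rotate, most urgent first; unverifiable records are left out."""
    actionable = [f for f in findings if f.priority > 0]
    ordered = sorted(actionable, key=lambda f: (-f.priority, f.user))
    return [(f.user, f.tenant_id, f.priority) for f in ordered]


if __name__ == "__main__":
    results = triage_sample(LEAKED_SAMPLE, TENANT_INVENTORY)
    print(confirmation_summary(results))
    for user, tenant, prio in rotation_plan(results):
        print(f"priority {prio}: rotate {user} in {tenant}")
```

A record whose user exists but under a different tenant than the leak claims (carol above) is kept at low priority but not discarded: it may signal a stale or mislabelled record, and a quick investigation settles which before the credential is rotated.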