On March 21, 2025, CloudSEK reported a suspected breach of Oracle Cloud involving unauthorized access to, and the sale of, roughly 6 million records. The data has been attributed to a threat actor using the handle "rose87168," who is demanding ransom from affected organizations while posting samples of the records online.
The breach reportedly affects over 140,000 tenants, and the threat actor has offered to remove individual tenants' data in exchange for payment. "Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access," explained a spokesperson for CloudSEK.

By the Numbers
The leaked records include Java KeyStore (JKS) files, encrypted Single Sign-On (SSO) passwords, key files, and Enterprise Manager Java Platform Security (JPS) keys. The mix matters as much as the count: a JKS file holds certificates in the clear and private keys protected only by a store password, and if the leaked JPS keys are the ones that protect the encrypted SSO passwords, that encryption offers no protection at all. Organizations relying on Oracle Cloud SSO should treat those passwords and private keys as exposed and rotate them rather than rely on the encryption.
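To show what a defender can learn from a leaked JKS file without a Java toolchain, here is an added example (not code from CloudSEK, Oracle, or the threat actor) that parses the legacy JKS v2 container: it lists every alias and certificate chain in the store, and verifies a candidate store password against the keystore's trailing integrity digest. The sample keystore, its aliases, its placeholder certificate bytes and the password "changeit" are all constructed inside the code and are not material from the breach.

```python
"""Inventory a leaked Java KeyStore (JKS) without Java.

Added example: parses the legacy JKS v2 container so a defender handed a
dumped .jks can list what it holds and test a store password. The sample
keystore built in demo() is constructed here; it is not breach material.
"""
import hashlib
import struct
import time

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_TAG = 1
TRUSTED_CERT_TAG = 2
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string JKS mixes into its SHA-1 integrity digest


def _utf(s):
    """Java DataOutput.writeUTF: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _read_blob(buf, pos):
    (n,) = struct.unpack_from(">i", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def integrity_digest(body, password):
    """SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || keystore body)."""
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def build_jks(entries, password):
    """Serialize entries to JKS bytes (used here only to construct the sample).
    Private-key entries carry an opaque blob; a real store holds a DER
    EncryptedPrivateKeyInfo under Sun's proprietary SHA-1-based PBE."""
    out = bytearray(struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries)))
    now = int(time.time() * 1000)
    for e in entries:
        if "key" in e:
            out += struct.pack(">i", PRIVATE_KEY_TAG) + _utf(e["alias"]) + struct.pack(">q", now)
            out += struct.pack(">i", len(e["key"])) + e["key"] + struct.pack(">i", len(e["chain"]))
            certs = e["chain"]
        else:
            out += struct.pack(">i", TRUSTED_CERT_TAG) + _utf(e["alias"]) + struct.pack(">q", now)
            certs = [e["cert"]]
        for cert in certs:
            out += _utf("X.509") + struct.pack(">i", len(cert)) + cert
    body = bytes(out)
    return body + integrity_digest(body, password)


def parse_jks(blob, password=None):
    """Return (entries, password_ok). password_ok is None when no password is given.

    Everything except the private-key bytes is readable with NO password: the
    store password only authenticates the trailing digest and keys the weak PBE
    on private-key entries, which offline crackers handle routinely. A leaked
    JKS is therefore a complete inventory of what must be rotated."""
    magic, version, count = struct.unpack_from(">IIi", blob, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">i", blob, pos)
        alias, pos = _read_utf(blob, pos + 4)
        (created_ms,) = struct.unpack_from(">q", blob, pos)
        pos += 8
        entry = {"alias": alias, "created_ms": created_ms, "certs": []}
        if tag == PRIVATE_KEY_TAG:
            enc_key, pos = _read_blob(blob, pos)
            (n_certs,) = struct.unpack_from(">i", blob, pos)
            pos += 4
            entry.update(kind="private-key", enc_key_len=len(enc_key))
        elif tag == TRUSTED_CERT_TAG:
            n_certs = 1
            entry["kind"] = "trusted-cert"
        else:
            raise ValueError(f"unknown entry tag {tag}")
        for _ in range(n_certs):
            _cert_type, pos = _read_utf(blob, pos)
            cert, pos = _read_blob(blob, pos)
            entry["certs"].append(len(cert))  # DER length stands in for full parsing
        entries.append(entry)
    body, digest = blob[:pos], blob[pos:pos + 20]
    ok = None if password is None else integrity_digest(body, password) == digest
    return entries, ok


def demo():
    """Constructed sample: a trusted CA plus an SSO signing key with a 2-cert chain."""
    ca = b"\x30\x82" + bytes(14)        # placeholder bytes, not a real certificate
    leaf = b"\x30\x82" + b"\x11" * 30   # placeholder bytes, not a real certificate
    sample = [
        {"alias": "corp-root-ca", "cert": ca},
        {"alias": "sso-signing", "key": b"\xaa" * 40, "chain": [leaf, ca]},
    ]
    blob = build_jks(sample, "changeit")
    inventory, ok = parse_jks(blob, "changeit")
    _, wrong = parse_jks(blob, "wrong-guess")
    return inventory, ok, wrong


if __name__ == "__main__":
    inv, ok, wrong = demo()
    for e in inv:
        print(f"{e['alias']:<14} {e['kind']:<13} cert_lengths={e['certs']}")
    print("store password verified:", ok, "| wrong password rejected:", not wrong)
```

Run against a real dump, `parse_jks(open("leaked.jks", "rb").read())` returns the alias inventory with no password at all; the password check only tells you whether a guess (or the default "changeit") is right. The point for responders is that the private keys are the only thing the password guards, and that guard is weak, so a leaked keystore is a rotation list, not a locked box.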
Reports indicate the actor has been active since January 2025 and uses methods typically associated with experienced cybercriminals. "While the threat actor has no prior history, their methods indicate high sophistication," noted an analyst from CloudSEK. The firm has rated the threat as high severity and is offering a tool for potentially affected organizations to assess their exposure.

Attack Vector
Digging into the claim, CloudSEK's XVigil platform found that the attacker said access was obtained by compromising a login endpoint, login.(region-name).oraclecloud.com. If accurate, this points to a flaw in Oracle's shared login infrastructure rather than in any one tenant's configuration, which is what would allow a single intrusion to expose so many tenants.
"The attacker claimed to have compromised the subdomain login.us2.oraclecloud.com, which has reportedly been taken down since the breach," the analyst stated. CloudSEK also found that the host was running an Oracle Fusion Middleware server that appears not to have been updated since 2014, which may explain the mechanics of the attack: that component is affected by CVE-2021-35587, a critical (CVSS 9.8) pre-authentication remote code execution flaw in the OpenSSO Agent component of Oracle Access Manager that Oracle fixed in its January 2022 Critical Patch Update and that affects several Oracle Access Manager versions.
"This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful exploitation can lead to a complete takeover of Oracle Access Manager," the report warned, reproducing the vulnerability's published description.
CloudSEK's analysis places the incident within a broader pattern of cloud-service exposures that organizations must address urgently. That a publicly known flaw, patched by the vendor years earlier, was still present on an internet-facing login endpoint raises questions about Oracle's patch management.
When contacted, the threat actor, who goes by the alias 'rose87168,' claimed to have accessed a vulnerable version of the Oracle Cloud servers through a known public CVE that, in their words, lacks a public proof of concept or exploit. That last claim should be treated with caution: CVE-2021-35587 was added to CISA's Known Exploited Vulnerabilities catalog in November 2022, so working exploits have been in circulation for years. The episode underscores how hard it is to maintain robust security when a single unpatched component remains reachable from the internet.
"Are you worried your organization might be affected? Check your exposure here - https://exposure.cloudsek.com/oracle," CloudSEK advised, directing organizations to a tool that checks whether they appear in the leaked data.
Impact and Legacy
This incident is a reminder of how much trust is placed in shared cloud authentication infrastructure and how much damage one unpatched, internet-facing component can do. Beyond checking exposure, organizations that use Oracle Cloud SSO should rotate the credentials and key material the leaked files could contain (SSO passwords, keystore passwords, and the private keys in any exposed JKS files) and review authentication logs from January 2025 onward for anomalous logins, since the actor is reported to have been active since then.


