CYBER INSIGHTS MAR 25, 2025

Breakdown

On March 21, 2025, CloudSEK’s XVigil platform identified a significant security incident involving Oracle Cloud. A threat actor using the alias "Rose87168" claimed responsibility for exfiltrating six million records from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, potentially affecting over 140,000 enterprise tenants. The threat actor, Rose87168, has published a website listing all domains affected by the security breach, offering impacted companies the opportunity to verify if their compromised data originated from Oracle Cloud in exchange for exclusion from the dataset being prepared for sale. The stolen data includes Java KeyStore (JKS) files, encrypted SSO and LDAP credentials, key files, and Enterprise Manager Java Platform Security (JPS) keys. The attacker has demanded payment for data removal and is offering incentives for assistance in decrypting the stolen credentials. This report provides structured analysis, insight beyond public reports, and highlights potential risk vectors and organizational failures contributing to the incident.

Incident Overview

The threat actor advertised the stolen dataset on cybercrime forums and claimed to have exploited Oracle Cloud’s login infrastructure by targeting the endpoint login[.]us2[.]oraclecloud[.]com. This endpoint was reportedly hosting an outdated version of Oracle Fusion Middleware and Oracle Access Manager. The breach exposed a variety of sensitive security components, including:

  • JKS Files: Contain cryptographic certificates and private keys used by Java applications to ensure secure communication and service identity.
  • Encrypted SSO Passwords: Represent federated login credentials; decryption could allow attackers to bypass authentication controls across multiple systems.
  • Encrypted LDAP Credentials: Could grant unauthorized access to directory services, user structures, and permissions mapping.
  • JPS Keys: Tied to Oracle Enterprise Manager, potentially granting access to configuration settings, policy enforcement, or back-end controls.

In addition to selling the data, the attacker is coercing affected companies to pay for the removal of their data from the dataset and has offered to trade the information in exchange for zero-day exploits. This expands the breach’s impact beyond Oracle’s environment, posing a risk to the broader threat ecosystem.

Vulnerability Exploitation and Technical Context

The compromise is believed to involve the exploitation of a known vulnerability in Oracle Access Manager, CVE-2021-35587. This flaw allows unauthenticated remote code execution over HTTP and has been flagged as critical for its ease of exploitation and potential for full system compromise. Despite Oracle patching this vulnerability in 2022, legacy systems or unpatched middleware likely enabled the threat actor to gain initial access. The attacker claimed the exploit is linked to a CVE with a publicly available proof-of-concept (PoC), suggesting the use of a private exploit or operational zero-day.

Security researchers "Jang" and "Peterjson" discovered the vulnerability, CVE-2021-35587, in Oracle Access Manager and published a detailed analysis along with a PoC in March 2022. The vulnerability allows unauthenticated remote code execution, enabling attackers to potentially take full control of affected systems. Since the initial disclosure, multiple PoCs have been released, and active exploitation has been observed in the wild. This raises the likelihood of similar vulnerabilities persisting across other Oracle-hosted services that may not be externally visible. Further raising concern, the attacker reportedly uploaded a text file containing contact information to the compromised Oracle endpoint and archived it, supporting claims of unauthorized access.

Oracle's Position

Oracle has publicly denied the breach, stating, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data." This categorical denial contrasts with the evidence presented by CloudSEK and other cybersecurity researchers, who have provided substantial indications of a significant security incident. This discrepancy raises concerns about transparency and communication during cybersecurity events. Multiple GitHub repositories and third-party documentation confirmed the compromised endpoint as active in production environments. Leaked tenant domains align with known Oracle customers and partners, with authentication scripts referencing the login endpoint in OAuth2 flows.

The threat actor claimed to have contacted Oracle directly, offering breach details in exchange for 100,000 XMR. Allegedly, Oracle declined to pay after requesting technical remediation data. From a reputational standpoint, Oracle’s response may have prioritized brand protection over transparency. A more strategic move would have been to acknowledge a possible breach, isolate affected systems, and proactively engage customers. The lack of clarity leaves enterprise clients uncertain about their exposure level and whether mitigations are necessary.

Threat Actor Breakdown

Rose87168

  • Emergence Date: First observed in January 2025 with initial forum registration and low interaction footprint.
  • Attribution: No confirmed nation-state or group ties; behavior suggests a lone actor or small criminal syndicate focused on monetization.
  • Associated Malware: No unique tooling identified; activity points to manual exploitation and post-exfiltration operations rather than automated malware deployment.
  • Targets: Focused on cloud infrastructure and identity systems, specifically federated SSO and centralized directory services in multi-tenant environments.
  • Common Tactics: Employs extortion, credential theft, encrypted data leaks, and incentivizes crowd-sourced decryption efforts to scale impact.
  • Recent Activities: After forum engagement failed to gain traction publicly, the threat actor attempted to auction partial Oracle tenant datasets to third parties privately. Since January 2025, the threat actor has engaged in the sale of exfiltrated data, initiated crowd-sourced decryption efforts for stolen credentials, and conducted targeted extortion campaigns demanding payment for data removal. Additionally, intelligence sources observed the actor leveraging social media platforms to monitor Oracle-related entities and extend operational reach.

Recommendations

  • Immediate Credential Reset: Reset all SSO, LDAP, and associated credentials, especially for privileged accounts.
  • SSO & OAuth2 Endpoint Discovery and Decommissioning: Perform an internal scan to discover hardcoded or legacy OAuth2 and SSO endpoint references in app configurations or automation scripts, then validate, decommission, or reconfigure them based on current Oracle-approved endpoints.
  • Targeted KeyStore Validation and Rotation: Identify any application dependencies using Oracle-hosted Java KeyStores (JKS) and rotate all keys, certificates, and trust stores associated with federated authentication paths, especially those referencing legacy endpoints like login[.]us2[.]oraclecloud[.]com.
  • Comprehensive System Audit: Conduct a thorough audit of systems to identify and update any outdated or vulnerable components, particularly those related to Oracle Fusion Middleware and Oracle Access Manager.
  • Incident Response Planning: Develop and regularly update incident response plans to ensure preparedness for potential breaches. Conduct simulation exercises to test the effectiveness of these plans.
  • Engagement with Oracle and Security Communities: Maintain open communication with Oracle and participate in cybersecurity forums to stay informed about emerging threats and vulnerabilities. Collaborate with industry peers to share insights and best practices.
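The endpoint-discovery and KeyStore-inventory steps above both start with the same task: finding every place in application configuration and automation scripts that still points at an Oracle login host or at a Java KeyStore. The following Python script is an added example written for this brief; it is not from the report, from CloudSEK, or from Oracle. It walks a directory tree, flags references to the legacy host named in the report (login.us2.oraclecloud.com) separately from references to any other *.oraclecloud.com host (which should then be checked against the Oracle-approved endpoint list), and records every .jks path it sees so the trust stores behind federated authentication can be scheduled for rotation. The sample configuration files it builds are constructed for the example; the idcs-example.identity.oraclecloud.com host in them is a placeholder, and the property names follow the standard JSSE javax.net.ssl.trustStore convention, which is an assumption about how a given project configures its keystores.

```python
"""Inventory scanner for Oracle SSO/OAuth2 endpoint references and Java
KeyStore dependencies in a configuration tree.

Added example, not code from the report. The only host taken from the
report is login.us2.oraclecloud.com; everything else is constructed.
"""
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Legacy login host named in the report. Other *.oraclecloud.com hosts are
# still reported so they can be validated against current approved endpoints.
LEGACY_HOSTS = frozenset({"login.us2.oraclecloud.com"})

# Any http(s) URL whose host ends in oraclecloud.com; group 1 is the host.
ENDPOINT_RE = re.compile(r"https?://([A-Za-z0-9.-]*?oraclecloud\.com)\b", re.I)
# Bare .jks paths, e.g. the value of javax.net.ssl.trustStore=/path/x.jks
# (assumption: projects reference keystores by file path in config).
KEYSTORE_RE = re.compile(r"""([^\s=:"']+\.jks)\b""", re.I)

SKIP_DIRS = {".git", "node_modules", "target", "build"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str    # "legacy-endpoint", "oraclecloud-endpoint" or "keystore"
    value: str


def classify_host(host: str) -> str:
    """Separate the report's legacy host from any other Oracle Cloud host."""
    return "legacy-endpoint" if host.lower() in LEGACY_HOSTS else "oraclecloud-endpoint"


def scan_file(path: str) -> list:
    """Return one Finding per endpoint or keystore reference in a text file."""
    findings = []
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for n, line in enumerate(fh, 1):
                for m in ENDPOINT_RE.finditer(line):
                    findings.append(Finding(path, n, classify_host(m.group(1)), m.group(1)))
                for m in KEYSTORE_RE.finditer(line):
                    findings.append(Finding(path, n, "keystore", m.group(1)))
    except OSError:
        pass  # unreadable file: skip rather than abort the inventory
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree (skipping build/VCS folders) and collect findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for name in sorted(filenames):
            findings.extend(scan_file(os.path.join(dirpath, name)))
    return findings


def summarize(findings: list) -> dict:
    """Counts per kind plus the distinct legacy hosts and keystores to rotate."""
    counts = Counter(f.kind for f in findings)
    return {
        "counts": dict(counts),
        "legacy_hosts": sorted({f.value for f in findings if f.kind == "legacy-endpoint"}),
        "keystores": sorted({f.value for f in findings if f.kind == "keystore"}),
    }


def build_sample_tree() -> str:
    """Constructed sample configuration, not real tenant files."""
    root = tempfile.mkdtemp(prefix="sso-inventory-")
    files = {
        "app/auth.properties": (
            "oauth2.authorize.url=https://login.us2.oraclecloud.com/oam/oauth2/authorize\n"
            "oauth2.token.url=https://login.us2.oraclecloud.com/oam/oauth2/token\n"
            "javax.net.ssl.trustStore=/etc/app/certs/sso-trust.jks\n"
        ),
        "scripts/token.sh": (
            "#!/bin/sh\n"
            "# placeholder IDCS host, constructed for this example\n"
            'curl -s -X POST "https://idcs-example.identity.oraclecloud.com/oauth2/v1/token" '
            '-d "grant_type=client_credentials"\n'
        ),
        "README.md": "Internal service. No external endpoints documented here.\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    results = scan_tree(root)
    for f in results:
        print(f"{f.kind:22} {os.path.relpath(f.path, root)}:{f.line_no}  {f.value}")
    print(summarize(results))
```

Run it against a real configuration repository by replacing `build_sample_tree()` with the repository path. Every `legacy-endpoint` hit is a reference to decommission or repoint, every `oraclecloud-endpoint` hit is one to validate, and the `keystores` list is the starting point for the key and certificate rotation the report calls for.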

Hunter Insights

The reported exposure of 6 million records poses significant threats to organizations, potentially enabling large-scale data breaches, corporate espionage, and unauthorized system access. With decrypted SSO and LDAP credentials in circulation, attackers could penetrate Oracle Cloud environments and exploit supply chain vulnerabilities by targeting connected systems throughout the network. The breach occurs amid increasing international tensions regarding cloud sovereignty and critical infrastructure protection. Nation-states seeking intelligence advantage may covertly acquire this dataset, particularly for targets of strategic interest.

In the wake of the Oracle Cloud breach, we anticipate with high confidence a cascade of secondary impacts over the next year. In the immediate term, expect widespread credential validation campaigns across other platforms and secondary exploitation targeting unprepared Oracle customers, followed by at least one major supply chain compromise and increased regulatory scrutiny within 3-6 months. Long-term implications include the evolution of threat actor Rose87168's tactics to target additional cloud providers and an accelerated industry shift toward zero trust architecture, with companies leading the adoption of identity-centric security models and the restructuring of cloud service contracts to include more robust security guarantees and breach notification requirements.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.