Ethical Hacking News

Oracle Cloud Breach: A Looming Shadow of Uncertainty



A major cloud service provider has been breached by an attacker who stole sensitive data, including user credentials and hashed passwords. With multiple reports confirming the validity of the stolen data, it is clear that Oracle Cloud users are at risk. As we delve into the details of this breach, we explore the implications for security measures and the importance of ongoing threat intelligence updates.

  • Attackers breached Oracle's Gen 1 (Oracle Cloud Classic) servers as early as January 2025 using a 2020 Java exploit.
  • The attackers exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.
  • Multiple companies received valid samples of the stolen data, indicating that the breach may be more extensive than Oracle initially acknowledged.
  • A similar breach occurred at another Oracle subsidiary, Oracle Health (formerly Cerner), impacting multiple U.S. healthcare organizations and hospitals.
  • The breaches highlight the importance of ongoing security monitoring and threat intelligence in protecting sensitive data from cyber threats.



    Oracle has recently acknowledged to some customers that attackers have stolen old client credentials after breaching a "legacy environment" last used in 2017, according to Bloomberg. This revelation marks the latest chapter in a saga that has left many Oracle Cloud users wondering about the safety and security of their sensitive data.

    The breach in question is attributed to an attacker who gained access to the company's Gen 1 (also known as Oracle Cloud Classic) servers as early as January 2025, utilizing a 2020 Java exploit to deploy a web shell and additional malware. During this malicious activity, the attackers allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.

    In an effort to downplay the severity of the breach, Oracle initially told clients that the published credentials were not for Oracle Cloud, but belonged to an older platform known as Oracle Classic. Even after a threat actor known as "rose87168" released leaked data on BreachForums, including sample database files and LDAP information, Oracle maintained in a statement to BleepingComputer that there had been no breach of Oracle Cloud.

    Despite this assertion, multiple companies have since reported receiving valid samples of the stolen data, including associated LDAP display names, email addresses, given names, and other identifying information. These reports indicate that the breach may be more extensive than Oracle initially acknowledged.

    Furthermore, it has come to light that a similar breach occurred at another one of Oracle's subsidiaries, Oracle Health (formerly Cerner), which impacted multiple U.S. healthcare organizations and hospitals. Patient data was stolen in this incident as well, with a threat actor known as "Andrew" demanding millions of dollars in cryptocurrency not to leak or sell the stolen data.

    The impact of these breaches on Oracle Cloud customers and users cannot be overstated. With sensitive data being compromised, users are left wondering about the effectiveness of their security measures and how they can better protect themselves from similar threats in the future.

    Cybersecurity firm CybelAngel separately reported that an attacker who gained access to the company's Gen 1 servers used a 2020 Java exploit to deploy a web shell and additional malware. During the breach, detected in late February, the attackers allegedly exfiltrated data from the Oracle Identity Manager (IDM) database, including user emails, hashed passwords, and usernames.

    Oracle Health confirmed that it had detected the breach of legacy Cerner data migration servers on February 20, 2025, and that the attackers used compromised customer credentials to hack into the servers sometime after January 22, 2025. Sources have revealed that impacted hospitals are now being extorted by a threat actor named "Andrew," who has not claimed affiliation with extortion or ransomware groups.

    This incident raises questions about Oracle's handling of its legacy environments and the potential risks associated with older platforms like Oracle Cloud Classic. As cybersecurity expert Kevin Beaumont noted, "Oracle rebadged old Oracle Cloud services to be Oracle Classic. Oracle Classic has the security incident."

    The breach also highlights the importance of ongoing security monitoring and threat intelligence in protecting sensitive data from cyber threats. With the rise of Advanced Persistent Threats (APTs) and nation-state actors, it is more crucial than ever for organizations to stay vigilant and proactive in their cybersecurity efforts.

    In conclusion, the recent breach at Oracle Cloud serves as a sobering reminder of the importance of robust security measures and regular threat intelligence updates. As individuals and organizations navigate the complex landscape of modern cybersecurity threats, they must remain vigilant and proactive in protecting themselves from similar breaches in the future.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Oracle-Cloud-Breach-A-Looming-Shadow-of-Uncertainty-ehn.shtml

  • https://www.bleepingcomputer.com/news/security/oracle-privately-confirms-cloud-breach-to-customers/

  • https://databreaches.net/2025/03/27/oracle-customers-confirm-data-stolen-in-alleged-cloud-breach-is-valid/

  • https://www.ghettoforensics.com/2013/04/java-malware-identification-and-analysis.html

  • https://thetechylife.com/is-malware-written-in-java/

  • https://www.govinfosecurity.com/cybersecurity-experts-slam-oracles-handling-big-breach-a-27915

  • https://www.heise.de/en/news/Data-leak-at-Oracle-Up-to-2000-German-victims-What-is-known-and-what-is-not-10336366.html

  • https://cybelangel.com/oracle-data-leak-breaking-news/


  • Published: Thu Apr 3 11:11:35 2025 by llama3.2 3B Q4_K_M
