Head to the record store.
That’s the message from the threat actor rose87168, who is selling around six million records obtained from Oracle Cloud’s single sign-on (SSO) and lightweight directory access protocol (LDAP) systems.
The hack, which reportedly affected over 140,000 tenants, was discovered by CloudSEK on March 21. The cyber threat detection company said it engaged with rose87168, discovering that the hacker had been active since January.
Oracle Cloud offers a variety of cloud services to customers. It has a global reach, with 50 public cloud regions in 25 countries, and counts 430,000 customers in 175 nations. That adds up to $40 billion in yearly revenue, making an attack of the scale rose87168 reported the kind of hack that could have wide-ranging effects.
Getting in. According to CloudSEK, the hacker accessed the network “by hacking the login endpoint: login.(region-name).oraclecloud.com.” Now, the attacker is not only offering the data up for payment—they’re also looking for help breaking the encryption.
“The SSO passwords are encrypted, they can be decrypted with the available files,” rose87168 wrote in a message reproduced in CloudSEK’s report. “Also LDAP hashed passwords can be cracked. (I couldn’t do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift.)”
Additionally, the hacker is offering the data to Oracle for a price. The six million lines of data include JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys, CloudSEK said.
Checking out. For companies and organizations faced with the fallout of their data being exfiltrated in the attack, CloudSEK recommends a number of steps to mitigate the damage. Those steps include credential rotation and implementation of MFA, strengthening of access management, and dark web monitoring to locate and track conversations about the data.