[Adversarial Action Advisory] - Part 2: Oracle Cloud Data Breach: Confirming the validity of the data


NSB Cyber is closely tracking the following threat, analysing dark web activity and collaborating with industry partners to validate the claim and assess potential exposure. We will provide updates as new information emerges. For assistance with incident response, monitoring and risk assessment, contact our team through intelligence@nsbcyber.com.

TLDR

As previously reported by the NSB Cyber Intelligence Centre, a Threat Actor has recently claimed to have breached the Oracle Cloud platform and exfiltrated credentials related to more than 140,000 organisations. Impacted targets include organisations from the private and public sectors, and critical infrastructure across various verticals. This advisory provides additional information and analysis that supports the validity of the Threat Actor’s claims, with certain caveats. NSB Cyber still assesses the potential impact to be high severity and suggests that organisations assess their exposure to the threat and implement the following recommendations.

Targeting and Impact

On March 20, 2025, a Threat Actor, identified as "rose87168," claimed to have breached Oracle Cloud, exfiltrating over six million records. This claim was reported by multiple sources on March 21, 2025, with outreach to Oracle for comment. The data allegedly includes credentials related to more than 140,000 organisations, impacting private and public sectors, as well as critical infrastructure across various verticals. The Threat Actor has been actively attempting to sell this data on a data leak forum, escalating concerns about data exposure.

Security experts have been vocal in their criticism. Kevin Beaumont alleged in a blog post (Kevin Beaumont's Post) that Oracle is attempting to hide a serious cybersecurity incident from customers. Alon Gal, founder of Hudson Rock, provided timely updates (Alon Gal’s latest post) and evidence of conversations between the Oracle support team and the Threat Actor, potentially indicating that a compromised user account from the breach was used. There are also allegations of evidence scrubbing, with claims that Oracle used the Wayback Machine’s archive exclusion process to remove incriminating information. A text file left by rose87168, originally at Wayback Machine URL, was removed, but remains accessible at another URL (Wayback Machine URL), suggesting attempts to cover up the incident.

In what appears to be a separate incident, Oracle Health customers were also notified of potential patient data theft using stolen credentials in an earlier cyber incident. A lawsuit was then filed in west Texas, seeking class action status for negligence and breach of contract over both the Cloud and Health breaches. As of 31 March 2025, the class action had been submitted, alleging negligence and failure to notify victims. The FBI is currently investigating both incidents, as reported by Reuters on March 28, 2025.

NSB Cyber was also able to partially assess the validity of the “rose87168” claims and evidence through its Threat Actor engagement.

As NSB Cyber and independent researchers have confirmed the validity of the data, security teams are advised to review and implement recommended security controls.

Attack Vector & Overview

As mentioned in the previous advisory, the Threat Actor likely gained access to Oracle Cloud servers, thus being able to exfiltrate data from the US2 and EM2 cloud regions. The data includes encrypted SSO passwords, Java Keystore (JKS) files, key files, and enterprise manager JPS keys. These credentials could facilitate access to multiple applications via a single set of login details. The attacker claimed to have exploited a vulnerability in Oracle Cloud’s login endpoint, specifically login.(region-name).oraclecloud.com. There is research highlighting the potential exploitation of CVE-2021-35587, a known vulnerability in Oracle Fusion Middleware which has a CVSS score of 9.8 and allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager.

NSB Cyber was able to assess the validity of the Threat Actor claims by receiving samples of the data from “rose87168” and consulting with impacted organisations. Both samples correspond to former employees, with sample 1 between 2014 and 2016, and sample 2 between 2016 and 2018. The data appears to be a few years old at a minimum.

Figure 1. NSB Cyber Sample 1 and Sample 2 Provided by “rose87168”

As mentioned, the data appears to be a few years old. This indicates that Oracle Cloud was breached at some point in time, but the data may not be as current as the Threat Actor claims. Similarly, the Threat Actor uploaded a video which appears to have been taken from an Oracle endpoint in 2019; according to Kevin Beaumont, it appears to be a Citrix session recording of a staff member's access to Oracle Cloud Infrastructure.

For an in-depth analysis of the included data in the leaks, organisations can refer to Trustwave SpiderLabs Threat Report.

Mitigations and Recommended Actions

To mitigate the threat posed by this potential data breach, organisations and individuals should implement the following security measures:

1. Assess Exposure: Organisations should assess their exposure by verifying if they use Oracle Cloud and if their domain name has been included on the Threat Actor’s leak file. Organisations should also evaluate their third-party and fourth-party risks, ensuring that their contractors, partners, and other interconnected entities are not relying on the compromised Oracle Cloud product.

2. Rotate Credentials: Proactively rotate all SSO and LDAP credentials, prioritising privileged accounts (e.g., Tenant Admins) and revoke all current active session tokens.

3. Implement Conditional Access Policies: Implement Conditional Access policies to ensure that only authorised users can access organisational resources under specific conditions. These policy conditions include various types, such as session-based, location-based, and device-based controls.

4. Enable Multi-Factor Authentication: Multi-factor authentication should be added to all user accounts to enhance security measures and prevent the usage of leaked credentials.

5. Audit for suspicious access: Review logs and systems for signs of unauthorised access, focusing on the affected login endpoint.

6. Monitor for Exposure: Organisations should use threat intelligence tools to monitor dark web forums for mentions of your organisation’s data or credentials. Additionally, ongoing monitoring should be conducted to detect unauthorised access, suspicious activity or compromised accounts.

7. Engage Oracle Support: Contact Oracle to verify your tenant’s exposure and request guidance on rotating tenant-specific identifiers. Additionally, engage with Oracle account and tenancy managers for specific guidance regarding exposure, security measures, and additional information that may reduce risk.

8. Engage with NSB Cyber: NSB Cyber maintains the ability to acquire data sets pertaining to specific organisations. Organisations wishing to access the exposed data are recommended to communicate with the NSB Cyber Intelligence Centre.

9. Harden Security Configuration: Organisations should also implement other security best practices such as principle of least privilege access controls and implement pro-active patch management to harden their security configurations.
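The following Python script is an added example illustrating recommendations 1 (Assess Exposure) and 5 (Audit for suspicious access) above; it is not NSB Cyber's tooling and not Oracle's log format. It assumes the leak file is a plain newline-separated list of domains (the advisory does not describe the real file's format), that authentication logs are JSON lines with the hypothetical fields ts, host, event, user and src_ip, and that the domains, addresses and accounts in it are constructed sample values. It matches your own and third-party domains against the list (including subdomain overlap in either direction) and then flags events on the login.(region-name).oraclecloud.com endpoint that an analyst should review.

```python
"""Added example (not NSB Cyber's or Oracle's tooling): triage helpers for
recommendations 1 (assess exposure) and 5 (audit the login endpoint).

Assumptions, all constructed for this example:
  * the leak file is a newline-separated list of domains (the real file's
    format is not described in the advisory);
  * authentication logs are JSON lines with the hypothetical fields
    ts, host, event, user, src_ip (not Oracle's real log schema);
  * IP addresses, domains and accounts are documentation/example values.
"""
import json
import re

# Constructed stand-in for the Threat Actor's leak file; not real leaked data.
LEAK_FILE_SAMPLE = """\
# constructed sample: one domain per line
example.com
Corp.Example.org
sub.tenant.example.net
"""

# Hosts of the form login.<region>.oraclecloud.com, the endpoint named in the advisory.
LOGIN_HOST_RE = re.compile(r"^login\.[a-z0-9-]+\.oraclecloud\.com$", re.IGNORECASE)

# Constructed corporate egress addresses (RFC 5737 documentation range).
KNOWN_EGRESS = {"203.0.113.7"}

# Constructed JSON log lines using the hypothetical schema described above.
LOG_SAMPLE = [
    '{"ts":"2025-03-21T02:14:09Z","host":"login.us2.oraclecloud.com","event":"login_success","user":"a.smith@example.com","src_ip":"203.0.113.7"}',
    '{"ts":"2025-03-21T02:15:30Z","host":"login.us2.oraclecloud.com","event":"login_success","user":"j.doe@example.com","src_ip":"198.51.100.4"}',
    '{"ts":"2025-03-21T09:00:00Z","host":"intranet.example.com","event":"login_success","user":"j.doe@example.com","src_ip":"203.0.113.7"}',
    '{"ts":"2025-03-21T02:16:11Z","host":"login.em2.oraclecloud.com","event":"login_failure","user":"old.employee@example.com","src_ip":"198.51.100.4"}',
]


def parse_leak_domains(text):
    """Normalise a newline-separated domain list: lower-case, drop blanks and comments."""
    domains = set()
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            domains.add(line)
    return domains


def assess_exposure(own_domains, leak_domains):
    """Map each of your (or a third party's) domains to the leaked entries it overlaps.

    A domain counts as exposed if it matches a leaked entry exactly, is a
    subdomain of a leaked entry, or is the parent of a leaked subdomain (a
    leaked host under your apex still means your tenant is on the list).
    """
    hits = {}
    for own in own_domains:
        own = own.strip().lower()
        matches = sorted(
            leaked for leaked in leak_domains
            if own == leaked
            or own.endswith("." + leaked)
            or leaked.endswith("." + own)
        )
        if matches:
            hits[own] = matches
    return hits


def audit_login_endpoint(log_lines, known_egress, watchlist):
    """Flag events on login.<region>.oraclecloud.com worth an analyst's review.

    Two rules: a successful login from a source address outside the known
    corporate egress set, and any authentication event (success or failure)
    for a watch-listed account such as a former employee or an account seen
    in the leaked samples. Findings are returned in log order.
    """
    findings = []
    for raw in log_lines:
        rec = json.loads(raw)
        if not LOGIN_HOST_RE.match(rec.get("host", "")):
            continue  # not the affected endpoint
        user, src_ip = rec.get("user"), rec.get("src_ip")
        if rec.get("event") == "login_success" and src_ip not in known_egress:
            findings.append({"reason": "success_from_unknown_source", "user": user,
                             "src_ip": src_ip, "ts": rec.get("ts")})
        if user in watchlist:
            findings.append({"reason": "watchlisted_account_activity", "user": user,
                             "src_ip": src_ip, "ts": rec.get("ts")})
    return findings


if __name__ == "__main__":
    leaked = parse_leak_domains(LEAK_FILE_SAMPLE)
    print("exposure:", assess_exposure(["partner.example.com", "example.net", "unrelated.io"], leaked))
    for finding in audit_login_endpoint(LOG_SAMPLE, KNOWN_EGRESS, {"old.employee@example.com"}):
        print("review:", finding)
```

The watchlist is the natural place for accounts that rotation (recommendation 2) has not yet reached, and the egress set should come from your own firewall or proxy inventory rather than a hard-coded constant; both are parameters so the rules can be re-run as those lists change.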

Prior to considering active configuration changes within your environment, please take into account current configurations and environmental security controls.

External References:

DISCLAIMER

This threat advisory is based on information gathered from open and closed sources by NSB Cyber’s analysts, and has been curated and analysed to ensure the information provided is accurate and provided without legal guarantee. Readers are advised by NSB Cyber to take into account current configurations and environmental security controls prior to considering active configuration changes within their corporate environment.
