[Adversarial Action Advisory] - Potential Oracle Cloud Breach: Threat Actor claims data of 140,000 organisations


Potential Oracle Cloud Breach: Threat Actor claims data of 140,000 organisations

NSB Cyber is closely tracking the following threat, analysing dark web activity and collaborating with industry partners to validate the claim and assess potential exposure. We will provide updates as new information emerges. For assistance with incident response, monitoring and risk assessment, contact our team through intelligence@nsbcyber.com.

Update - 27/03/2025: Additional information has been released regarding the potential validity of the released data and the possible initial access vector. The updates have been added below in bold.

TLDR

A threat actor has recently claimed to have breached the Oracle Cloud platform and exfiltrated credentials relating to more than 140,000 organisations. Impacted targets include organisations from the private and public sectors, and critical infrastructure across various verticals. NSB Cyber assesses the potential impact to be high severity and recommends that organisations assess their exposure to the threat and implement the recommendations below.

Snapshot

On March 20th 2025, a threat actor claimed to have breached Oracle Cloud and exfiltrated more than six (6) million records. The threat actor is currently attempting to sell the data on a data leak forum. Multiple sources reported on the threat on 21 March 2025 and reached out to Oracle for further comment. This advisory is aimed at all organisations using Oracle Cloud, who should review their security controls to reduce the risk.

Targeting and Impact

On 20th March 2025, a threat actor operating under the alias “rose87168” published on “BreachForums”, a data leak platform, claiming to have exfiltrated six (6) million records related to Oracle Cloud’s Single Sign-On (SSO) servers. The actor is purportedly selling these records and has offered incentives - specifically, portions of the dataset - in exchange for assistance in decrypting the compromised information (refer to Image 1).

Image 1. Threat Actor “rose87168” Original Oracle Data leak Post

The threat actor released multiple text files containing LDAP information, a sample database, and a list of impacted organisations. This list includes over 140,000 entities, among them 1,600 Australian internet domains.

Impacted sectors include, but are not limited to, Government (state and local), Transport, Professional Services, Healthcare, Retail, Law Enforcement and other public and private organisations.

On 22 March 2025, Oracle denied the threat actor’s claims, stating that there was no access to their systems, no data was exfiltrated and the credentials were invalid for their platform. Furthermore, NSB Cyber is aware of organisations within the list of impacted organisations that have indicated they have never utilised Oracle Cloud services.

The threat actor appears to have joined the BreachForums community on 6 March 2025. They previously posted a leak pertaining to “DHL” (dhl.com) including the full names and email addresses of employees. This is their only other post on the platform, which suggests the threat actor has no notable standing in the underground community.

Accordingly, NSB Cyber Intelligence Centre assesses the threat actor to possess low-to-medium sophistication, and it is likely the actor is seeking attention and attempting to establish a reputation.

NSB Cyber further assesses the potential impact of the breach to be high severity. It could affect third-party and even fourth-party organisations that do not directly utilise Oracle Cloud but rely on Software-as-a-Service (SaaS) providers which do.

NSB Cyber is aware of multiple sources reporting that some organisations have confirmed the validity of the data. BleepingComputer and independent researchers reported receiving additional data sets and confirming the authenticity of the information with impacted organisations. The organisations concerned confirmed that the associated LDAP display names, email addresses and given names were accurate.

While NSB Cyber and other sources have yet to establish the veracity of the claims, security teams are advised to review and implement recommended security controls.

Attack Vector & Overview

According to BleepingComputer and its communications with the threat actor, the actor likely gained access to Oracle Cloud servers more than 40 days ago, enabling them to exfiltrate data from the US2 and EM2 cloud regions.

The data reportedly includes encrypted SSO passwords, Java Keystore (JKS) files, key files and enterprise manager JPS keys. These credentials could facilitate access to multiple applications via a single set of login details.

The data set appears to contain information for TenantIDs in the format {tenant}-dev, {tenant}-test, and {tenant}; the presence of un-suffixed tenant IDs alongside the -dev and -test variants suggests that the threat actor had access to production environments, not only development and test ones.

Allegedly, “rose87168” exploited a publicly disclosed vulnerability to gain entry to “login.(region-name).oraclecloud.com”, but refused to confirm the specific CVE identifier. These servers handle both federated and non-federated logins to Oracle Cloud infrastructure.

According to CloudSEK, the threat actor may have exploited CVE-2021-35587 (CVSS Score: 9.8), a vulnerability in Oracle Access Manager that allowed unauthenticated attackers with network access via HTTP to compromise the product, potentially leading to complete takeover.

As proof of access, the threat actor shared an Internet Archive URL indicating they had successfully uploaded a .txt file containing their ProtonMail email address to “login.(region-name).oraclecloud.com” (refer to Image 2).

Image 2. Evidence of compromise provided by Threat Actor

In a post on “X.com,” the threat actor claimed to have contacted Oracle in early March regarding the vulnerability; however, the organisation reportedly refused to pay any reward for its discovery.

The threat actor then requested payment from Oracle in exchange for details pertaining to the attack vector and exploit, but this request was also denied (refer to Figures 3.1, 3.2 and 3.3).

Figure 3.1 Threat Actor’s “X” posts


Figure 3.2 Threat Actor’s “X” posts


Figure 3.3 Threat Actor’s “X” posts


Mitigations and Recommended Actions

To mitigate the threat posed by this potential data breach, organisations and individuals should implement the following security measures:

1. Assess Exposure: Organisations should assess their exposure by verifying whether they use Oracle Cloud and whether their domain name appears in the threat actor’s leak file. Organisations should also evaluate their third-party and fourth-party risks, ensuring that their contractors, partners, and other interconnected entities are not relying on the potentially compromised Oracle Cloud product.

2. Rotate Credentials: Proactively rotate all SSO and LDAP credentials, prioritising privileged accounts (e.g., Tenant Admins), and revoke all currently active session tokens.

3. Implement Conditional Access Policies: Implement Conditional Access policies to ensure that only authorised users can access organisational resources under specific conditions. These policy conditions include various types, such as session-based, location-based, and device-based controls.

4. Enable Multi-Factor Authentication: Multi-factor authentication should be added to all user accounts to enhance security measures and prevent the usage of leaked credentials.

5. Audit for suspicious access: Review logs and systems for signs of unauthorised access, focusing on the affected login endpoint.

6. Monitor for Exposure: Organisations should use threat intelligence tools to monitor dark web forums for mentions of their organisation’s data or credentials. Additionally, ongoing monitoring should be conducted to detect unauthorised access, suspicious activity or compromised accounts.

7. Engage Oracle Support: Contact Oracle to verify your tenant’s exposure and request guidance on rotating tenant-specific identifiers. Additionally, engage with Oracle account and tenancy managers for specific guidance regarding exposure, security measures, and additional information that may reduce risk.

8. Harden Security Configuration: Organisations should also implement other security best practices, such as least-privilege access controls and proactive patch management, to harden their security configurations.
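The following is an added example (not NSB Cyber's tooling and not an Oracle product) showing how a security team could script steps 1 and 5 above: cross-referencing its own domains and tenant IDs against a leak list that uses the {tenant}, {tenant}-dev and {tenant}-test pattern described in the Attack Vector section, and then flagging successful SSO logins by accounts in exposed domains that completed without MFA or came from an unfamiliar source IP. The leak list, the JSON-per-line log format, its field names and the IP allow-list are all constructed assumptions; real leak files and Oracle audit exports will need their own parsing.

```python
"""Triage helpers for a claimed SSO/tenant credential leak.

Added example, not NSB Cyber's or Oracle's code. Both inputs below are
constructed: a leak list (one tenant ID or domain per line) and SSO audit
events in a hypothetical JSON-per-line format.
"""
import json
from collections import defaultdict

ENV_SUFFIXES = ("-dev", "-test")

# Constructed sample leak list in the {tenant}-dev / {tenant}-test / {tenant}
# pattern, plus bare domains. Not real data.
SAMPLE_LEAK_LIST = """\
acme-dev
acme-test
acme
globex-test
Example-Corp.com.au
initech
"""

# Constructed SSO audit events; field names are assumptions, not Oracle's schema.
SAMPLE_SSO_LOG = """\
{"ts":"2025-03-21T02:11:09Z","user":"j.doe@example-corp.com.au","result":"success","mfa":false,"src_ip":"203.0.113.7"}
{"ts":"2025-03-21T02:12:40Z","user":"j.doe@example-corp.com.au","result":"success","mfa":true,"src_ip":"198.51.100.4"}
{"ts":"2025-03-21T03:05:02Z","user":"a.smith@example-corp.com.au","result":"failure","mfa":false,"src_ip":"203.0.113.7"}
{"ts":"2025-03-21T03:05:30Z","user":"a.smith@example-corp.com.au","result":"success","mfa":false,"src_ip":"203.0.113.7"}
"""

KNOWN_GOOD_IPS = {"198.51.100.4"}  # constructed allow-list of corporate egress IPs


def parse_leak_list(text):
    """Return ({base_tenant: set(environments)}, {domains}) from a leak list.

    A bare tenant ID (no -dev/-test suffix) is recorded as 'prod', because the
    presence of un-suffixed IDs is what points to production exposure.
    Entries containing a dot are treated as domains and lower-cased.
    """
    tenants = defaultdict(set)
    domains = set()
    for raw in text.splitlines():
        entry = raw.strip().lower()
        if not entry:
            continue
        if "." in entry:
            domains.add(entry)
            continue
        for suffix in ENV_SUFFIXES:
            if entry.endswith(suffix):
                tenants[entry[: -len(suffix)]].add(suffix[1:])
                break
        else:
            tenants[entry].add("prod")
    return dict(tenants), domains


def assess_exposure(owned_domains, owned_tenants, leak_text):
    """Cross-reference an organisation's own identifiers with the leak list.

    Returns matched domains, matched tenants with the environments seen for
    each, and whether any matched tenant appears in production form.
    """
    tenants, domains = parse_leak_list(leak_text)
    matched_domains = sorted(d.lower() for d in owned_domains if d.lower() in domains)
    matched_tenants = {t.lower(): sorted(tenants[t.lower()])
                       for t in owned_tenants if t.lower() in tenants}
    prod = any("prod" in envs for envs in matched_tenants.values())
    return {"domains": matched_domains, "tenants": matched_tenants,
            "production_exposed": prod}


def audit_sso_logs(log_text, exposed_domains, known_ips=KNOWN_GOOD_IPS):
    """Flag successful logins worth reviewing after a credential leak.

    A login is flagged when the account's domain is on the leak list and the
    login either completed without MFA or came from an IP outside the
    known-good set. Failed attempts are skipped here (they belong in a
    separate brute-force check). Returns (timestamp, user, reasons) tuples.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("result") != "success":
            continue
        domain = ev["user"].rpartition("@")[2].lower()
        if domain not in exposed_domains:
            continue
        reasons = []
        if not ev.get("mfa"):
            reasons.append("no_mfa")
        if ev.get("src_ip") not in known_ips:
            reasons.append("unknown_source_ip")
        if reasons:
            findings.append((ev["ts"], ev["user"], reasons))
    return findings


if __name__ == "__main__":
    exposure = assess_exposure(["Example-Corp.com.au", "other.example"],
                               ["ACME", "initech", "umbrella"], SAMPLE_LEAK_LIST)
    print("exposure:", exposure)
    for ts, user, reasons in audit_sso_logs(SAMPLE_SSO_LOG, set(exposure["domains"])):
        print(f"review {ts} {user}: {', '.join(reasons)}")
```

Feeding the matched domains from the exposure step straight into the log audit keeps the review focused on the accounts that could actually be affected; the allow-list of known IPs would normally be replaced by each user's historical login locations.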

Prior to considering active configuration changes within your environment, please take into account current configurations and environmental security controls.

DISCLAIMER

This threat advisory is based on information gathered from open and closed sources by NSB Cyber’s analysts, and has been curated and analysed to ensure the information provided is accurate and provided without legal guarantee. Readers are advised by NSB Cyber to take into account current configurations and environmental security controls prior to considering active configuration changes within their corporate environment.