CloudSEK uncovers a major breach targeting Oracle Cloud, with 6 million records exfiltrated via a suspected undisclosed vulnerability. Over 140,000 tenants are impacted, as the attacker demands ransom and markets sensitive data online. Learn the full scope, risks, and how to respond. Are you worried your organization might be affected? Check your exposure here - https://exposure.cloudsek.com/oracle
On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from the SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys.
The attacker, active since January 2025, is offering incentives for help decrypting the stolen credentials and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com that led to unauthorized access. The threat actor has no prior history, but their methods indicate high sophistication; CloudSEK assesses this threat with medium confidence and rates its severity as High.
On 21 March 2025, CloudSEK's XVigil discovered the threat actor "rose87168" selling 6 million records extracted from Oracle Cloud's SSO and LDAP. The threat actor claims to have gained access by compromising the login endpoint login.(region-name).oraclecloud.com.
The threat actor claimed to have compromised the subdomain login.us2.oraclecloud.com, which has reportedly been taken down since the intrusion.
The subdomain was captured by the Wayback Machine on 17 February 2025; the capture indicates it was hosting Oracle Fusion Middleware 11g.
According to FOFA, the Oracle Fusion Middleware server was last updated around Sat, 27 Sep 2014. Oracle Fusion Middleware is affected by the critical vulnerability CVE-2021-35587 in Oracle Access Manager (OpenSSO Agent), which CISA added to its Known Exploited Vulnerabilities (KEV) catalog on 28 November 2022.
A vulnerability exists in the Oracle Access Manager component of Oracle Fusion Middleware (OpenSSO Agent). The affected versions are:
This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful exploitation can lead to a complete takeover of Oracle Access Manager.
The threat actor told BleepingComputer that they compromised a vulnerable version of the Oracle Cloud servers through a public CVE (flaw) that currently has no public PoC or exploit.
As the FOFA results in the screenshot above show, the login endpoint was last updated in 2014. We therefore looked for older, high-impact CVEs affecting this technology stack and found CVE-2021-35587, an older Oracle Fusion Middleware vulnerability with only a single known public exploit.
CloudSEK assesses that the threat actor exploited this Oracle Fusion Middleware vulnerability, left unpatched through a lack of patch management practices and/or insecure coding. The vulnerability is easily exploitable: an unauthenticated attacker with network access via HTTP can compromise Oracle Access Manager, and a successful attack can result in a takeover of Oracle Access Manager (OAM). This is consistent with the samples leaked on BreachForums.
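The analysis above chains three observations: an archived capture of the login host, a server whose last update looks years old, and an OAM build in the range Oracle lists for CVE-2021-35587. The script below, an added example and not CloudSEK's tooling, turns that into a repeatable triage for a host you own. Assumptions not on the page: the "last updated" value is treated as the HTTP Last-Modified header; the Server-header and HTML markers are heuristic fingerprints for Oracle HTTP Server and Oracle Access Management, not an authoritative signature; the affected-version list is taken from Oracle's advisory for CVE-2021-35587; the sample headers, page body and CDX rows are constructed. The Wayback Machine CDX API URL it builds is the real endpoint, but nothing is fetched, so the block runs offline.

```python
"""Triage an SSO login host: archived captures, staleness, OAM fingerprint,
affected version. Added example; heuristics and sample data are assumptions."""
import json
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlencode

# OAM versions Oracle lists as affected by CVE-2021-35587 (January 2022 CPU).
OAM_AFFECTED_VERSIONS = {"11.1.2.3.0", "12.2.1.3.0", "12.2.1.4.0"}
# Heuristic fingerprints (assumption): strings seen in Server headers and login
# pages of Oracle HTTP Server / Oracle Access Management deployments.
SERVER_MARKERS = ("oracle-http-server", "oracle-application-server")
BODY_MARKERS = ("/oam/", "oracle access management", "obrareq.cgi")


def wayback_cdx_url(host: str, since_year: int) -> str:
    """Build a Wayback Machine CDX API query (real endpoint) for captures of host."""
    params = {"url": host, "output": "json", "from": since_year,
              "fl": "timestamp,statuscode,mimetype", "filter": "statuscode:200"}
    return "https://web.archive.org/cdx/search/cdx?" + urlencode(params)


def parse_cdx(text: str) -> list:
    """CDX JSON output is a list of rows whose first row names the columns."""
    rows = json.loads(text)
    if not rows:
        return []
    header, *body = rows
    return [dict(zip(header, row)) for row in body]


def _header(headers: dict, name: str) -> str:
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")


def last_modified_age_years(headers: dict, now: datetime) -> Optional[float]:
    """Age of the Last-Modified header in years, or None if the header is absent."""
    value = _header(headers, "Last-Modified")
    if not value:
        return None
    return (now - parsedate_to_datetime(value)).days / 365.25


def oam_indicators(headers: dict, body: str) -> list:
    """Fingerprint markers found in the Server header and the page body."""
    server, page = _header(headers, "Server").lower(), body.lower()
    hits = [f"server:{m}" for m in SERVER_MARKERS if m in server]
    hits += [f"body:{m}" for m in BODY_MARKERS if m in page]
    return hits


def triage(headers: dict, body: str, cdx_text: str, oam_version: str,
           now: datetime, stale_years: float = 5.0) -> tuple:
    """Combine the observations into (risk, reasons); risk is low, medium or high."""
    reasons = []
    captures = parse_cdx(cdx_text)
    if captures:
        reasons.append(f"{len(captures)} archived capture(s); latest {captures[-1]['timestamp']}")
    age = last_modified_age_years(headers, now)
    stale = age is not None and age >= stale_years
    if stale:
        reasons.append(f"Last-Modified is {age:.1f} years old")
    fp = oam_indicators(headers, body)
    if fp:
        reasons.append("OAM/Fusion Middleware indicators: " + ", ".join(fp))
    affected = oam_version in OAM_AFFECTED_VERSIONS
    if affected:
        reasons.append(f"OAM {oam_version} is in the CVE-2021-35587 affected list")
    if fp and (affected or stale):
        risk = "high"
    elif fp or affected or stale:
        risk = "medium"
    else:
        risk = "low"
    return risk, reasons


# Constructed sample input modelled on the observations above (not captured from the real host).
SAMPLE_HEADERS = {"Server": "Oracle-HTTP-Server-11g",
                  "Last-Modified": "Sat, 27 Sep 2014 10:15:00 GMT"}
SAMPLE_BODY = ("<html><head><title>Oracle Access Management 11g</title></head>"
               "<body><form action='/oam/server/auth_cred_submit'></form></body></html>")
SAMPLE_CDX = json.dumps([["timestamp", "statuscode", "mimetype"],
                         ["20250217093012", "200", "text/html"]])
OBSERVED_AT = datetime(2025, 3, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(wayback_cdx_url("login.us2.oraclecloud.com", 2025))
    risk, reasons = triage(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_CDX, "11.1.2.3.0", OBSERVED_AT)
    print(risk)
    for reason in reasons:
        print(" -", reason)
```

Run it against your own login hosts by replacing the sample headers and body with a live response and the CDX rows with the output of the printed URL. A "high" result means the host should be treated as an exposure candidate until the OAM version and patch level are confirmed; a "low" result only means none of these heuristics fired, not that the host is patched.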
Mitigation
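The leaked set is described above as containing JKS files, encrypted SSO passwords and key files. As an added example (not the page's own guidance and not Oracle's or CloudSEK's code), the parser below inventories a JKS keystore without any password, so that each private key can be scheduled for regeneration and each certificate for reissue, and checks a candidate store password against the keystore's integrity trailer. It implements the JKS v2 on-disk format: magic 0xFEEDFEED, entry tags 1 (PrivateKeyEntry) and 2 (TrustedCertEntry), and a SHA-1 trailer over the UTF-16BE store password, the literal "Mighty Aphrodite" and the file body. The sample keystore is constructed in memory with placeholder byte strings in place of real DER certificates and keys; the alias names are invented.

```python
"""Inventory a Java KeyStore (JKS v2) for rotation. Added example; the sample
keystore below is constructed, with placeholder bytes instead of real DER."""
import hashlib
import struct
from datetime import datetime, timezone

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY = 1   # alias -> encrypted PKCS#8 key + certificate chain
TRUSTED_CERT_ENTRY = 2  # alias -> single certificate


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte big-endian length + modified UTF-8 (ASCII here)."""
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _blob(raw: bytes) -> bytes:
    return struct.pack(">I", len(raw)) + raw


def _integrity(body: bytes, store_password: str) -> bytes:
    """keytool's trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    h = hashlib.sha1()
    h.update(store_password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_jks(entries: list, store_password: str) -> bytes:
    """Serialise entries ({alias, tag, ts_ms, key?, certs}) in JKS v2 layout."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for e in entries:
        body += struct.pack(">I", e["tag"]) + _utf(e["alias"]) + struct.pack(">Q", e["ts_ms"])
        if e["tag"] == PRIVATE_KEY_ENTRY:
            body += _blob(e["key"]) + struct.pack(">I", len(e["certs"]))
            for cert in e["certs"]:
                body += _utf("X.509") + _blob(cert)
        else:
            body += _utf("X.509") + _blob(e["certs"][0])
    return body + _integrity(body, store_password)


def parse_jks(data: bytes) -> list:
    """Inventory without any password: list of (alias, kind, created_utc, cert_count)."""
    pos = 0

    def u32() -> int:
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return v

    def utf() -> str:
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        s = data[pos + 2:pos + 2 + n].decode("utf-8")
        pos += 2 + n
        return s

    def blob() -> bytes:
        nonlocal pos
        n = u32()
        pos += n
        return data[pos - n:pos]

    if u32() != JKS_MAGIC or u32() != 2:
        raise ValueError("not a JKS v2 keystore")
    entries = []
    for _ in range(u32()):
        tag, alias = u32(), utf()
        (ts_ms,) = struct.unpack_from(">Q", data, pos)
        pos += 8
        created = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)
        if tag == PRIVATE_KEY_ENTRY:
            blob()                   # encrypted key: opaque without the key password
            chain_len = u32()
            for _ in range(chain_len):
                utf(), blob()        # certificate type and DER bytes
            entries.append((alias, "PrivateKeyEntry", created, chain_len))
        elif tag == TRUSTED_CERT_ENTRY:
            utf(), blob()
            entries.append((alias, "TrustedCertEntry", created, 1))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return entries


def verify_store_password(data: bytes, store_password: str) -> bool:
    """Check the 20-byte SHA-1 trailer, i.e. which store password a file was saved with."""
    return _integrity(data[:-20], store_password) == data[-20:]


def rotation_targets(entries: list) -> list:
    """Aliases whose private keys must be regenerated and certificates reissued/revoked."""
    return [alias for alias, kind, _, _ in entries if kind == "PrivateKeyEntry"]


# Constructed sample: placeholder bytes stand in for DER-encoded keys and certificates.
SAMPLE_STORE = build_jks([
    {"alias": "oam-sso-signing", "tag": PRIVATE_KEY_ENTRY, "ts_ms": 1411776000000,
     "key": b"\x30\x82\x00\x10" + b"\x00" * 16,
     "certs": [b"\x30\x82\x00\x08" + b"\x01" * 8, b"\x30\x82\x00\x08" + b"\x02" * 8]},
    {"alias": "corp-root-ca", "tag": TRUSTED_CERT_ENTRY, "ts_ms": 1700000000000,
     "certs": [b"\x30\x82\x00\x08" + b"\x03" * 8]},
], "changeit")

if __name__ == "__main__":
    for alias, kind, created, n in parse_jks(SAMPLE_STORE):
        print(f"{alias:20} {kind:17} created {created:%Y-%m-%d} certs={n}")
    print("store password ok:", verify_store_password(SAMPLE_STORE, "changeit"))
```

Treat every private key in a leaked JKS as compromised regardless of its password: the key is wrapped with Java's proprietary SHA-1 keystream scheme, which is routinely brute-forced offline, so inventory, regenerate, reissue and revoke rather than rely on the password holding. The integrity check only tells you which store password the file was saved with, which is useful for matching a leaked sample to a specific keystore in your estate.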