Image: Raysonho @ Open Grid Scheduler via Wikimedia Commons (CC0)

CISA warns of potential data breaches caused by legacy Oracle Cloud leak

Federal cybersecurity officials on Wednesday warned of the potential fallout of a data breach impacting Oracle.

For weeks, Oracle privately warned customers of a January incident where hackers stole information and accessed client credentials held on legacy Oracle systems.

BleepingComputer and Bloomberg reported throughout March and April that Oracle customers were told privately of multiple security incidents, even though the company avoided publicly addressing the issue. The company claimed in one email to customers that Oracle Cloud Infrastructure (OCI) was not breached but a hacker “did access and publish user names from two obsolete servers that were never a part of OCI.” The FBI and CrowdStrike are investigating the incident, according to the letter Oracle sent to customers.

The incident came into public view when the alleged hacker behind the incident took to social media to boast of the theft and offer the stolen documents for sale on cybercriminal forums.

CloudSEK, CybelAngel and several other cybersecurity firms confirmed the threat actor, known as “rose87168,” was selling 6 million records extracted from Oracle Cloud’s Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) systems, impacting over 140,000 tenants across multiple regions and industries.

CloudSEK and others examined the data breach and found encrypted passwords, key files and other sensitive information. The hacker, according to CloudSEK, was seen soliciting help from other hackers to decrypt the stolen credentials and threatening Oracle customers — pledging to remove their data for a fee.

On Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) said that while the scope of the incident remains unconfirmed, the “nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded.”

“When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed,” CISA said.

“The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments.”

The agency added that threat actors often weaponize these kinds of credentials to escalate their privileges and move around networks; access cloud and identity management systems; conduct phishing and business email compromise campaigns; resell access to stolen credentials; and enrich previously stolen data for targeted intrusions.

CISA urged organizations to reset all passwords for any affected services, review source code for any potential issues, monitor authentication logs for anomalous activity, and report any incidents to authorities.
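As an added example (not code from the article, CISA or Oracle) of the "review source code" step above: a small scanner that flags the kinds of embedded credential material the notice names (passwords, LDAP bind passwords, tokens, private keys) while skipping values that are only vault or environment references. The file paths, secrets and patterns below are constructed and hypothetical.

```python
"""Added example (not from the article, CISA or Oracle): flag embedded credential
material so it can be rotated and moved to a vault after a credential leak."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    snippet: str  # redacted, so the report itself does not leak the secret


# Shapes of credential material named in the CISA notice: passwords, tokens, keys.
# When a pattern has capture groups, the last group is the secret value.
PATTERNS = {
    "password_assignment": re.compile(
        r"""(?i)[\w.-]*(pass(word|wd)?|pwd|secret)['"]?\s*[=:]\s*['"]?([^'"\s]{6,})"""),
    "ldap_bind_password": re.compile(
        r"""(?i)\b(bindpw|bind[_-]?password)\s*[=:]\s*['"]?([^'"\s]{4,})"""),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt_token": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
}
# Values that reference a vault or environment variable rather than embed a secret.
PLACEHOLDER = re.compile(
    r"(?i)^(\$\{.*\}|\$[a-z_][a-z0-9_]*|<.*>|\{\{.*\}\}|changeme|example)$")


def redact(value: str) -> str:
    return value[:4] + "..."


def scan_text(path: str, text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line)
            if m is None:
                continue
            value = m.group(m.lastindex or 0)  # whole match when no groups
            if not PLACEHOLDER.match(value):
                findings.append(Finding(path, line_no, kind, redact(value)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


# Constructed sample files (hypothetical paths and values, not real data).
SAMPLE_FILES = {
    "app/config.properties": "db.password=Tr0ub4dor&3\nldap.bindpw=${LDAP_BIND_PASSWORD}",
    "deploy/ci.env": "SSO_TOKEN=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJzdmMtZGVwbG95In0.QUJDREVGR0hJSktMTU5PUFFSU1RVVlc",
    "deploy/README.md": "Set DB_PASSWORD=<your-password> before running.",
}
```

Running `scan_files(SAMPLE_FILES)` reports the embedded database password and the CI token but not the `${LDAP_BIND_PASSWORD}` reference or the README placeholder; each reported secret needs rotation, not just a user password reset.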

Oracle did not respond to requests for comment about the notice from CISA.

At least three Oracle Cloud customers confirmed to news outlets that their information was in the leaked data set.

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.