Oracle Cloud has been targeted by a threat actor, compromising 6 million records and putting over 140,000 tenants across multiple regions at risk. This breach is being labelled as the largest supply chain hack of 2025.
On March 21, CloudSEK, an Indian threat intelligence firm, revealed details of the breach. CloudSEK’s XVigil tool identified a threat actor, “rose87168,” selling 6 million exfiltrated records from Oracle Cloud’s SSO and LDAP. The compromised database consists of:
- Approximately 6 million records taken from Oracle Cloud’s SSO and LDAP, including:
- JKS files,
- Encrypted SSO passwords,
- Key files,
- Enterprise manager JPS keys.
The hacker reportedly demanded payment from more than 140,000 affected companies to remove their stolen data and sought help from others to decrypt the encrypted passwords, offering rewards in exchange for assistance.
The threat actor claimed to have compromised the subdomain login.us2.oraclecloud.com, which is said to have been taken down since the breach.
The subdomain, archived on February 17, 2025, appears to have been hosting Oracle Fusion Middleware 11G, which contained a critical vulnerability (CVE-2021-35587) affecting Oracle Access Manager (OpenSSO Agent). This vulnerability was added to the CISA KEV (Known Exploited Vulnerabilities) list in December 2022.
The breach was likely facilitated by the exploitation of this vulnerability due to inadequate patch management or insecure coding practices within Oracle Fusion Middleware.
Oracle’s Response: Oracle has denied that its cloud infrastructure was breached. “There has been no breach of Oracle Cloud. The published credentials are not related to Oracle Cloud, and no Oracle Cloud customers have experienced a breach or lost data,” Oracle stated in response to the reports.
The Oracle Cloud breach highlights several critical lessons and underscores the importance of robust security practices for organizations relying on cloud services. Here are key takeaways and security measures companies should adopt to prevent similar breaches:
Lessons Learned from the Breach:
- Patch Management is Crucial: The vulnerability in Oracle Fusion Middleware (CVE-2021-35587) that was exploited was already known and added to CISA’s KEV list. However, the breach suggests that many companies had not implemented patches in time, which allowed the threat actor to exploit the weakness. This illustrates how critical it is to apply patches promptly and consistently.
- Insecure Coding and Configuration: Insecure coding practices, such as poor handling of credentials and keys, can create openings for attackers.
- The Complexity of Supply Chain Attacks: This breach shows how vulnerabilities in third-party services (like Oracle Cloud) can lead to massive security risks for organizations that depend on these services.
- Proactive Threat Intelligence: Proactive threat intelligence tools that identify suspicious activities, vulnerabilities, and potential data leaks can help mitigate the damage from such attacks before they become full-scale breaches.
- Data Exfiltration and Ransom Demands: The breach also involved ransom demands, as the attacker threatened to sell or expose sensitive data unless paid. This highlights the growing trend of cybercriminals monetizing stolen data, emphasizing the importance of data.
Security Measures to Prevent a Similar Breach:
- Regularly Apply Security Patches and Updates: Automated patch management systems should be in place to ensure that vulnerabilities are fixed as soon as patches are released
- Implement Strong Access Controls and Encryption: Sensitive data, such as passwords and keys, should always be encrypted both in transit and at rest. Organizations should also enforce strict multi-factor authentication (MFA) for accessing critical systems, particularly for administrative roles.
- Secure Software Development Lifecycle (SDLC): Developers should follow best practices for secure coding and conduct regular security audits to identify vulnerabilities early. This should include secure handling of authentication data and using modern cryptographic techniques.
- Zero Trust Security Model: Adopt a Zero Trust architecture, where no entity, whether inside or outside the network, is trusted by default.
- Continuous Monitoring and Threat Intelligence: Organizations should leverage real-time monitoring tools and threat intelligence platforms to detect suspicious activity early.
- Regular Security Audits and Penetration Testing: Periodic security audits and penetration tests should be conducted to identify vulnerabilities before cybercriminals do.
- Incident Response and Ransomware Preparedness: Companies should develop and maintain an incident response plan to respond effectively to any breach. This includes preparing for ransom demands, identifying affected data, and taking immediate action to mitigate damage.
- Third-Party Vendor Risk Assessments
Conduct rigorous audits of all third-party vendors, especially those with access to critical systems like SSO/LDAP. Use frameworks like NIST or ISO 27001 to evaluate their security posture. - Multifactor Authentication (MFA) Enforcement
Mandate MFA for all privileged accounts, particularly for cloud identity systems (e.g., SSO). Avoid relying solely on passwords, which are vulnerable to credential-stuffing attacks. - Employee Phishing and Social Engineering Training
Educate staff on identifying phishing attempts, which often precede credential theft and SSO/LDAP breaches.
Conclusion:
The Oracle Cloud breach underscores the cascading risks of supply chain vulnerabilities. Attackers are no longer targeting individual organizations but exploiting trusted third-party hubs to maximize impact. To mitigate such threats:
Prioritize identity system security (SSO/LDAP) as a crown jewel.
Assume breaches will occur—focus on rapid detection, response, and transparency.
Collaborate with threat intelligence partners like CloudSEK to stay ahead of adversarial trends.
This incident is a wake-up call: in an interconnected digital ecosystem, resilience hinges on proactive defense, cross-industry collaboration, and treating cybersecurity as a shared responsibility.
