Oracle Cloud breached, with 6 million records exfiltrated
On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from Oracle Cloud’s SSO and LDAP. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.
The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants.
What do we know so far?
Threat Actor
rose87168, with no known prior history.
Tactics, Techniques, and Procedures (TTPs):
Initial Access:
Suspected use of an undisclosed (zero-day) vulnerability.
Vulnerability likely present in Oracle WebLogic servers used for hosting the login pages for oraclecloud.com.
Targeted the login endpoint: login.(region-name).oraclecloud.com.
Data Exfiltration:
Dumped approximately 6 million records from Oracle Cloud’s SSO and LDAP.
Data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.
Post-Compromise Activity:
Extortion: Demanding payment from affected tenants (over 140,000) for data removal.
Incentivizing decryption: Offering incentives for help decrypting SSO and LDAP passwords.
Social Media: Created an X (formerly Twitter) page and followed Oracle-related accounts.
Modus Operandi (MO):
Vulnerability Exploitation: Identify and exploit a vulnerability in Oracle WebLogic servers used for Oracle Cloud login pages.
Data Extraction: Gain unauthorized access to SSO and LDAP data, extracting sensitive information like passwords, keys, and JKS files.
Data Storage and Leverage: Store the exfiltrated data and use it for extortion.
Extortion and Demands: Contact affected organizations, demanding payment for the removal of their data from the compromised set.
Incentivize Further Compromise: Offer rewards for assistance in cracking encrypted passwords, potentially increasing the impact of the breach.