Oracle has flatly denied claims by a miscreant that its public cloud offering has been compromised and data stolen.
A criminal late last week advertised on an online cyber-crime forum what was alleged to be Oracle Cloud customer security keys and other sensitive data swiped from the IT giant. This material was said to have been obtained by the miscreant from at least one of the cloud provider's single-sign-on (SSO) login servers by exploiting a security vulnerability.
Oracle says that is not true.
"There was no breach of Oracle Cloud," a spokesperson told The Register on Friday.
"The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data."
Meanwhile, as noted by the folks at Bleeping, the miscreant boasted of creating a text file on an Oracle Cloud login server, specifically login.us2.oraclecloud.com, captured here by the Internet Archive's Wayback Machine in early March, as proof that systems had been compromised.
That file contains merely the email address of the person trying to sell what's said to be the stolen Oracle Cloud data. We have asked Oracle for further clarification or an explanation. It is claimed that data was exfiltrated from the EM2 as well as the US2 login server. Samples of allegedly stolen data were also shared by the would-be thief.
Looking through the Wayback Machine, we can see that the US2 server was as recently as February 2025 running some kind of Oracle Fusion Middleware 11G.
Infosec outfit CloudSEK reckons that server may not have been patched to close CVE-2021-35587, a known critical vulnerability in Fusion Middleware's Oracle Access Manager, specifically its OpenSSO Agent.
Exploiting that bug – which can be done over HTTP with no authentication – would potentially give an intruder access to the very kind of data put up for sale this week. Public exploit code for the flaw exists.
On Thursday, what was claimed to be six million records of Oracle Cloud customers' Java KeyStore files, which contain security certificates and keys; encrypted Oracle Cloud SSO passwords; encrypted LDAP passwords; Enterprise Manager JPS keys; and other data stolen from the cloud provider went up for sale on BreachForums by a previously unknown netizen going by the name rose87168. The potentially affected customers are said to number in the hundreds.
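The listing above names Java KeyStore (JKS) files, which hold certificates and private keys, among the claimed loot. If a keystore has been exposed, the first response task is to know exactly which private-key entries it held so they can be revoked and rotated, and to confirm the file on disk has not been altered. The following Python is an added example, not code from The Register, Oracle or the forum post: a stand-alone JKS inventory that lists aliases and entry kinds and verifies the password-keyed SHA-1 integrity digest that keytool writes at the end of the file. The sample keystore, its entries and its password "changeit" are constructed in memory from placeholder bytes rather than real certificates.

```python
"""Inventory a Java KeyStore (JKS) without Java: list aliases, entry kinds and
chain lengths, and check the password-keyed integrity digest.

Self-contained: a small constructed keystore with placeholder (non-X.509) bytes
is built in memory so the script runs offline. Real version-2 keystores written
by keytool parse the same way; only the sample content here is made up."""
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_TAG = 1        # entry holds an encrypted private key plus its cert chain
TRUSTED_CERT_TAG = 2       # entry holds only a certificate
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed string Sun's JKS mixes into the digest


def _utf(s: str) -> bytes:
    """Java UTF string: 2-byte big-endian length, then the bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_jks(entries, password: str) -> bytes:
    """Build a version-2 JKS from constructed entries (test fixture only)."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for e in entries:
        body += struct.pack(">I", e["tag"]) + _utf(e["alias"]) + struct.pack(">Q", e["ts"])
        if e["tag"] == PRIVATE_KEY_TAG:
            body += struct.pack(">I", len(e["key"])) + e["key"]
            body += struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            body += _utf("X.509") + struct.pack(">I", len(e["cert"])) + e["cert"]
    # keytool's integrity digest: SHA-1(password as UTF-16BE || salt || body)
    digest = hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()
    return body + digest


def _read_utf(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode("utf-8"), off + n


def _read_blob(data, off):
    (n,) = struct.unpack_from(">I", data, off)
    off += 4
    return data[off:off + n], off + n


def inventory_jks(data: bytes, password=None) -> dict:
    """Parse a JKS; if a password is given, also verify the trailing digest."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC:
        raise ValueError("not a JKS file (bad magic)")
    if version != 2:
        raise ValueError(f"unsupported JKS version {version}")
    off, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, off)
        off += 4
        alias, off = _read_utf(data, off)
        (ts_ms,) = struct.unpack_from(">Q", data, off)   # creation time, ms since epoch
        off += 8
        if tag == PRIVATE_KEY_TAG:
            key, off = _read_blob(data, off)   # encrypted key blob; never decrypted here
            (chain_len,) = struct.unpack_from(">I", data, off)
            off += 4
            chain = []
            for _ in range(chain_len):
                _cert_type, off = _read_utf(data, off)
                cert, off = _read_blob(data, off)
                chain.append(cert)
            entries.append({"alias": alias, "kind": "private-key", "created_ms": ts_ms,
                            "encrypted_key_len": len(key), "chain_len": len(chain)})
        elif tag == TRUSTED_CERT_TAG:
            _cert_type, off = _read_utf(data, off)
            cert, off = _read_blob(data, off)
            entries.append({"alias": alias, "kind": "trusted-cert", "created_ms": ts_ms,
                            "cert_len": len(cert)})
        else:
            raise ValueError(f"unknown entry tag {tag} at offset {off - 4}")
    stored = data[off:off + 20]
    if len(stored) != 20 or len(data) != off + 20:
        raise ValueError("truncated or trailing data: integrity digest missing")
    integrity_ok = None
    if password is not None:
        expected = hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + data[:off]).digest()
        integrity_ok = hmac.compare_digest(expected, stored)
    return {"version": version, "entries": entries, "integrity_ok": integrity_ok}


def private_key_aliases(inv: dict) -> list:
    """Aliases whose private key must be treated as exposed if the file leaked."""
    return [e["alias"] for e in inv["entries"] if e["kind"] == "private-key"]


# Constructed fixture: placeholder bytes stand in for DER certificates and the
# encrypted key; aliases, timestamp and password are invented for this example.
SAMPLE_ENTRIES = [
    {"tag": PRIVATE_KEY_TAG, "alias": "sso-signing", "ts": 1_700_000_000_000,
     "key": b"\x30" * 48, "chain": [b"\x30\x82" + b"\x00" * 30, b"\x30\x82" + b"\x01" * 30]},
    {"tag": TRUSTED_CERT_TAG, "alias": "idp-root", "ts": 1_700_000_000_000,
     "cert": b"\x30\x82" + b"\x02" * 30},
]
SAMPLE_PASSWORD = "changeit"
SAMPLE_JKS = build_jks(SAMPLE_ENTRIES, SAMPLE_PASSWORD)

if __name__ == "__main__":
    inv = inventory_jks(SAMPLE_JKS, SAMPLE_PASSWORD)
    for e in inv["entries"]:
        print(e)
    print("integrity ok:", inv["integrity_ok"])
    print("rotate:", private_key_aliases(inv))
```

Run it against a real keystore by reading the file into `inventory_jks(open(path, "rb").read(), password)`; the private-key blob is never decrypted, so the script is safe to run over a suspect copy purely to build a rotation list. Note that the integrity digest only proves the file matches its store password; it says nothing about whether the key material was copied elsewhere.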
The price for this data has not been disclosed, as far as we can tell, and the seller is also accepting zero-day exploits as payment. It's said rose87168 contacted Oracle about a month ago to let the database giant know about the alleged data theft, wanted more than $200 million in cryptocurrency in exchange for details about the claimed heist, and was turned down.
The miscreant has also asked for help in decrypting encrypted credentials.
"The SSO passwords are encrypted, they can be decrypted with the available files," the internet hoodlum claimed in their BreachForums post. "Also LDAP hashed passwords can be cracked. I couldn't do it, but if someone can tell me how to decrypt them, I can give them some of the data as a gift."
Furthermore, the would-be thief has shared a list of the domains of all the companies caught up in the denied security breach, and noted that the apparently not-compromised Oracle customers can "pay a certain amount to remove their employees' data before it's sold." ®