Despite Oracle's denial of a breach in its Cloud federated SSO login servers, evidence suggests otherwise. Multiple companies have confirmed the authenticity of data samples allegedly stolen by a threat actor.

Details of the Alleged Breach

Recently, an individual identified as ‘rose87168’ claimed responsibility for breaching Oracle Cloud servers. This person is reportedly selling authentication data and encrypted passwords for 6 million users. The threat actor also indicated that stolen SSO and LDAP passwords could potentially be decrypted.

Data Released by the Threat Actor

The attacker has released several text files, including a database, LDAP data, and a list of over 140,000 domains belonging to affected companies. Some domains appear to be test domains, and there are multiple domains per company.

Oracle's Response and Contradictory Evidence

Oracle has publicly denied any breach of its Cloud services, asserting that no customer data has been compromised. However, this statement conflicts with findings from cybersecurity sources that have verified the leaked data's validity with impacted companies.

Verification of Leaked Data

Representatives from several companies, under conditions of anonymity, have confirmed the accuracy of the leaked LDAP display names, email addresses, and other identifying information. This confirmation raises questions about Oracle's denial of the breach.

Technical Insights and Vulnerability Exploitation

Cybersecurity firm CloudSEK found that the login server in question was running Oracle Fusion Middleware 11g, a version vulnerable to CVE-2021-35587. That flaw could allow unauthenticated access to Oracle Access Manager, the component that handles SSO, and may have been the entry point for the breach.
