Hack: 6M Records for Sale Exfiltrated from Oracle Cloud Affecting 140k+ Tenants
On March 21, 2025, CloudSEK's XVigil platform discovered a threat actor selling millions of records exfiltrated from Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and Enterprise Manager JPS keys.
The attacker, identified as "rose87168," is offering incentives for decryption assistance and demanding payment from the more than 140K affected tenants for removal of their data. Our engagement with the threat actor suggests a possible undisclosed vulnerability on the login endpoint (region-name).oraclecloud.com, leading to unauthorized access. This marks a concerning trend in the sophistication of modern attacks.
CloudSEK assesses this threat with medium confidence and rates it as High in severity. We strongly recommend that all affected tenants take immediate action to secure their accounts and protect sensitive data.
A Glimpse into the Attack Vector
The threat actor claims to have gained access by exploiting a vulnerability in Oracle Cloud's login endpoint. Specifically, they targeted the subdomain login.us2.oraclecloud.com, which is claimed to have been taken down since the hack.
Our investigation revealed that this subdomain was hosting Oracle Fusion Middleware 11g at the time of the attack, with evidence suggesting it had not been updated since September 2014. This is concerning, given that Oracle Fusion Middleware had a critical vulnerability (CVE-2021-35587) affecting Oracle Access Manager (OpenSSO Agent), which was added to the CISA Known Exploited Vulnerabilities (KEV) catalog in December 2022.
The Impact of CVE-2021-35587
The vulnerability in question allows an unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful exploitation can lead to a complete takeover of Oracle Access Manager, which aligns with the samples that were leaked on Breachforums.
Our analysis indicates that the threat actor exploited this easily exploitable vulnerability because of a lack of patch management and/or insecure coding. This highlights the importance of keeping software up to date and applying security patches promptly.
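To make the patch-management point concrete, the following is an added Python example (not CloudSEK's code and not an Oracle tool) that triages a software inventory against a KEV-style catalogue: any asset running a catalogued product whose last patch predates the catalogue entry is flagged, with internet-facing hosts ranked first. The CVE and the month it entered KEV come from the advisory above; the exact day, the hostnames, versions and patch dates are constructed for illustration.

```python
"""Added example: rank inventory entries that are still unpatched against a
KEV-style catalogue. Only the CVE number and the KEV month are from the
advisory; every other value below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class KevEntry:
    cve: str
    product: str      # product name as it appears in the inventory
    added: date       # date the CVE entered the catalogue


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    last_patched: date
    internet_facing: bool


# CVE-2021-35587 and "December 2022" are on the page; the day-of-month is a
# placeholder because the advisory does not give it.
KEV = [KevEntry("CVE-2021-35587", "Oracle Access Manager", date(2022, 12, 1))]

# Constructed sample inventory (hostnames, versions and dates are made up).
ASSETS = [
    Asset("sso-1.example.internal", "Oracle Access Manager", "11.1.2.3",
          date(2014, 9, 1), True),
    Asset("sso-2.example.internal", "Oracle Access Manager", "12.2.1.4",
          date(2024, 11, 15), True),
    Asset("db-1.example.internal", "Oracle Database", "19c",
          date(2015, 1, 1), False),
]


def exposed(asset: Asset, entry: KevEntry) -> bool:
    """An asset is exposed if it runs the catalogued product and its last
    patch predates the catalogue entry (so the fix cannot have been applied)."""
    same_product = asset.product.strip().lower() == entry.product.strip().lower()
    return same_product and asset.last_patched < entry.added


def triage(assets, catalogue, today: date):
    """Return findings sorted by priority (P1 = internet-facing first) and,
    within a priority, by how long the asset has gone without a patch."""
    findings = []
    for asset in assets:
        for entry in catalogue:
            if exposed(asset, entry):
                findings.append({
                    "host": asset.host,
                    "cve": entry.cve,
                    "version": asset.version,
                    "patch_age_days": (today - asset.last_patched).days,
                    "priority": "P1" if asset.internet_facing else "P2",
                })
    findings.sort(key=lambda f: (f["priority"], -f["patch_age_days"]))
    return findings


if __name__ == "__main__":
    for finding in triage(ASSETS, KEV, date(2025, 3, 21)):
        print(f"{finding['priority']} {finding['host']} {finding['cve']} "
              f"v{finding['version']} unpatched for {finding['patch_age_days']} days")
```

Run against the constructed inventory, only the host patched in 2014 is reported; the Access Manager instance patched after the KEV date and the unrelated database host are left alone. In a real environment the inventory would come from a CMDB or scanner export and the catalogue from the CISA KEV feed, but the decision rule stays the same.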
Protect Your Exposure
Given the high severity of this threat, we strongly advise all tenants who may have been affected by this attack to take immediate action. Check your exposure here: https://exposure.cloudsek.com/oracle
Stay vigilant and proactive in protecting your sensitive data. Regularly review your security posture, implement robust backup and recovery procedures, and ensure that all software is up-to-date with the latest security patches.
Conclusion
The recent hack of millions of records from Oracle Cloud highlights the need for organizations to prioritize security awareness and take proactive measures to protect their data. By staying informed and taking immediate action, you can reduce your risk of falling victim to similar attacks in the future.