On March 21, 2025, cybersecurity firm CloudSEK’s XVigil uncovered a major supply chain breach involving Oracle Cloud. A threat actor known as "rose87168" is reportedly selling 6 million records stolen from Oracle’s SSO and LDAP systems. The leaked data includes JKS files, encrypted SSO passwords, key files and Enterprise Manager JPS keys.
This attacker has been active since January 2025 and is not just selling the data but also offering decryption assistance - a clear attempt to monetize the breach further. They're even demanding payments from affected organizations to remove their stolen data.
From CloudSEK’s engagement with the threat actor, it appears that an undisclosed vulnerability in the Oracle Cloud login endpoint, login.(region-name).oraclecloud.com, may have been exploited to gain unauthorized access.
While this attacker has no prior history, their techniques suggest a high level of sophistication. CloudSEK has assessed this threat with medium confidence but has rated it as High in severity due to the scale and potential impact on over 140,000 Oracle Cloud tenants.
To mitigate potential risks, we strongly recommend taking the following urgent security actions:
- Reset Passwords: Immediately change all LDAP user account passwords, prioritizing privileged accounts (e.g., Tenant Admins). Enforce strong password policies and enable Multi-Factor Authentication (MFA).
- Regenerate API Keys: Revoke and regenerate all API keys to prevent unauthorized access. Apply stricter access controls, limit key usage, and monitor API activity for any anomalies.
- Rotate SSO Certificates: Regenerate and replace all SSO/SAML/OIDC certificates to maintain secure authentication. Enforce regular certificate rotation and secure storage practices.
- Audit and Update ACLs: Review and strengthen Access Control Lists (ACLs) by restricting access to trusted IPs only. Implement geo-restrictions, IP allowlisting, and firewall rules to minimize exposure.
- Update SASL Hashes: Refresh SASL/MD5 hashes or migrate to a more secure authentication method to enhance protection.
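One way to carry out the ACL review in the list above, as an added example that is not part of CloudSEK’s advisory: a small Python audit over a constructed set of ingress rules (the field names, port set and sample addresses are assumptions, not a real cloud API schema) that flags any rule exposing LDAP/LDAPS or the SSO HTTPS port to sources outside a trusted allowlist, and rewrites the offending rules to that allowlist.

```python
import ipaddress

# Constructed sample ingress rules, loosely shaped like a cloud security-list
# export. Field names and addresses are assumptions made for this example.
SAMPLE_RULES = [
    {"desc": "ldaps", "source": "0.0.0.0/0", "protocol": "6", "port_min": 636, "port_max": 636},
    {"desc": "sso-https", "source": "203.0.113.0/24", "protocol": "6", "port_min": 443, "port_max": 443},
    {"desc": "sso-https-public", "source": "0.0.0.0/0", "protocol": "6", "port_min": 443, "port_max": 443},
    {"desc": "bastion-ssh", "source": "198.51.100.7/32", "protocol": "6", "port_min": 22, "port_max": 22},
    {"desc": "intra-vcn", "source": "10.0.0.0/8", "protocol": "all", "port_min": None, "port_max": None},
]
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.7/32", "10.0.0.0/8"]  # assumed allowlist

# Ports the remediation steps concern: LDAP/LDAPS and SSO over HTTPS.
SENSITIVE_PORTS = {389: "ldap", 636: "ldaps", 443: "https/sso"}


def rule_covers_port(rule, port):
    """True if the rule admits traffic to `port` (protocol 'all' or no range = every port)."""
    if rule["protocol"] == "all" or rule["port_min"] is None:
        return True
    return rule["port_min"] <= port <= rule["port_max"]


def audit_ingress(rules, trusted_cidrs):
    """Return findings for rules that expose a sensitive port to a non-allowlisted source."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        src = ipaddress.ip_network(rule["source"])
        # A source is acceptable only if it sits wholly inside one trusted range.
        if any(src.version == t.version and src.subnet_of(t) for t in trusted):
            continue
        for port, service in SENSITIVE_PORTS.items():
            if rule_covers_port(rule, port):
                findings.append({"rule": rule["desc"], "source": rule["source"], "port": port,
                                 "service": service,
                                 "severity": "critical" if src.prefixlen == 0 else "high"})
    return findings


def harden(rules, trusted_cidrs):
    """Replace each flagged rule with one copy per trusted CIDR; leave other rules untouched."""
    flagged = {f["rule"] for f in audit_ingress(rules, trusted_cidrs)}
    hardened = []
    for rule in rules:
        if rule["desc"] in flagged:
            hardened.extend({**rule, "source": cidr} for cidr in trusted_cidrs)
        else:
            hardened.append(rule)
    return hardened
```

Running `audit_ingress(SAMPLE_RULES, TRUSTED_CIDRS)` reports the two world-open rules (LDAPS on 636 and SSO on 443) as critical, and auditing `harden(...)` output returns no findings.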
Check your exposure here - https://exposure.cloudsek.com/oracle
For a detailed analysis, we refer to our full report here.