Part 2: Validating the Breach Oracle Cloud Denied – CloudSEK’s Follow-Up Analysis

On March 21, 2025, a threat actor on BreachForums claimed to have accessed Oracle Cloud's login servers and offered to sell sensitive data, including authentication credentials. CloudSEK validated the data and warned the community of potential supply chain attacks. Oracle denied any breach, but CloudSEK's follow-up investigation confirmed that real customer data tied to the named login server had been exposed. The incident poses significant risks, including unauthorized access to customer tenants and downstream supply chain compromise. Affected: Oracle Cloud, customer tenants, supply chain sector

Key points:

  • Allegations surfaced on BreachForums regarding access to Oracle Cloud’s login servers.
  • CloudSEK verified the authenticity of the data within a short time frame.
  • The leaked data includes SSO & LDAP credentials and OAuth2 keys.
  • Oracle publicly denied any breach despite evidence presented.
  • CloudSEK issued a TLP:GREEN report for the community and a TLP:RED report shared with Oracle.
  • The investigation confirmed that the server named in the claim is a genuine Oracle Cloud login server and that the customer domains appearing in the leaked sample are real.
  • Risks include mass data exposure, credential compromise, and supply chain vulnerabilities.
  • Recommendations include immediate credential rotation and comprehensive incident response measures.

MITRE ATT&CK Techniques:

  • OS Credential Dumping (T1003) – The actor obtained SSO and LDAP credentials and OAuth2 keys from the Oracle Cloud login server.
  • Exploit Public-Facing Application (T1190) – The actor claims to have compromised the internet-facing login endpoint (login.us2.oraclecloud.com) for initial access; the specific weakness exploited is not detailed in this summary.
  • Data Encrypted for Impact (T1486) – Listed in the source report; note that the activity described here is theft and sale of credentials to extort victims, not encryption of victim systems, so this mapping is a loose fit.
  • Supply Chain Compromise (T1195) – Credentials and keys for Oracle Cloud's identity layer can be used to reach the many customer tenants and integrated enterprise systems that trust it.

Indicators of Compromise:

  • Domain: login.us2.oraclecloud.com (the Oracle Cloud login server the actor claims to have compromised)
  • Domain: sbgtv.com (customer domain observed in the leaked sample)
  • Domain: nexinfo.com (customer domain observed in the leaked sample)
  • Domain: nucor-jfe.com (customer domain observed in the leaked sample)
  • Domain: cloudbasesolutions.com (customer domain observed in the leaked sample)
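The key points recommend immediate credential rotation, and the indicator list names the allegedly compromised login server. Before rotating anything, a tenant admin needs to know which of their own SSO trust relationships actually point at that host. The script below is an added example, not CloudSEK's or Oracle's code: it parses SAML IdP metadata and a list of OIDC/OAuth2 client registrations, flags every integration whose identity provider lives on an affected host, and returns a rotation worklist. The metadata, entity IDs, client names and issuer URLs are constructed samples; only the host login.us2.oraclecloud.com comes from the report.

```python
"""Exposure triage for the Oracle Cloud login-server claim.

Added example (not from the CloudSEK report): given the SAML IdP metadata
and OIDC client registrations your organisation holds, flag every
integration whose identity provider is the allegedly compromised host, so
you know which federation trusts, OAuth2 client secrets and signing keys
to rotate first. All sample data below is constructed.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Host named in the report as the allegedly compromised login server.
AFFECTED_HOSTS = {"login.us2.oraclecloud.com"}

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD_NS}

# Constructed SAML metadata: one IdP on the affected host, one unrelated IdP.
# Entity IDs and endpoint paths are hypothetical.
SAMPLE_SAML_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:EntityDescriptor entityID="https://login.us2.oraclecloud.com/idp/example">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://login.us2.oraclecloud.com/idp/example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

# Constructed OIDC/OAuth2 client registrations: (client name, issuer URL).
SAMPLE_OIDC_CLIENTS = [
    ("hr-portal", "https://login.us2.oraclecloud.com/oauth2"),
    ("wiki", "https://idp.example.org"),
]


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def saml_idps_on_hosts(metadata_xml, hosts):
    """Return entityIDs of IdPs whose entityID or any SingleSignOnService
    endpoint is on one of the given hosts. Both are checked because some
    deployments use an entityID on a different host from the SSO endpoint."""
    root = ET.fromstring(metadata_xml)
    flagged = []
    for ed in root.iter(f"{{{MD_NS}}}EntityDescriptor"):
        entity_id = ed.get("entityID", "")
        urls = [entity_id] + [
            sso.get("Location", "")
            for sso in ed.findall(".//md:SingleSignOnService", NS)
        ]
        if any(host_of(u) in hosts for u in urls):
            flagged.append(entity_id)
    return flagged


def oidc_clients_on_hosts(clients, hosts):
    """Return names of OIDC/OAuth2 clients whose issuer is on an affected host."""
    return [name for name, issuer in clients if host_of(issuer) in hosts]


def rotation_worklist(metadata_xml, clients, hosts=AFFECTED_HOSTS):
    """Everything that trusts an affected host and therefore needs its
    federation trust, client secret and signing keys rotated."""
    return {
        "saml_idps": saml_idps_on_hosts(metadata_xml, hosts),
        "oidc_clients": oidc_clients_on_hosts(clients, hosts),
    }


if __name__ == "__main__":
    for kind, items in rotation_worklist(SAMPLE_SAML_METADATA, SAMPLE_OIDC_CLIENTS).items():
        print(f"{kind}: {items}")
```

Feed it your real federation metadata export and client inventory in place of the samples; the worklist is the set of integrations whose secrets and IdP signing certificates should be rotated, after which new assertions and tokens from the old keys should be rejected.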

Full Story: https://www.cloudsek.com/blog/part-2-validating-the-breach-oracle-cloud-denied-cloudseks-follow-up-analysis