A significant data breach has been reported involving a threat actor known as “rose87168,” who is selling 6 million records claimed to have been extracted from Oracle Cloud’s SSO and LDAP systems. The compromised data includes credentials and cryptographic key material, and over 140,000 tenants are said to be affected. The actor’s activity suggests a web application vulnerability was exploited, raising serious concerns about the security of Oracle Cloud.
Affected: Oracle Cloud, SSO, LDAP, 140,000 tenants
Keypoints:
- On March 21, 2025, CloudSEK’s XVigil discovered a data breach involving “rose87168.”
- The breach involved 6 million records from Oracle Cloud’s SSO and LDAP.
- Compromised data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.
- The threat actor has reportedly been active since January 2025 and is demanding payment from affected organizations in exchange for removing their data from the dataset.
- Over 140,000 tenants are affected, increasing risks of unauthorized access and corporate espionage.
- Exploitation of an unpatched, possibly zero-day, vulnerability in Oracle WebLogic servers is suspected as the entry point, but this has not been confirmed.
- The threat actor’s forum reputation is currently rated “0,” meaning they have no established track record, not that no attack took place.
MITRE Techniques:
- T1078 – Valid Accounts: If the encrypted SSO passwords and LDAP credentials in the dataset can be cracked or decrypted, they allow the actor or buyers to log in as legitimate tenant accounts.
- T1190 – Exploit Public-Facing Application: The suspected exploitation of an unpatched vulnerability in internet-facing Oracle WebLogic servers for initial access. (T1210, Exploitation of Remote Services, covers lateral movement inside a network and does not describe an internet-facing entry point.)
- T1499 – Endpoint Denial of Service: Listed speculatively; tenants could be affected through compromised login pages, but no outage is described.
Indicators of Compromise:
- [URL] https://exposure.cloudsek.com/oracle (CloudSEK reference page for checking exposure; this is not an attacker-controlled indicator)
- [IoC Type] Threat Actor: rose87168