A threat actor known as “rose87168” claims to have breached Oracle Cloud’s authentication systems, allegedly exfiltrating six million records impacting over 140,000 tenants. The stolen data reportedly includes JKS files, encrypted SSO and LDAP passwords and JPS keys, with the attacker demanding payment for data removal. While Oracle denies any breach, evidence suggests the possible exploitation of CVE-2021-35587, a vulnerability in Oracle Access Manager, raising concerns about cloud security and authentication risks. Organizations are urged to review security measures, rotate credentials and apply patches to vulnerable systems.
On March 21, 2025, reports surfaced of a major security breach allegedly involving Oracle Cloud’s authentication systems. A threat actor using the alias “rose87168” claimed to have exfiltrated approximately six million records, affecting over 140,000 Oracle Cloud tenants.
The stolen data purportedly includes Java Key Store (JKS) files, encrypted Single Sign-On (SSO) and Lightweight Directory Access Protocol (LDAP) passwords and Java Platform Security (JPS) keys—critical components for enterprise security. The attacker has been actively promoting the compromised data on underground forums, demanding payments from affected organizations for its removal.
While Oracle has officially denied any breach, stating that no customer data was compromised, the claims and the nature of the exposed files have raised concerns within the cybersecurity community.
Alleged Breach Details:
The threat actor initially disclosed the breach on a dark web forum, claiming access was obtained by exploiting a vulnerability in Oracle Cloud’s authentication system. The specific flaw, identified as CVE-2021-35587, is a known security issue in Oracle Access Manager (OAM) that allows an unauthenticated attacker with network access to compromise OAM over HTTP. The compromised endpoint was reportedly login.(region-name).oraclecloud.com, a critical authentication subdomain within Oracle’s cloud infrastructure.
The stolen data allegedly includes Java Key Store (JKS) files, encrypted SSO and LDAP passwords, and Java Platform Security (JPS) keys.
While the SSO and LDAP credentials are encrypted, making them difficult to use immediately, the attacker has openly offered a bounty for anyone capable of decrypting them, significantly escalating the risks associated with this breach.
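As an added example (not code from the original article or from Oracle), the following Python parser reads the documented JKS v2 on-disk format, verifies the password-bound integrity digest, and lists every alias with its entry type and creation date, so a team that believes a keystore like those described above was exposed can quickly scope which private keys must be reissued rather than merely re-passworded. The fixture is constructed with placeholder bytes and the keystore password "changeit" is an assumption.

```python
import hashlib, hmac, struct
from datetime import datetime, timezone

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
PRIVATE_KEY, TRUSTED_CERT = 1, 2      # entry tags defined by the JKS format
WHITENER = b"Mighty Aphrodite"        # constant the JKS integrity digest mixes in after the password

def _utf(s): return struct.pack(">H", len(s.encode())) + s.encode()
def _blob(b): return struct.pack(">I", len(b)) + b

def build_jks(entries, password):
    """Serialise a minimal JKS v2 store; used only to build the constructed fixture below."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for tag, alias, ts_ms, payload, chain in entries:
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", ts_ms)
        if tag == PRIVATE_KEY:          # encrypted key blob precedes its certificate chain
            body += _blob(payload) + struct.pack(">I", len(chain))
        for cert in (chain if tag == PRIVATE_KEY else [payload]):
            body += _utf("X.509") + _blob(cert)
    return body + hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()

class _Reader:
    def __init__(self, data): self.d, self.p = data, 0
    def raw(self, n): b, self.p = self.d[self.p:self.p + n], self.p + n; return b
    def take(self, fmt): return struct.unpack(fmt, self.raw(struct.calcsize(fmt)))[0]
    def utf(self): return self.raw(self.take(">H")).decode()
    def blob(self): return self.raw(self.take(">I"))

def inventory_jks(data, password):
    """Parse a JKS file without Java: returns (integrity_ok, entries) so the owner can see what was taken."""
    expected = hashlib.sha1(password.encode("utf-16-be") + WHITENER + data[:-20]).digest()
    r = _Reader(data)
    if r.take(">I") != JKS_MAGIC or r.take(">I") != JKS_VERSION:
        raise ValueError("not a JKS v2 store")
    entries = []
    for _ in range(r.take(">I")):
        tag, alias, ts_ms = r.take(">I"), r.utf(), r.take(">Q")
        if tag == PRIVATE_KEY:
            r.blob()                    # encrypted PKCS#8 key blob; never decoded here
        for _ in range(r.take(">I") if tag == PRIVATE_KEY else 1):
            r.utf(); r.blob()           # certificate type + DER bytes, skipped
        entries.append({"alias": alias, "kind": "private-key" if tag == PRIVATE_KEY else "trusted-cert",
                        "created": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).date().isoformat(),
                        "rotate": tag == PRIVATE_KEY})   # a stolen private key must be reissued
    return hmac.compare_digest(expected, data[-20:]), entries

# Constructed fixture (placeholder bytes, no real key material): one SSO signing key, one trusted CA.
SAMPLE_JKS = build_jks([(PRIVATE_KEY, "sso-signing", 1410000000000, b"dummy-encrypted-key", [b"dummy-cert"]),
                        (TRUSTED_CERT, "idp-ca", 1700000000000, b"dummy-ca-cert", [])], "changeit")
```

A wrong password or a tampered file shows up as integrity_ok being False while the entry listing still parses, which is the case an incident responder handling a recovered copy should expect.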
Analysis of Potential Exploitation and Vulnerability
Investigations indicate that the breach may have originated from the subdomain login.us2.oraclecloud.com, which was taken offline following the attack’s disclosure. Archived records suggest that this endpoint was running Oracle Fusion Middleware 11G, a version last updated in September 2014.
Oracle Fusion Middleware is known to have been affected by CVE-2021-35587, a critical security vulnerability in Oracle Access Manager (OAM). This flaw enables unauthenticated attackers to exploit OAM via HTTP, potentially gaining full system control. The vulnerability was officially added to CISA’s Known Exploited Vulnerabilities (KEV) catalog in December 2022, marking it as a severe risk for enterprises using outdated Oracle infrastructure.
Due to poor patch management and reliance on outdated software, Oracle Cloud’s authentication system may have remained vulnerable to this exploit. The attacker allegedly leveraged this flaw to access and exfiltrate sensitive authentication files, later offering them for sale on cybercrime forums.
Oracle’s Response and Ongoing Controversy:
Oracle has firmly denied any security breach, stating that no customer data has been compromised. The company asserts that the credentials in question do not originate from Oracle Cloud and maintains that its systems remain secure.
Oracle stated that the attacker’s so-called “proof” was merely a text file containing a ProtonMail address, which surfaced via the Wayback Machine but did not contain any Oracle customer data. The company insists that its cloud systems were not compromised and suggests the attacker may have fabricated or misrepresented the situation. Despite Oracle’s firm denial, some cybersecurity experts remain cautious, highlighting the need for further investigation.
Conclusion
The alleged breach raises significant concerns about cloud security and enterprise authentication vulnerabilities. While Oracle denies any intrusion, claims by the attacker and evidence of outdated security patches highlight potential risks.
For organizations using Oracle Cloud’s authentication services, this incident reinforces the need for proactive cybersecurity measures. Despite Oracle’s denial, the potential exploitation of CVE-2021-35587 suggests that businesses should act swiftly to secure their environments.
Although no full-scale breach has been confirmed, the possibility of compromised encrypted credentials remains a concern. The attacker’s efforts to decrypt the stolen data indicate that future security threats could emerge if these credentials are cracked. Organizations must stay vigilant and enhance their security posture accordingly.
The alleged breach poses serious security risks for affected organizations, including unauthorized access to critical systems, potential data leaks, and financial extortion. If the encrypted SSO and LDAP credentials are decrypted, attackers could gain extensive access to enterprise networks, leading to espionage, data theft and operational disruptions. Additionally, exposure of sensitive data could result in compliance violations, reputational damage, and legal consequences. To mitigate these risks, organizations must conduct immediate security assessments and implement remediation measures.
To reduce the risks associated with this alleged breach, organizations should take immediate action by reviewing their security controls, rotating credentials, and applying patches to vulnerable systems, in particular any Oracle Access Manager deployment still exposed to CVE-2021-35587.
https://www.iconnectitbs.com/the-oracle-cloud-breach-of-2025-breaking-down/