The Biggest Supply Chain Hack Of 2025: 6M Records For Sale Exfiltrated from Oracle Cloud Affecting over 140k Tenants

gregmcc


On 21 March 2025, CloudSEK’s XVigil discovered a threat actor, "rose87168," selling 6M records exfiltrated from SSO and LDAP of Oracle Cloud. The data includes JKS files, encrypted SSO passwords, key files, and enterprise manager JPS keys.

The attacker, active since January 2025, is incentivizing decryption assistance and demanding payment for data removal from over 140K affected tenants. Our engagement with the threat actor suggests a possible undisclosed vulnerability on login.(region-name).oraclecloud.com, leading to unauthorized access. While the threat actor has no prior history, their methods indicate high sophistication. CloudSEK assesses this threat with medium confidence and rates it as High in severity.



@rpm @Jan

 
What does that mean for us, isn't this old news or has Mybb been hacked again?
 
Not old news - it's just happened.

Still a lot of complicating info out there. Oracle are still denying it but it wouldn't surprise me if they eventually admit it.

Just means there is possibly a data dump of encrypted SSO/LDAP passwords and keys that could potentially be used to log on to OCI for all affected domains.
 





Oof...

The Oracle Fusion Middleware server, which according to FOFA was last updated around Sat, 27 Sep 2014. Oracle Fusion Middleware had a critical vulnerability, CVE-2021-35587, which affects Oracle Access Manager (OpenSSO Agent) and which was added to the CISA KEV (Known Exploited Vulnerabilities) catalog in December 2022.
 
AFAIK we don't use Oracle cloud, but I'll pass it onto the web team.
 