Full Report
Despite Oracle denying a breach of its Oracle Cloud federated SSO login servers and the theft of account data for 6 million people, BleepingComputer has confirmed with multiple companies that associated data samples shared by the threat actor are valid. [...]
Analysis Summary
# Incident Report: Alleged Oracle Cloud Data Breach via Fusion Middleware Exploit
## Executive Summary
An alleged major data breach affecting Oracle Cloud infrastructure was reported, where a threat actor claimed to have accessed data pertaining to 6 million users. Customers later confirmed the validity of the allegedly stolen data, which included user identifying information such as LDAP display names and email addresses. The likely attack vector involved exploiting a known vulnerability in Oracle Fusion Middleware 11g running on `login.us2.oraclecloud.com`. Oracle reportedly took the affected server offline following public disclosure of the exploitation.
## Incident Details
- **Discovery Date:** Not explicitly stated, implied around the time data samples were shared (February 2025 timeframe).
- **Incident Date:** Unknown, implied to have occurred prior to recent reporting (likely leveraging a vulnerability present before February 17, 2025).
- **Affected Organization:** Oracle (Cloud infrastructure clients).
- **Sector:** Technology/Cloud Services
- **Geography:** Global (Implied by Oracle's service scope)
## Timeline of Events
### Initial Access
- **Date/Time:** Unknown, but exploitation appears active leading up to February 17, 2025.
- **Vector:** Exploitation of an unpatched vulnerability in Oracle Fusion Middleware 11g.
- **Details:** The vulnerability is tracked as **CVE-2021-35587**, which allows unauthenticated attackers to compromise Oracle Access Manager.
### Lateral Movement
- Not explicitly detailed in the provided text, but access to a "cloud dashboard infrastructure" was claimed.
### Data Exfiltration/Impact
- **Data Stolen:** Information on up to 6 million users, confirmed by victims to include LDAP display names, email addresses, and given names.
### Detection & Response
- **How it was discovered:** The threat actor proactively contacted Oracle’s security email (`[email protected]`) to report the breach, and subsequently shared data samples with BleepingComputer, which led to customer confirmation.
- **Response actions taken:** BleepingComputer learned that Oracle reportedly took the affected server (`login.us2.oraclecloud.com`) offline after the breach was reported publicly.
## Attack Methodology
- **Initial Access:** Exploitation of **CVE-2021-35587** in Oracle Fusion Middleware 11g running on `login.us2.oraclecloud.com`.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed, though the actor likely obtained user identity data.
- **Discovery:** Not detailed.
- **Lateral Movement:** Claimed "full access to info on 6 million users" via the "cloud dashboard infrastructure."
- **Collection:** Gathering user data (names, emails).
- **Exfiltration:** Data was exfiltrated; the threat actor later provided samples of it as proof.
- **Impact:** Unauthorized access and theft of customer identity data.
## Impact Assessment
- **Financial:** Not quantified.
- **Data Breach:** Identity data (LDAP display names, email addresses, given names) relating to approximately 6 million users across over 140,000 tenants.
- **Operational:** The specific server involved (`login.us2.oraclecloud.com`) was taken offline, indicating potential service disruption for components relying on that access management infrastructure.
- **Reputational:** Significant negative impact due to the scale and confirmation of data validity by affected customers.
## Indicators of Compromise
- **Network indicators - defanged:** Server identified as **login[.]us2[.]oraclecloud[.]com** was running vulnerable software.
- **File indicators:** None provided.
- **Behavioral indicators:** Threat actor communicated with Oracle security channels and shared data proofs with media.
## Response Actions
- **Containment measures:** Oracle reportedly took the affected server (`login.us2.oraclecloud.com`) offline.
- **Eradication steps:** Unknown; likely involved patching CVE-2021-35587 across the infrastructure.
- **Recovery actions:** Unknown; would have required bringing the affected services back online securely.
## Lessons Learned
- **Key takeaways:** Unpatched, older versions of middleware (Oracle Fusion Middleware 11g, impacted by a 2021 CVE) remain a critical security risk, even within major cloud environments.
- **What could have been done better:** Proactive identification and patching of the specific software running on production infrastructure (`login.us2.oraclecloud.com`) before the deadline cited by the threat actor.
## Recommendations
- Implement rigorous, continuous vulnerability scanning and asset inventory management across all cloud infrastructure components, specifically targeting application servers like Oracle Fusion Middleware.
- Expedite patching cycles for high and critical severity CVEs, particularly those affecting critical access management components.
- Establish clear, verifiable internal communication channels for vulnerability disclosure, separate from public-facing reporting mechanisms, to handle responsible disclosure efficiently.
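As an added example (not code from the report, Oracle or BleepingComputer), the inventory check the first two recommendations describe: a constructed asset list is matched against a CVE watchlist keyed on the product named in the report, hosts still running a watchlisted version without the fix are flagged with internet-facing ones ranked first, and hostnames are emitted in the report's defanged form. The inventory rows and the "11g" version tag are assumptions for the demo; real affected versions come from the vendor advisory.

```python
"""Flag inventory hosts that still expose software affected by a watchlisted CVE."""
from dataclasses import dataclass

# Constructed watchlist: product -> (CVE cited in the report, version tags assumed vulnerable).
# The version set is a placeholder; take the real affected versions from the vendor advisory.
WATCHLIST = {
    "Oracle Fusion Middleware": ("CVE-2021-35587", {"11g"}),
}


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool
    patched_cves: frozenset  # CVE ids whose fix has been verified on this host


# Constructed sample inventory; only the first hostname comes from the report.
INVENTORY = [
    Asset("login.us2.oraclecloud.com", "Oracle Fusion Middleware", "11g", True, frozenset()),
    Asset("sso.eu1.example.internal", "Oracle Fusion Middleware", "11g", False,
          frozenset({"CVE-2021-35587"})),
    Asset("app.example.internal", "Oracle Fusion Middleware", "12c", True, frozenset()),
    Asset("mail.example.internal", "Postfix", "3.8", True, frozenset()),
]


def defang(host: str) -> str:
    """Render a hostname as the IoC section does: dots become '[.]' so it is not clickable."""
    return host.replace(".", "[.]")


def find_exposed(inventory):
    """Return (defanged host, cve, rank) for assets on a watchlisted vulnerable version
    that lack the fix; rank 0 = internet-facing (patch first), rank 1 = internal."""
    findings = []
    for asset in inventory:
        entry = WATCHLIST.get(asset.product)
        if entry is None:
            continue  # product not on the watchlist
        cve, vulnerable_versions = entry
        if asset.version in vulnerable_versions and cve not in asset.patched_cves:
            rank = 0 if asset.internet_facing else 1
            findings.append((defang(asset.host), cve, rank))
    return sorted(findings, key=lambda f: (f[2], f[0]))


if __name__ == "__main__":
    for host, cve, rank in find_exposed(INVENTORY):
        print(f"rank {rank}: {host} missing fix for {cve}")
```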