- 14 Jul 2024

In the underground forum BF, a threat actor claimed to have gained access to 6 million records related to the Oracle Cloud Federated SSO login system.
The records were exfiltrated from the SSO and LDAP of Oracle Cloud.
The threat actor exploited a vulnerability in the login.(region-name).oraclecloud.com endpoint (regions US2 and EM2) and gained unauthorized access. The dumped data includes SSO encrypted passwords, Java Keystore (JKS) files, key files, and Enterprise Manager JPS keys.
However, Oracle representatives denied the hack and said customers were not affected.
The threat actor also offered to share some of the information with those who would help decrypt the SSO passwords or crack the LDAP passwords.
Researchers from CloudSEK claimed that "threat actor has no prior history, their methods indicate high sophistication"; they rated the threat with medium confidence and rated its severity as High.

Some notes from the analysis:
As additional proof of unauthorized access to Oracle Cloud servers, the attacker provided Bleeping Computer with an Internet Archive link showing a text file containing a ProtonMail email address uploaded to the login.us2.oraclecloud.com server. Screenshot from the Internet Archive link: link

This endpoint was captured in the Wayback Machine before the breach, on 17 Feb 2025, and that capture shows the endpoint was hosting Oracle Fusion Middleware 11g.
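The archive check described above can be repeated for any login endpoint with the Wayback Machine CDX index. The helper below is an added example written for this write-up, not code from the original post or from the researchers; it builds the CDX query and, offline, filters a constructed sample response down to the captures taken before a chosen cutoff date (the CDX timestamps and paths in the sample are invented for illustration).

```python
"""Wayback CDX helper: list archived captures of a host before a cutoff.

CDX timestamps are fixed-width YYYYMMDDhhmmss strings, so they can be
compared lexicographically without parsing them into datetimes.
"""
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def build_cdx_url(host: str, cutoff_ts: str) -> str:
    """Build a CDX query URL for all 200-status captures of `host`
    (any path) up to the day given by the first 8 chars of `cutoff_ts`."""
    params = {
        "url": f"{host}/*",
        "to": cutoff_ts[:8],
        "output": "json",
        "filter": "statuscode:200",
        "fl": "timestamp,original,mimetype,statuscode",
    }
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def captures_before(cdx_rows, cutoff_ts: str):
    """Parse CDX JSON output (header row followed by data rows) and
    return (timestamp, original_url, mimetype) tuples for every capture
    taken strictly before `cutoff_ts`, oldest first."""
    if not cdx_rows:
        return []
    header, *rows = cdx_rows
    hits = []
    for row in rows:
        rec = dict(zip(header, row))
        if rec["timestamp"] < cutoff_ts:
            hits.append((rec["timestamp"], rec["original"], rec["mimetype"]))
    return sorted(hits)


# Constructed sample CDX response (not real archive data): one capture
# from 2014, one from the day before the breach, one after the cutoff.
SAMPLE_CDX = json.loads("""[
 ["timestamp","original","mimetype","statuscode"],
 ["20250217100000","https://login.us2.oraclecloud.com/","text/html","200"],
 ["20250301120000","https://login.us2.oraclecloud.com/placeholder.txt","text/plain","200"],
 ["20140927000000","https://login.us2.oraclecloud.com/","text/html","200"]
]""")

if __name__ == "__main__":
    cutoff = "20250218000000"  # day after the 17 Feb 2025 capture
    print(build_cdx_url("login.us2.oraclecloud.com", cutoff))
    for ts, url, mime in captures_before(SAMPLE_CDX, cutoff):
        print(ts, mime, url)
```

Feeding the generated URL to a real HTTP client and passing the decoded JSON to `captures_before` reproduces the same check against the live index.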

In December 2022, the critical vulnerability CVE-2021-35587 in Oracle Fusion Middleware (OpenSSO Agent) was added to the CISA KEV (Known Exploited Vulnerabilities) Catalog (link).
The vulnerability allows attackers to gain unauthorized access to Oracle Access Manager.
Researchers suspect that the breach occurred through CVE-2021-35587.
According to FOFA, the compromised endpoint was last updated on Sat, 27 Sep 2014.

CVE-2021-35587 has only one public PoC (Proof of Concept) on GitHub:
https://github.com/ZZ-SOCMAP/CVE-2021-35587
This easily exploitable vulnerability allows an attacker with network access via HTTP to compromise Oracle Access Manager.
Because the endpoint was unpatched, the threat actor exploited it and gained complete access to Oracle Access Manager.
Researchers carried out several analyses and investigations of the breach in order to validate it.
Since Oracle denied any breach, stating on the same day: "There has been no breach of Oracle Cloud.", further analysis by researchers
was needed to confirm whether the endpoint was a test environment or a production environment.

Research analysis showed that an archived public GitHub repository by oracle-quickstart (Oracle's official organisation) mentioned
an endpoint related to "login.us2.oraclecloud.com" (link). Additionally, real customer domains matched domains in the attacker's list, and
it was verified that the "login.us2.oraclecloud.com" endpoint was used in production SSO setups, confirming
that <identity-domain>.login.us2.oraclecloud.com was used in production environments. It was also confirmed that the data is real and relates to production rather than test environments:
user and tenant IDs match and also relate to production environments.
In addition, Rose claimed that "it has been used same RCE (Remote Code Execution) reported in CloudSEK's report".
The impact of this breach includes: supply chain risk (using the leaked key files, threat actors can further try to compromise and access other related
enterprise systems); data exposure; credential compromise (the encrypted SSO and LDAP passwords can be cracked, opening new unauthorized
access to other Oracle Cloud environments); and damage to the company's reputation.