Somebody is claiming to have exfiltrated 6 million lines of data from Oracle Cloud's SSO and LDAP, including JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com.
The poster has no prior reputation, it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com
If anybody is interested, the servers they claim they targeted all run Oracle WebLogic and are managed by Oracle as a SaaS service.
Has anybody else got Oracle to comment on this? No reply to my queries.
Oracle are denying a breach to @BleepingComputer, but the threat actor has provided an archived URL which suggests they somehow uploaded a file to the Oracle Access Manager (SaaS solution) frontend.
https://web.archive.org/web/20250301161517/http:/login.us2.oraclecloud.com/oamfed/x.txt?x
The Oracle thing keeps getting more strange. The threat actor has supplied an hour long YouTube video, which appears to be taken from an endpoint inside Oracle... in 2019. They've also supplied a dump of data from 2025, to Hudson Rock. https://www.youtube.com/watch?v=375_G9wAffo
If anybody from Oracle follows me, I definitely think the OCI team needs to spin up security incident response on that YouTube video to try to find out what was happening. It looks like it may be a Citrix session recording of a staff member's access in OCI.
@GossiTheDog What are the odds on CVE-2024-8068 and CVE-2024-8069?