Oracle denies a cyberattack and data leak after a hacker claimed that millions of records were stolen from the company’s servers. In mid-March, an attacker using the pseudonym rose87168 claimed to have stolen 6 million records from Oracle Cloud Federated SSO Login servers. As proof, he posted an archive on the dark web that included a sample database, LDAP information, and a list of companies using Oracle Cloud.

Image Source: Oracle

Oracle has categorically denied the hack. In a statement, the company said: “There was no breach of Oracle Cloud. The credentials released are not related to Oracle Cloud. No Oracle Cloud customers experienced a breach or loss of data.”

Meanwhile, rose87168 has put the archive with the data up for sale. The hacker is willing to exchange it for an undisclosed amount of money or for zero-day exploits. The attacker claims that the data includes encrypted SSO passwords, Java Keystore (JKS) files, key files, Enterprise Manager JPS keys, and more.

“SSO passwords are encrypted, but they can be decrypted using the available files. It is also possible to crack the hashed LDAP password. I will list the domains of all the companies mentioned in this leak. Companies can pay a certain amount to remove information about their employees from the list before it is sold,” said rose87168.

As SecurityLab writes, if a leak did occur, the consequences could be large-scale. Stolen JKS files containing cryptographic keys are especially dangerous – they can be used to decrypt confidential information and gain secondary access to systems. Compromising SSO and LDAP passwords also increases the risk of cascading attacks on organizations using Oracle Cloud.

Before putting the stolen archive up for sale, the attacker apparently demanded 100,000 XMR (the Monero cryptocurrency) from Oracle as a ransom. However, the company, in turn, asked the hacker for “all the information necessary to fix and develop a security patch.” Since rose87168 did not provide it, the negotiations fell through, BleepingComputer writes.

To prove the authenticity of the stolen files, the attacker provided BleepingComputer with an Internet Archive URL confirming that he had uploaded a .txt file containing his ProtonMail email address to the login.us2.oraclecloud.com server.

Experts believe that the hack was carried out through the vulnerability CVE-2021-35587, which affects Oracle Access Manager, a component of Oracle Fusion Middleware. It allows an unauthenticated attacker with network access over HTTP to take control of the system.

Published by
admin
